Chapter 14: Tomcat Security
groups and the operations that the users/groups are permitted to perform. The set of allowed operations for a user or group is that entity's permissions. By default, Windows allows all users to access any resource in the file system, with the exception of sensitive areas, such as the Windows directory itself and the profile resources of other users. For the purposes of securing a Tomcat installation, these permissions are too liberal. The instructions in this section are intentionally minimal because this blog is not intended for use as a Windows administration guide.

Restricting Permissions

To accomplish the stated goal of reducing tomcat's permissions to the minimum required, all default permissions granted to the account must be revoked. To do this, the tomcat account must be explicitly denied access to every resource in the file system, and then selectively granted access to the necessary resources. Use the following steps to revoke tomcat's permissions:

1. Right-click the first drive partition in the My Computer window.
2. Select the Properties context menu item.
3. Select the Security tab.
4. Click the Add button.
5. Select the tomcat account.
6. Click every Deny check box.
7. Click the Advanced button.
8. Select the "Reset permissions on all child objects and enable propagation of inheritable permissions" check box.
9. Click OK.
10. Wait while Windows modifies every ACL in the partition's file system.
11. Repeat these steps with all partitions.

Granting Permissions

To do its job, the tomcat account must have permission to read and execute the JRE files. Thus, the next step in the process is to grant these permissions to the tomcat account. This is accomplished by a similar process to the one discussed previously. To start, select the directory containing the JRE used to run Tomcat, and view the Security properties of the directory. The tomcat account should be present in the list of groups and users. Removing the tomcat account from this list with the Remove button is sufficient to grant access to run Tomcat. This change must also be propagated to all child objects, using the same process discussed previously. For maximum security, the Everyone group should be removed from the JRE directory's ACL, and the tomcat user should be added to it and given only the following permissions: Read & Execute, List Folder Contents, and Read. However, this necessitates explicitly granting these permissions to every
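The target state described above for the JRE directory can be checked from PowerShell instead of by reading the Security tab. The following is an added example, not part of the original text: the function name Test-TomcatJreAcl is hypothetical, and the account name and JRE path are placeholders to be replaced.

```powershell
# Added example: audit a JRE directory ACL against the target state in the text.
# Test-TomcatJreAcl is a hypothetical helper; account and path are placeholders.
function Test-TomcatJreAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,     # JRE directory used to run Tomcat
        [Parameter(Mandatory)] [string] $Account   # e.g. 'MYHOST\tomcat' (assumed name)
    )
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $acctSid  = ([System.Security.Principal.NTAccount]$Account).Translate($sidType).Value
    $everyone = 'S-1-1-0'   # well-known SID of the Everyone group
    # Read & Execute, List Folder Contents and Read all map to ReadAndExecute;
    # Allow entries normally also carry Synchronize.
    $allowed  = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'
    $findings = @()
    $canRead  = $false

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $sid    = $ace.IdentityReference.Translate($sidType).Value
        $rights = [int]$ace.FileSystemRights
        $isDeny = $ace.AccessControlType -eq 'Deny'

        if ($sid -eq $everyone -and -not $isDeny) {
            $findings += "Everyone is still granted: $($ace.FileSystemRights)"
        }
        if ($sid -ne $acctSid) { continue }

        if ($isDeny) {
            # A Deny entry left over from the drive-wide lockdown blocks the JRE.
            $findings += "Deny entry remains (inherited=$($ace.IsInherited)): $($ace.FileSystemRights)"
        }
        elseif ($rights -band (-bnot $allowed)) {
            $findings += "$Account holds more than Read & Execute: $($ace.FileSystemRights)"
        }
        elseif (($rights -band $allowed) -eq $allowed) {
            $canRead = $true
        }
    }
    if (-not $canRead) { $findings += "$Account has no Read & Execute Allow entry" }
    $findings   # empty output means the ACL matches the target state
}

# Placeholder path and account name; replace both before running.
Test-TomcatJreAcl -Path 'C:\path\to\jre' -Account "$env:COMPUTERNAME\tomcat"
```

Each line of output is one deviation from the target state; running it against a few child directories as well shows whether the change was propagated.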