Chapter 14: Tomcat Security

In addition, by default, all Java applications have read access to the directory in which they are located, including its subdirectories.

Securing Web Applications

The previous sections have been concerned with securing the Tomcat server instance, the underlying operating system resources, and the Java platform. Up until this point, you have not examined any techniques to secure specific Web applications running in the Tomcat instance. In this section, we consider techniques for securing individual Web applications. These techniques fall under the following categories:

- Authentication and Realms
- Encryption
- Host Restriction

Note that these techniques can also be applied to Tomcat's built-in system applications.

The techniques described here are often called declarative security measures: they are declarative because you apply them by modifying XML configuration files, typically the application's web.xml file, rather than by writing code. This is in contrast to programmatic security, in which Java code within a Web application performs the security checks. Both terms are official Java EE terminology and concepts. As an example of programmatic security, a sensitive Web application can check, in Java code, that any user accessing it holds the role of manager (or higher) before allowing access. An in-depth discussion of declarative security is beyond the scope of this blog, but any Java EE 5 book should cover programmatic security in depth.

Note that many applications designed to run in Tomcat do not enforce programmatic security and do not use declarative security in their web.xml file. These applications are, for the most part, vulnerable. You can add a minimal level of security by enforcing user authentication via the techniques shown in this section.
Authentication and Realms

Authentication is the process of determining and validating the identity of an application's client. The Servlet specification provides integration with the Java Authentication and Authorization Service (JAAS) API. This enables Web applications to authenticate their users in a standard way that is portable across different Servlet containers. Some Java developers have been known to eschew open standards in favor of their own: it is entirely possible (and indeed somewhat common) for Servlet developers to authenticate users via some homegrown mechanism rather than via the JAAS/Servlet standard mechanism discussed later in this section. System administrators should be aware that in such circumstances this section will be of little utility.

Tomcat provides a Realm mechanism, mandated in the Servlet specification, to assist Web applications in implementing user authentication. Essentially, Realms hold authentication information that can be accessed either via programmatic security or via declarative security (configuration files). Details of the available Realms are explored later in this chapter.
