Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.
The "FAQ/Security" page has been changed by KonstantinKolinko: http://wiki.apache.org/tomcat/FAQ/Security?action=diff&rev1=11&rev2=12 Comment: Correct typo in Q4 title. Convert answer titles to use Header 3 markup. == Questions == 1. [[#Q1|How do I use OpenSSL to set up my own Certificate Authority (CA)?]] - 1. [[#Q2|OH NO! PORT 8005 is available for anyone on localhost to shutdown my tomcat!]] + 1. [[#Q2|Oh no! Port 8005 is available for anyone on localhost to shutdown my tomcat!]] 1. [[#Q3|What about Tomcat running as root?]] 1. [[#Q4|How do I force all my pages to run under HTTPS?]] 1. [[#Q5|What is the default login for the manager and admin app?]] @@ -23, +23 @@ == Answers == + <<Anchor(Q1)>> - <<Anchor(Q1)>>'''How do I use OpenSSL to set up my own Certificate Authority (CA)?''' + === How do I use OpenSSL to set up my own Certificate Authority (CA)? === [[http://marc.info/?l=tomcat-user&m=106293430225790&w=2|Using OpenSSL to set up your own CA]]. + <<Anchor(Q2)>> - <<Anchor(Q2)>>'''OH NO! PORT 8005 is available for anyone on localhost to shutdown my tomcat!''' + === Oh no! Port 8005 is available for anyone on localhost to shutdown my tomcat! === See these 2 discussions. * [[http://marc.info/?t=104396653200003&r=1&w=2|Possible to switch off tcp/ip server shutdown?]] * [[http://marc.info/?t=103126643200005&r=1&w=2|Tomcat shutdown & security]] - <<Anchor(Q3)>>'''What about Tomcat running as root?''' + <<Anchor(Q3)>> + === What about Tomcat running as root? === See these threads: * [[http://marc.info/?t=104516038700003&r=1&w=2|Tomcat as root and security issues]] + <<Anchor(Q4)>> - <<Anchor(Q4)>>'''How to I force all my pages to run under HTTPS?''' + === How do I force all my pages to run under HTTPS? === [[http://marc.info/?l=tomcat-user&m=104951559722619&w=2|Use security-constraint in web.xml]]. + <<Anchor(Q5)>> - <<Anchor(Q5)>>'''What is the default login for the manager and admin app?''' + === What is the default login for the manager and admin app? 
=== The admin and manager application do not provide a default login. Doing so is a security flaw. You need to edit $CATALINA_HOME/conf/tomcat-users.xml if you are using the default install. [[http://tomcat.apache.org/tomcat-6.0-doc/manager-howto.html#Configuring%20Manager%20Application%20Access|Configuring Manager Application Access]] + <<Anchor(Q6)>> - <<Anchor(Q6)>>'''How do I restrict access by ip address or remote host?''' + === How do I restrict access by ip address or remote host? === By using the {{{RemoteHostValve}}} or {{{RemoteAddrValve}}}. Warning, these valves rely on accurate incoming ip addresses or hostnames. So they can fall victim to spoofing! See also {{{RemoteIpValve}}}. [[http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html|Valve Reference Link]] + <<Anchor(Q7)>> - <<Anchor(Q7)>>'''How do I use jsvc/procrun to run Tomcat on port 80 securely?''' + === How do I use jsvc/procrun to run Tomcat on port 80 securely? === Fairly easily ;) See the Setup page in the docs for your tomcat release, and read [[http://marc.info/?l=tomcat-user&m=108566020231438&w=2|this mailing list post]] for a complete setup example with permissions etc. + <<Anchor(Q8)>> - <<Anchor(Q8)>>'''Has Tomcat's security been independently analyzed or audited?''' + === Has Tomcat's security been independently analyzed or audited? === Yes, by numerous organizations and individuals, many times. Try [[http://www.google.com/search?q=is+tomcat+secure|this Google search]] and you'll see many references, guides, and analyses. + <<Anchor(Q9)>> - <<Anchor(Q9)>>'''How do I change the Server header in the response?''' + === How do I change the Server header in the response? === In `server.xml` - add a "server" attribute to the Connector element. http://tomcat.apache.org/tomcat-6.0-doc/config/http.html - <<Anchor(Q10)>>'''Why are passwords in plain text?''' + <<Anchor(Q10)>> + === Why are passwords in plain text? === We have a page dedicated to this topic. 
[[FAQ/Password]]
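Review bot: the retitled Q2 entry in the Questions list, "Oh no! Port 8005 is available for anyone on localhost to shutdown my tomcat!", still uses lower-case "tomcat" and "shutdown" as a verb, which is inconsistent with the capitalised "Tomcat" in the Q3 and Q7 titles and the Q5 answer in the same patch; since this commit is already fixing the case of that title, change it to "... on localhost to shut down my Tomcat!" both here and in the matching Q2 heading in the Answers section, so the link text and the heading it points at stay identical.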
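Review bot: the converted Q5 heading, "+ === What is the default login for the manager and admin app?", is the only one in this hunk whose closing "===" appears on the following line instead of at the end of the heading line. If that is how rev 12 was saved rather than an artefact of mail wrapping, MoinMoin will not render it as a Header 3 (the opening and closing "===" must be on one line), and the <<Anchor(Q5)>> target from the Questions list will sit above an unformatted line; check the saved page and keep the closing "===" on the same line as the heading text, as was done for Q1 to Q4 and Q6 to Q10.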