Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.
The "FAQ/Security" page has been changed by KonstantinKolinko: https://wiki.apache.org/tomcat/FAQ/Security?action=diff&rev1=16&rev2=17 Comment: Improve links. Add note on CVE-2009-3548 === Links === * Known vulnerabilities [[http://tomcat.apache.org/security.html]] - * Security considerations (Apache Tomcat 7 documentation) [[http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html]] + * Security considerations (Tomcat documentation) - [[http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html|Tomcat 8]], [[http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html|Tomcat 7]] == Questions == 1. [[#Q1|How do I use OpenSSL to set up my own Certificate Authority (CA)?]] @@ -58, +58 @@ <<Anchor(Q5)>> === What is the default login for the manager and admin app? === - The admin and manager application do not provide a default login. Doing so is a security flaw. You need to edit $CATALINA_HOME/conf/tomcat-users.xml if you are using the default install. [[http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Configuring%20Manager%20Application%20Access|Configuring Manager Application Access]] + The admin and manager application do not provide a default login. Doing so would be a security flaw. You need to edit $CATALINA_HOME/conf/tomcat-users.xml file if you are using the default install. See [[http://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html#Configuring_Manager_Application_Access|Configuring Manager Application Access]] for details. + + Note that there exists malware that tries to guess the manager password. + + There was once a bug that blindly clicking-trough the Windows installer configured a manager user with blank password ([[http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24|CVE-2009-3548]]). This was fixed by April 2010 (Tomcat 5.5.29, 6.0.24 and later are safe). <<Anchor(Q6)>> === How do I restrict access by ip address or remote host? === - By using the {{{RemoteHostValve}}} or {{{RemoteAddrValve}}}. 
Warning, these valves rely on accurate incoming ip addresses or hostnames. So they can fall victim to spoofing! See also {{{RemoteIpValve}}}. [[http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html|Valve Reference Link]] + By using the {{{RemoteHostValve}}} or {{{RemoteAddrValve}}}. Warning, these valves rely on accurate incoming ip addresses or hostnames. So they can fall victim to spoofing! See also {{{RemoteIpValve}}}. [[http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Access_Control|Valve Reference Link]] <<Anchor(Q7)>> === How do I use jsvc/procrun to run Tomcat on port 80 securely? === --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
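Review bot: in the new Q5 paragraph about CVE-2009-3548, "blindly clicking-trough the Windows installer configured a manager user" has a typo and reads awkwardly; suggest "blindly clicking through the Windows installer configured a manager user with a blank password". Two smaller wording points in the same hunk: "You need to edit $CATALINA_HOME/conf/tomcat-users.xml file" should read "edit the $CATALINA_HOME/conf/tomcat-users.xml file", and the new note "there exists malware that tries to guess the manager password" would be more useful if it stated the consequence for the reader, e.g. "so choose a strong, unique password when you add a manager user to tomcat-users.xml". In the Q6 part of the hunk, "ip addresses" should be "IP addresses" in the retained warning sentence.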