Security Basics


Levels of security. Each level depends upon the rows indented below it.

  • Web Application Security
    • Server Security
      • Network Security
      • O.S. Security
        • Physical Security

Tomcat security basics

Make sure your machine has user accounts with good passwords, particularly for the root account. Also:

  • Remove guest accounts
  • Restrict sensitive files (like password files, and the realm file described below) to a single user
  • Ensure root-owned files are not world readable or writeable
  • Log failed login attempts
  • Disable unneeded services or daemons

Always run a service as its own dedicated user or, failing that, as the special user nobody. A dedicated user (e.g. tomcat) is preferable: on many systems nobody is shared by several daemons, so a compromise of any one of them reaches Tomcat's files as well.

authentication
the process and mechanism of verifying that a user is who they claim to be
authorization
the process of deciding which areas of an application an authenticated user can access; done through roles
roles
named groups that are assigned to users and mapped, in the application's web.xml, to URL patterns (pages or resources)

Authentication and authorization are declared at the Web application level (in web.xml). The application relies on Tomcat, the servlet container, to provide the actual mechanism; this is called container-managed security.

Tomcat provides several realm implementations (a realm is the store of users, passwords and roles that the container checks credentials against). The three covered here are:

  1. a simple XML file (known as the memory realm, org.apache.catalina.realm.MemoryRealm)
  2. a database table (JDBCRealm, or DataSourceRealm when the connection pool is container-managed)
  3. an LDAP (Lightweight Directory Access Protocol) server (the LDAP realm is called the JNDI - Java Naming and Directory Interface - realm, org.apache.catalina.realm.JNDIRealm)

A <Realm> element can be nested at several levels of server.xml. There is at most one per container, and the innermost one in effect for an application wins:

  • server (the UserDatabase resource in <GlobalNamingResources>, consumed through a UserDatabaseRealm)
  • engine (applies to every host)
  • host (applies to every application on that host)
  • application (inside that application's <Context>)

Since Tomcat is a Java process, it can also run under the Java Security Manager (catalina.sh start -security), which sandboxes what web application code may do (file, socket and reflection access) at the cost of maintaining the policy file conf/catalina.policy.

Running Tomcat as nobody user

You must change the file ownerships to the nobody user and then run it as the nobody user; e.g.,

 
# hand the whole install to nobody (see the caveat below for a tighter layout)
sudo chown -R nobody:nogroup /usr/local/lib/tomcat

# start as nobody; use the full path, since sudo resets PATH, and make sure
# CATALINA_HOME and JAVA_HOME are set in the environment catalina.sh sees
sudo -u nobody /usr/local/lib/tomcat/bin/catalina.sh start

Two caveats. First, an unprivileged user cannot bind ports below 1024, so Tomcat stays on 8080/8443; put a proxy or a port-forwarding firewall rule in front if you need 80/443. Second, giving the service user ownership of the whole tree means a compromised web application can rewrite server.xml, web.xml and the deployed code itself. Tighter: keep the install owned by root and read-only to the service user, and grant it write access only to logs, temp and work (and to webapps only if you rely on autoDeploy).

Tomcat 5 Authentication Example using memory realm (file-based authentication store)

  1. Set up password file (in $CATALINA_HOME/conf)
  2. create user account with digested password
  3. configure memory realm in server.xml
  4. edit the web.xml file for the application

Creating a digested password. digest.sh (in $CATALINA_HOME/bin) can use any of three algorithms; SHA1 is the strongest of the three and MD2 is obsolete. All three produce a plain, unsalted hash of the password, printed as lowercase hex. That stops casual reading of the file but not an offline dictionary attack by anyone who obtains it, so the realm file still needs protecting.

 
./digest.sh -a sha1 secret
secret:e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4
./digest.sh -a md5 secret
secret:5ebe2294ecd0e0f08eab7690d2a6ee69
./digest.sh -a md2 secret
secret:aa1865139a1caceabfa45e6635aa7761

Here is a sample password file. For our example it is called unleashed-users.xml. Treat it like /etc/shadow: owned by the service user and readable by nobody else.

 
<?xml version="1.0" encoding="utf-8"?>
<tomcat-users>
    <role rolename="tester" />
    <user username="admin" password="e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4" roles="tester" />
</tomcat-users>
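The digest step and the realm file above, reproduced in Python as an added example (not code from the original page or from Tomcat): the same unsalted hex digest that digest.sh prints, a parser for the tomcat-users.xml format, the comparison MemoryRealm performs at login, and a wordlist guess against the stored digest to show why the file needs protecting. The embedded XML copy and the three-word wordlist are constructed for the example.

```python
# Added example (not code from the original page or from Tomcat): reproduce
# what digest.sh and MemoryRealm do with a digested password, then show why an
# unsalted digest is cheap to guess offline.
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed copy of the page's unleashed-users.xml, embedded so the example
# runs offline. The stored value is SHA-1("secret"), as printed by digest.sh.
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="utf-8"?>
<tomcat-users>
    <role rolename="tester" />
    <user username="admin" password="e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4" roles="tester" />
</tomcat-users>
"""

# The Realm's digest="..." attribute takes JCA algorithm names; "SHA" means SHA-1.
# MD2 is listed for completeness only: most current OpenSSL builds no longer ship it.
_JCA_TO_HASHLIB = {"SHA": "sha1", "SHA1": "sha1", "SHA-1": "sha1", "MD5": "md5", "MD2": "md2"}


def tomcat_digest(password: str, algorithm: str = "SHA") -> str:
    """Same output as `digest.sh -a <alg> <password>`: lowercase hex of the raw hash, no salt."""
    return hashlib.new(_JCA_TO_HASHLIB[algorithm.upper()], password.encode("utf-8")).hexdigest()


def load_users(xml_text: str) -> dict:
    """Parse a tomcat-users.xml document into {username: (stored_digest, set_of_roles)}."""
    users = {}
    for u in ET.fromstring(xml_text.encode("utf-8")).iter("user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        users[u.get("username")] = (u.get("password"), roles)
    return users


def authenticate(users: dict, username: str, password: str, algorithm: str = "SHA"):
    """Mimic MemoryRealm: digest the submitted password and compare it with the stored digest.
    Returns the user's roles on success, None on failure (unknown user or wrong password)."""
    entry = users.get(username)
    if entry is None:
        return None
    stored, roles = entry
    submitted = tomcat_digest(password, algorithm)
    # Constant-time comparison; compare_digest wants bytes (or ASCII-only str).
    if hmac.compare_digest(stored.encode("utf-8"), submitted.encode("utf-8")):
        return roles
    return None


def crack_digest(stored_digest: str, wordlist, algorithm: str = "SHA"):
    """Offline guessing against a leaked realm file. With no salt, one hash per candidate
    covers every user who chose that password, and precomputed tables apply directly."""
    for candidate in wordlist:
        if tomcat_digest(candidate, algorithm) == stored_digest:
            return candidate
    return None


if __name__ == "__main__":
    users = load_users(TOMCAT_USERS_XML)
    print("admin/secret ->", authenticate(users, "admin", "secret"))  # {'tester'}
    print("admin/Secret ->", authenticate(users, "admin", "Secret"))  # None
    # A constructed three-word list stands in for a real wordlist.
    leaked = users["admin"][0]
    print("recovered:", crack_digest(leaked, ["password", "123456", "secret"]))  # secret
```

Run it directly to see the login check succeed and the stored SHA1 fall to the third guess; any real password list works in place of the three words. hashlib may refuse "md2" on current OpenSSL builds, which is one more reason to leave that option alone.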

Then the server.xml file needs to be updated as follows. The digest attribute must name the same algorithm used with digest.sh (SHA means SHA1), pathname is relative to $CATALINA_HOME, and because the Realm sits inside <Host> it serves every application on that host:

 
      <Host name="localhost" debug="0" appBase="/usr/local/lib/webapps"
        unpackWARs="true" autoDeploy="false" deployOnStartup="false">

        <Realm className="org.apache.catalina.realm.MemoryRealm" debug="0"
            digest="SHA" pathname="conf/unleashed-users.xml" />

        <Logger className="org.apache.catalina.logger.FileLogger"
                 directory="logs"  prefix="localhost_log." suffix=".txt"
            timestamp="true"/>

      </Host>

The web.xml for our test Web application is updated as follows. The <security-constraint> lists no <http-method>, so /resources.jsp is protected for every HTTP method, which is what you want (listing specific methods leaves the unlisted ones open):

 
<web-app>
    <display-name>Tomcat Unleashed Examples Application</display-name>
    <description>
        The example application for Tomcat Unleashed
    </description>

    <security-constraint>
        <display-name>Authentication Test</display-name>
        <web-resource-collection>
            <web-resource-name>Resources</web-resource-name>
            <url-pattern>/resources.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tester</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Unleashed</realm-name>
    </login-config>
</web-app>

Possible values for the <auth-method> tag are:

BASIC
The browser shows its built-in login dialog (triggered by the WWW-Authenticate header, not by JavaScript) and sends the credentials Base64-encoded in the Authorization header on every request. Base64 is reversible, so BASIC must only be used over SSL; add a <user-data-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee> to the security constraint so Tomcat redirects to HTTPS first.
FORM
Prompts the user with an HTML form, defined in a <form-login-config> block within the same <login-config> block. The form posts j_username and j_password to j_security_check, in the clear unless SSL is used.
DIGEST
The browser shows the same login dialog but returns an MD5 digest of the credentials (RFC 2617) rather than the password itself. Support is not limited to Internet Explorer, but the realm must hold passwords in a form the server can digest against: for a digested realm file that is MD5 of username:realm:password, not the plain digest produced above.
CLIENT-CERT
Requires a client-side SSL certificate; the user is identified by the certificate's subject.

The <realm-name> in the <login-config> block is not a Tomcat realm. For BASIC it is only the label shown in the login dialog; for DIGEST it also enters the hash the browser computes, so it must match the realm string used when the passwords were digested.
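What BASIC and DIGEST actually put on the wire, as an added example (not code from the page or from Tomcat): both sides of the exchange for a constructed GET of /resources.jsp with the page's realm-name Unleashed, using fixed stand-in nonce, nc and cnonce values and the qop="auth" form of RFC 2617. It shows that the BASIC header is plain Base64 and that the DIGEST server needs only MD5(username:realm:password), which is what ties a digested realm store to the <realm-name>.

```python
# Added example (not from the original page or from Tomcat): the Authorization
# header values for the BASIC and DIGEST auth-methods, built per RFC 2617 for a
# constructed request. nonce/nc/cnonce are fixed stand-ins for generated values.
import base64
import hashlib
import hmac


def _md5hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_authorization(username: str, password: str) -> str:
    """Header the browser sends after the BASIC dialog: Base64 encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def basic_credentials(header: str) -> tuple:
    """What anyone between browser and server recovers from a BASIC header."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pw


def digest_ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password). It is the only secret the server needs,
    so a realm holding digested passwords for DIGEST must store exactly this value, and
    the realm string must equal the <realm-name> in web.xml."""
    return _md5hex(f"{username}:{realm}:{password}")


def _digest_finish(ha1, method, uri, nonce, nc, cnonce, qop):
    """Shared tail of the computation: HA2 = MD5(method:uri), then the response hash."""
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2). The password never leaves the browser."""
    return _digest_finish(digest_ha1(username, realm, password), method, uri, nonce, nc, cnonce, qop)


def server_verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute from the stored HA1 plus the request fields and compare."""
    expected = _digest_finish(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected.encode("utf-8"), response.encode("utf-8"))


if __name__ == "__main__":
    hdr = basic_authorization("admin", "secret")
    print(hdr, "->", basic_credentials(hdr))  # trivially reversible
    nonce, nc, cnonce = "5f1e2d3c", "00000001", "0a4f113b"  # constructed values
    ha1 = digest_ha1("admin", "Unleashed", "secret")  # what the realm store must hold
    resp = digest_response("admin", "Unleashed", "secret", "GET", "/resources.jsp", nonce, nc, cnonce)
    print("digest response:", resp)
    print("verified:", server_verify_digest(ha1, "GET", "/resources.jsp", nonce, nc, cnonce, resp))
```

Changing the realm string on either side, or replaying a response under a different nonce, makes verification fail, which is the property BASIC lacks: a captured Basic header is reusable as-is.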


Page last modified on October 06, 2005, at 02:01 PM