Presented by Mark Thomas, committer on Tomcat for five years

Few Tomcat attacks in the wild have been reported. One, reported in July 2008, involved attackers installing a web application always named fex*.war (* standing for anything) that gave them a shell on the server; if Tomcat was running as root, game over. It was being installed through deployed servers whose Tomcat admin application had not been secured (blank or default passwords), which is obviously a very poor idea.

How can you protect yourself against Tomcat security attacks? Read more to find out.

The first rule of thumb is to take the standard precautions: OS hardening, firewalls, and so on. Next, uninstall all of the default Tomcat applications (docs, examples, host-manager, manager and the default ROOT application); they belong in development environments, not on production servers. You can run Tomcat under a security manager, but this is not a well-tested configuration, so test your application completely under it before deploying that way.

Tomcat is reasonably secure by default. One of the first things you can do is strip most of server.xml, comments included, so that what remains is easy to read. Setting port="-1" on the <Server ... /> element disables the shutdown port altogether; if you keep the shutdown port, its shutdown command string should obviously be strong (long and random). Another tip, related to availability rather than security: the native <Listener ... /> is not well supported on Solaris.
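As an added example (not from the talk or from the Tomcat project), the following Python script audits a CATALINA_BASE directory for the three problems covered so far: default webapps still deployed, accounts with deploy rights but blank or well-known passwords (the misconfiguration the fex*.war attackers exploited), and a shutdown port left enabled with the default or a short command string. The deploy-role names, the weak-password list and the embedded tomcat-users.xml and server.xml samples are assumptions constructed for the example.

```python
"""Audit a Tomcat CATALINA_BASE for default webapps, weak manager accounts
and a weak shutdown port.  Usage:  python tomcat_audit.py /path/to/CATALINA_BASE
(Example code written for these notes, not part of Tomcat.)"""
import os
import secrets
import sys
import xml.etree.ElementTree as ET

# Applications shipped with Tomcat that have no place on a production server.
DEFAULT_WEBAPPS = ("docs", "examples", "host-manager", "manager", "ROOT")

# Roles that let a user deploy a WAR: "manager" in Tomcat 5.5/6, the finer
# manager-*/admin-* roles in later releases (assumed list).
DEPLOY_ROLES = frozenset({"manager", "manager-gui", "manager-script",
                          "manager-jmx", "admin", "admin-gui", "admin-script"})

# Blank plus passwords that appear in shipped tomcat-users.xml example
# comments and in default-credential lists (assumed list).
WEAK_PASSWORDS = frozenset({"", "tomcat", "s3cret", "admin", "manager",
                            "password", "role1", "changeit"})


def _local(tag):
    """Strip a namespace ("{uri}user" -> "user"); newer files carry one."""
    return tag.rsplit("}", 1)[-1]


def default_webapps_present(entries):
    """Default webapps found in a listing of the webapps directory."""
    found = []
    for name in entries:
        base = name[:-4] if name.endswith(".war") else name
        if base in DEFAULT_WEBAPPS and base not in found:
            found.append(base)
    return found


def weak_manager_users(tomcat_users_xml):
    """(username, reason) for each user with a deploy role whose password is
    blank, well known, equal to the username, or short.  Digested passwords
    are long hex strings and pass these checks."""
    findings = []
    for elem in ET.fromstring(tomcat_users_xml).iter():
        if _local(elem.tag) != "user":
            continue
        name = elem.get("username") or elem.get("name") or "?"
        roles = {r.strip() for r in elem.get("roles", "").split(",")}
        if not roles & DEPLOY_ROLES:
            continue
        pw = elem.get("password", "")
        if pw.lower() in WEAK_PASSWORDS or pw.lower() == name.lower():
            findings.append((name, "blank or well-known password"))
        elif len(pw) < 12:
            findings.append((name, "short password"))
    return findings


def shutdown_findings(server_xml):
    """Findings for the <Server> shutdown port.  port="-1" disables it; otherwise
    the command string must not be the default and must be long."""
    server = ET.fromstring(server_xml)
    if _local(server.tag) != "Server":
        return ["root element is not <Server>"]
    port = server.get("port", "8005").strip()
    if port == "-1":
        return []
    findings = ["shutdown port %s is enabled (listening on %s)"
                % (port, server.get("address", "localhost"))]
    command = server.get("shutdown", "SHUTDOWN")
    if command == "SHUTDOWN":
        findings.append("shutdown command is the default 'SHUTDOWN'")
    elif len(command) < 16:
        findings.append("shutdown command is only %d characters" % len(command))
    return findings


def new_shutdown_command():
    """A long random shutdown string for installs that must keep the port."""
    return secrets.token_urlsafe(32)


def audit_install(catalina_base):
    """Run all three checks against a real CATALINA_BASE directory."""
    read = lambda *p: open(os.path.join(catalina_base, *p)).read()
    return {
        "default_webapps": default_webapps_present(
            os.listdir(os.path.join(catalina_base, "webapps"))),
        "weak_manager_users": weak_manager_users(read("conf", "tomcat-users.xml")),
        "shutdown": shutdown_findings(read("conf", "server.xml")),
    }


# Constructed samples: accounts of the kind the fex*.war attackers abused,
# and a server.xml before and after hardening.
SAMPLE_USERS_XML = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager"/>
  <user username="admin" password="" roles="manager"/>
  <user username="deploy" password="q7Vx!pL2#mR9wTz4Bk" roles="manager"/>
  <user username="app" password="tomcat" roles="tomcat"/>
</tomcat-users>
"""
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""
HARDENED_SERVER_XML = SAMPLE_SERVER_XML.replace(
    'port="8005" shutdown="SHUTDOWN"', 'port="-1" shutdown="unused"')

if __name__ == "__main__":
    for check, result in audit_install(sys.argv[1]).items():
        print(check, result or "ok")
```

Note that the sample "deploy" account only passes because its password is long and not on the list; the script cannot tell a strong password from a merely unusual one, so treat a clean run as the absence of obvious defaults, not as proof of good credentials. Where a real install keeps the shutdown port, `new_shutdown_command()` gives a string long enough to paste into the `shutdown` attribute.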

Note on the following points: there was a lot to cover and he moved through it quickly, so these notes are sparse, but they are his recommended best practices. He said to email the users list with any further questions.

<Connector ... />

AJP specific configuration:

<Host ... />

<Context ... />

<Valve ... />

<Realm ... />

<Manager ... />

System properties

Other points: