Tomcat security

  • Configure security
  • Application security
  • Transport security
    • The HTTPS protocol
      • The SSL protocol
      • HTTPS versus HTTP
      • Advantages of the HTTPS protocol
    • Tomcat configuration HTTPS

Configure security

  • After Tomcat is installed, delete the default applications shipped in the webapps directory and disable the Tomcat management interface

  • Comment out or delete the user and role entries in the tomcat-users.xml file

  • Change or disable the Tomcat shutdown listener:

    • The port on which a Tomcat instance listens for the shutdown command is defined by the port attribute of the Server element in server.xml. The default port is 8005

    • Anyone who can open a Telnet connection to that port and send the default SHUTDOWN command stops the instance. The instance is shut down, although the process may still exist

    • So you need to change the shutdown port, the shutdown command, or both:

      • Option 1: Change the default port number and the shutdown command
      <Server port="8886" shutdown="tomcat_shutdown">
      • Option 2: Disable the port on which Tomcat listens for the shutdown command (a port value of -1 turns the listener off)
      <Server port="-1" shutdown="SHUTDOWN">
  • Custom error pages:

    • Create the custom error pages 404.html and 500.html in the webapps/ROOT directory
    • Then register them in tomcat/conf/web.xml. The location is a path relative to the web application root and must start with a slash; entries in conf/web.xml apply to every web application deployed on the instance, so each application needs its own copy of the pages
    <error-page>
    	<error-code>404</error-code>
    	<location>/404.html</location>
    </error-page>
    
    <error-page>
    	<error-code>500</error-code>
    	<location>/500.html</location>
    </error-page>

Application security

  • Most web applications, especially back-office systems, implement a security and permission management module to control access to the system

  • Application security consists of two parts:

    • Authentication:

      • Login
      • Single sign-on (SSO)
    • Authorization:

      • Functional permissions (which features a user may use)
      • Data access permissions (which data a user may see)
  • For a business system, you can build a permission module specific to that system, or integrate a full-featured security framework into the web application, such as Spring Security or Apache Shiro

Transport security

The HTTPS protocol

  • HTTPS: Hypertext Transfer Protocol Secure

    • HTTPS is a secure network transmission protocol
    • HTTPS adds SSL or TLS on top of HTTP to encrypt the data exchanged, so that it cannot be read or stolen in transit

The SSL protocol

  • SSL and TLS are encryption protocols used to secure network communication, allowing clients and servers to communicate over secure links

  • The SSL protocol has the following features:

    • Privacy: data transmitted over the SSL link is encrypted
    • Authentication: identification of the communicating parties; at least one of them (normally the server) must be verified, and verifying the other side is usually optional
    • Integrity: the integrity of the transmitted data is checked
  • Encryption and decryption are computationally expensive, so from a performance perspective it is not necessary to use SSL for the entire web application. In a real deployment, only the pages that transmit sensitive information are selected to use SSL communication

HTTPS versus HTTP

  • For HTTPS, you need to obtain an SSL certificate from a certificate authority (CA) and bind it to the domain name. HTTP needs no certificate
  • HTTPS is HTTP with SSL encryption added: it encrypts the data in transit and can be seen as the secure upgrade of HTTP, which is the plain hypertext transfer protocol at the application layer
  • HTTPS and HTTP use different connection setups and different default ports. In Tomcat's default configuration HTTPS uses port 8443 and HTTP uses port 8080 (the standard protocol ports are 443 and 80)
  • HTTPS is a network protocol built on SSL and HTTP that encrypts the transmission and authenticates identities. It is more secure than HTTP, which is a simple, stateless protocol

Advantages of the HTTPS protocol

  • Improves site ranking, which is good for SEO
  • Sensitive information is encrypted, which prevents traffic hijacking
  • Trusted by browsers

Tomcat configuration HTTPS

  • Generate a keystore file: keytool prompts for the keystore password and the key password, then writes the keystore file in the current directory
keytool -genkey -alias tomcat -keyalg RSA -keystore tomcatkey.keystore
  • Copy the tomcatkey.keystore file to the tomcat/conf directory
  • Configure the HTTPS connector in tomcat/conf/server.xml (the attribute is scheme, not schema; certificateVerification="false" means clients are not asked for a certificate)
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" scheme="https" SSLEnabled="true">
	<SSLHostConfig certificateVerification="false">
		<Certificate certificateKeystoreFile="conf/tomcatkey.keystore" certificateKeystorePassword="tomcat" type="RSA"></Certificate>
	</SSLHostConfig>
</Connector>
  • Tomcat can now be reached over HTTPS at https://localhost:8443. The certificate generated by keytool is self-signed, so browsers show a trust warning until a CA-issued certificate is installed in the keystore
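As an added example (not code from the original post or from the Tomcat project), the POSIX shell script below checks a server.xml for the two hardening points covered on this page: whether the shutdown listener still uses the default port 8005 and command SHUTDOWN (or has been disabled with port -1), and whether an HTTPS connector with SSLEnabled="true" exists and carries the correctly spelled scheme="https" attribute. The configuration embedded in it is constructed for the example; the attribute-parsing helpers assume double-quoted attribute values and a single Server element, and the script name is hypothetical.

```shell
#!/bin/sh
# Audit script for the server.xml hardening points above (shutdown listener and
# HTTPS connector). Added example, not part of the original post or of Tomcat.
# Assumptions: POSIX sh with sed and tr; attribute values are double-quoted; one
# <Server> element. Run with a path to a real server.xml, or with no argument to
# audit the constructed sample below.

# Constructed sample: an unhardened config that also carries the "schema" misspelling.
SAMPLE_SERVER_XML='<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" schema="https" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/tomcatkey.keystore"
                     certificateKeystorePassword="tomcat" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>'

# Put the whole document on one line so that element attributes may span lines.
flatten() { tr '\n' ' '; echo; }

# server_attr CONFIG ATTR: value of ATTR on the <Server> element, empty if absent.
server_attr() {
  printf '%s' "$1" | flatten |
    sed -n 's/.*<Server[^>]*[[:space:]]'"$2"'="\([^"]*\)".*/\1/p'
}

# ssl_connector_tag CONFIG: start tag of the connector with SSLEnabled="true", empty if none.
ssl_connector_tag() {
  printf '%s' "$1" | flatten |
    sed -n 's/.*\(<Connector[^>]*[[:space:]]SSLEnabled="true"[^>]*>\).*/\1/p'
}

# check_shutdown CONFIG: returns 1 when the shutdown listener still uses the defaults.
check_shutdown() {
  port=$(server_attr "$1" port)
  cmd=$(server_attr "$1" shutdown)
  if [ "$port" = "-1" ]; then
    echo "OK: shutdown port is disabled"
    return 0
  fi
  status=0
  if [ "$port" = "8005" ]; then
    echo "WARN: shutdown port is still the default 8005"
    status=1
  fi
  if [ "$cmd" = "SHUTDOWN" ]; then
    echo "WARN: shutdown command is still the default SHUTDOWN"
    status=1
  fi
  return "$status"
}

# check_https CONFIG: returns 1 when no SSL connector exists or it lacks scheme="https".
check_https() {
  tag=$(ssl_connector_tag "$1")
  if [ -z "$tag" ]; then
    echo "WARN: no Connector with SSLEnabled=\"true\" found"
    return 1
  fi
  case "$tag" in
    *'scheme="https"'*)
      echo "OK: HTTPS connector present with scheme=\"https\""
      return 0 ;;
    *)
      echo "WARN: HTTPS connector lacks scheme=\"https\" (check for the schema= misspelling)"
      return 1 ;;
  esac
}

# audit_server_xml CONFIG: runs both checks; the return value is the number of failed checks.
audit_server_xml() {
  failures=0
  check_shutdown "$1" || failures=$((failures + 1))
  check_https "$1" || failures=$((failures + 1))
  return "$failures"
}

# Stand-alone entry point: audit the file given as $1, or the embedded sample.
if [ -n "${1:-}" ]; then cfg=$(cat "$1"); else cfg=$SAMPLE_SERVER_XML; fi
audit_server_xml "$cfg" || echo "audit: $? check(s) failed"
```

Run it as `sh audit_server_xml.sh /path/to/tomcat/conf/server.xml` (hypothetical file name); the exit status is the number of failed checks, so it can gate a deployment pipeline. The helpers are text matches on the flattened file, not an XML parser, so a Server or Connector element inside an XML comment is still matched; review any warning against the real configuration.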