Book Description
It takes a book as versatile as its subject to cover Apache Tomcat, the popular open source Servlet and JSP container and high performance web server. Tomcat: The Definitive Guide is a valuable reference for administrators and webmasters, a useful guide for programmers who want to use Tomcat as their web application server during development or in production, and an excellent introduction for anyone interested in Tomcat.
Updated for the latest version of Tomcat, this new edition offers a complete guide to installing, configuring, maintaining and securing this servlet container. In fact, with such a wealth of new information, this is essentially a new book rather than a simple revision. You will find details for using Tomcat on all major platforms, including Windows, Linux, OS X, Solaris, and FreeBSD, along with specifics on Tomcat configuration files, and step-by-step advice for deploying and running web applications.
This book offers complete information for:
- Installation and startup procedures
- Configuring Tomcat, including realms, roles, users, servlet sessions, and JNDI resources such as JDBC DataSources
- Deploying web applications: individual servlets and JSP pages, and web application archive files
- Tuning Tomcat to measure and improve performance
- Integrating Tomcat with Apache Web Server
- Securing Tomcat to keep online thugs at bay
- Tomcat configuration files: server.xml, web.xml, and more
- Debugging and troubleshooting: diagnosing problems with Tomcat or a web application
- Compiling your own Tomcat, rather than using the pre-built release
- Running two or more Tomcat servlet containers in parallel
About the Author
Jason Brittain is a Senior Principal Software Engineer for Orbital Sciences Corporation, working at NASA's Ames Research Center on the Kepler Space Telescope mission (http://kepler.nasa.gov).
Jason is a co-author of Tomcat: The Definitive Guide, now in its second edition, and has written some web articles for O'Reilly's OnJava.com web site.
Before joining the team on the Kepler mission, Jason was a Senior Software Engineer at Symantec Corporation working on the Brightmail AntiSpam appliance product line's control center web application.
Jason's specialties include Java software development, Tomcat web application development and deployment, scalability and fault tolerance, Apache Ant build systems, and Linux system administration. He has contributed to many Apache Jakarta projects and has been an active open source software developer for several years.
Ian Darwin has worked in the computer industry for three decades: with Unix since 1980, Java since 1995, and OpenBSD since 1998. He wrote the freeware file(1) command used on Linux and BSD and is the author of "Checking C Programs with Lint" and "Java Cookbook" (both O'Reilly), as well as over 70 articles, in addition to university and commercial course material on C and Unix. Besides programming and consulting, Ian teaches Unix, C, and Java for Learning Tree International, one of the world's largest technical training companies.
Excerpted from Tomcat: The Definitive Guide by Ian F. Darwin and Jason Brittain. Copyright © 2003. Reprinted by permission. All rights reserved.
Introduction
Everyone needs to be concerned about security, even if you're just a mom-and-pop shop or someone running a personal web site with Tomcat. Once you're connected to the big bad Internet, it is important to be proactive about security. There are a number of ways that bad guys can mess up your system if you aren't. Worse, they can use your system as a launching pad for attacks on other sites.
In this chapter, we detail what security is and how to improve it in Tomcat. Still, lest you have any misconceptions, there is no such thing as a perfectly secure computer, unless it is powered off, encased in concrete, and guarded by both a live guard with a machine gun and a self-destruct mechanism in case the guard is overpowered. Of course, a perfectly secure computer is also a perfectly unusable computer. What you want is for your computer system to be "secure enough."
A key part of security is encryption. E-commerce, or online sales, became one of the killer applications for the Web in the late 1990s. Sites such as eBay.com and Dell Computer handle hundreds of millions of dollars in retail and business transactions over the Internet. Of course, these sites are driven by programs, oftentimes the servlets and JSPs that run within a container like Tomcat. So, security of your Tomcat server is a priority.
This chapter briefly covers the basics of securing a server machine that runs Tomcat, and then goes on to discuss security within Tomcat. We look at operating systems (which OS you run does make a difference) and programming language issues. Next, we tell you about the conflicting security policies of Apache httpd and Tomcat. Then, we show how Tomcat's built-in SecurityManager works and how to configure and use a security policy within Tomcat. We then go over the details of chrooting Tomcat for OS-level security. Next, we discuss filtering out bad user input and show you a Tomcat Valve that you can use to filter out malicious code. Finally, we show you how to configure the Tomcat standalone web server to use SSL so that it runs as a secure (HTTPS) web server.
Securing the System
There is an old saying that "a chain is only as strong as its weakest link." This certainly applies to security. If your system can be breached at any point, it is insecure. So, you do need to consider the operating system, both to choose a good one (such as OpenBSD, which has had only one known remote security hole in its default installation in about six years) and to configure it well.
As a general rule, the more people that use any given operating system and read its source code, the more security holes can be found and fixed. That's both good and bad. It's good for those who stay up-to-date with known security holes and spend the time to upgrade their OS with the relevant fixes; it's bad for those who never fix the holes that become public knowledge. For the latter, malicious users will devise exploits for those holes. Regardless of what OS you choose, you must be proactive about watching for and patching the security holes in your operating system.