Tomcat: The Definitive Guide
Product Description
Jakarta Tomcat is not only a commonly used open source servlet engine, it's become the de facto standard by which other servlet engines are measured. Powerful and flexible, it can be used as a standalone web server or in conjunction with another server, like Apache or IIS, to run servlets or JSPs. But mastery of Tomcat is not easy, because it's as complex as it is complete. This guide answers vexing questions that users, administrators, and developers alike have been asking. This concise guide provides much needed information to help harness Tomcat's power and wealth of features.
"Tomcat: The Definitive Guide" offers something for everyone who uses Tomcat. System and network administrators will find detailed instructions on installation, configuration, and maintenance. For users, it supplies insightful information on how to deploy Tomcat. And seasoned enterprise Java developers will have a complete reference to setting up, running, and using this powerful software.
The book begins with an introduction to the Tomcat server and includes an overview of the three types of server configurations: stand-alone, in-process, and out-of-process. The authors show how directories are laid out, cover the initial setup, and describe how to set the environment variables and modify the configuration files, concluding with common errors, problems, and solutions. In subsequent chapters, they cover:
- The server.xml configuration file
- Java Security manager
- Authentication schemes and Tomcat users
- The Secure Socket Layer (SSL)
- Tomcat JDBC Realms
- Installing servlets and JavaServer Pages
- Integrating Tomcat with Apache, IIS, and other servers
- Advanced Tomcat configuration
- And more
"Tomcat: The Definitive Guide" covers all major platforms, including Windows, Unix, Linux, and Mac OS X, contains details on Tomcat configuration files, and has a quick-start guide to get developers up and running with Java servlets and JavaServer Pages.
If you've struggled with this powerful yet demanding technology in the past, this book should provide the answers you need.
Product Details
- Amazon Sales Rank: #159510 in Books
- Published on: 2007-10-23
- Original language: English
- Number of items: 1
- Binding: Paperback
- 476 pages
Editorial Reviews
About the Author
Jason Brittain is a Senior Principal Software Engineer for Orbital Sciences Corporation, working at NASA's Ames Research Center on the Kepler Space Telescope mission (http://kepler.nasa.gov).
Jason is a co-author of Tomcat: The Definitive Guide, now in its second edition, and has written some web articles for O'Reilly's OnJava.com web site.
Before joining the team on the Kepler mission, Jason was a Senior Software Engineer at Symantec Corporation working on the Brightmail AntiSpam appliance product line's control center web application.
Jason's specialties include Java software development, Tomcat web application development and deployment, scalability and fault tolerance, Apache Ant build systems, and Linux system administration. He has contributed to many Apache Jakarta projects, and has been an active open source software developer for several years.
Ian Darwin has worked in the computer industry for three decades: with Unix since 1980, Java since 1995, and OpenBSD since 1998. He wrote the freeware file(1) command used on Linux and BSD and is the author of "Checking C Programs with Lint" and "Java Cookbook", as well as over 70 articles, in addition to university and commercial course material on C and Unix. Besides programming and consulting, Ian teaches Unix, C, and Java for Learning Tree International, one of the world's largest technical training companies.
Excerpted from Tomcat: the Definitive Guide by Ian F. Darwin, Jason Brittain. Copyright © 2003. Reprinted by permission. All rights reserved.
Chapter 6 - Tomcat Security
Introduction
Everyone needs to be concerned about security, even if you’re just a mom-and-pop shop or someone running a personal web site with Tomcat. Once you’re connected to the big bad Internet, it is important to be proactive about security. There are a number of ways that bad guys can mess up your system if you aren’t. Worse, they can use your system as a launching pad for attacks on other sites.
In this chapter, we detail what security is and how to improve it in Tomcat. Still, lest you have any misconceptions, there is no such thing as a perfectly secure computer, unless it is powered off, encased in concrete, and guarded by both a live guard with a machine gun and a self-destruct mechanism in case the guard is overpowered. Of course, a perfectly secure computer is also a perfectly unusable computer. What you want is for your computer system to be "secure enough."
A key part of security is encryption. E-commerce, or online sales, became one of the killer applications for the Web in the late 1990s. Sites such as eBay.com and Dell Computer handle hundreds of millions of dollars in retail and business transactions over the Internet. Of course, these sites are driven by programs, oftentimes the servlets and JSPs that run within a container like Tomcat. So, security of your Tomcat server is a priority.
This chapter briefly covers the basics of securing a server machine that runs Tomcat, and then goes on to discuss security within Tomcat. We look at operating systems (which OS you run does make a difference) and programming language issues. Next, we tell you about the conflicting security policies of Apache httpd and Tomcat. Then, we show how Tomcat’s built-in SecurityManager works and how to configure and use a security policy within Tomcat. We then go over the details of chrooting Tomcat for OS-level security. Next, we discuss filtering out bad user input and show you a Tomcat Valve that you can use to filter out malicious code. Finally, we show you how to configure the Tomcat standalone web server to use SSL so that it runs as a secure (HTTPS) web server.
Securing the System
There is an old saying that "a chain is only as strong as its weakest link." This certainly applies to security. If your system can be breached at any point, it is insecure. So, you do need to consider the operating system, both to choose a good one (such as OpenBSD, which has had only one known remote security hole in its default installation in about six years) and to configure it well.
As a general rule, the more people that use any given operating system and read its source code, the more security holes can be found and fixed. That’s both good and bad. It’s good for those who stay up-to-date with known security holes and spend the time to upgrade their OS with the relevant fixes; it’s bad for those who never fix the holes that become public knowledge. For the latter, malicious users will devise exploits for those holes. Regardless of what OS you choose, you must be proactive about watching for and patching the security holes in your operating system.
Customer Reviews
Gets you started
Nitpick: Many examples are literally the content of files as shipped from rpm, so getting the admin application going required a bit of role name guesswork or a trawl through the online docs.
Gives you the options on the configuring, connecting to db's/apache etc. Not really a tutorial, more of an ideas cookbook. Something I shall refer to as I demand more from Tomcat.
It is nice to have a concise text in one place on the subject.
Useful book
I quite like this book, not too terse and not too verbose. Useful as a reference book but with enough explanation to get you going if you're not familiar with the topic. Light years better than the online documentation but, given that the online documentation is often unreadable, that's not a particularly demanding benchmark. A useful and reliable guide.



