Apache Tomcat Security Handbook

Tomcat is the official reference implementation for the Java servlet and JavaServer Pages technologies and has long been heralded as an excellent platform for the development and deployment of powerful Web applications. It can either run as a stand-alone server or integrate itself with the Apache webserver to add more power to its static content serving capability.

With more and more Tomcat servers finding their way into production, there is a definitive need for Tomcat servers to run with a secure policy; and in that respect, security is becoming more of an imperative than just a policy definition. A definitive security policy is a benchmark for analyzing the amount of trust that you can place on JSP pages, web applications, and the permissions that you can grant to install them. It is also your best line of defense against the potential vulnerabilities that can be impacted by Trojan Java packages, JSP tag libraries and webapplications.

This book is targeted at Tomcat developers, who are contemplating use of Tomcat for production-level deployment and the one's that have already taken to embracing this promising option. We will assume a working knowledge of Java web applications, competence with JSPs and servlets. Very precisely, the core target reader will be the experienced tomcat developer, who wants to know the potential problem spaces that exist within the tomcat security domain and the options that are available to circumvent these problem spaces.