JIRA 4.3 : Tomcat security best practices
This page last changed on Apr 19, 2010 by rosie@atlassian.com.
The following outlines some basic techniques to secure an Apache Tomcat instance. This is a basic must-do list and should not be considered comprehensive. For more advanced security topics see the "Further Information" section below. User PermissionsTomcat should never be run as a privileged user (root on UNIX or Admistrator or Local System on Windows). Tomcat should be run as a low-privilege user. Ideally it should be run as a user created only for the purpose of running one application. In practice this means you can't run it on port 80. If you need to run Tomcat on port 80, you should put it behind a webserver such as Apache; see Integrating JIRA with Apache for an example configuration. Unix/Linux cheat-sheet
Windows cheat-sheet
Tomcat Installation PermissionsThe Tomcat installation directory (sometimes referred to as CATALINA_HOME) should be installed as a user that is different to the one it will be run as. Under Linux, unpacking the Tomcat distribution as root is the simplest method of doing this. Unfortunately, Tomcat does require write access to some directories in the distribution directory, but they should be enabled only as needed. Tomcat ships with some default admin applications in its webapps directory. Unless you need these they should be disabled. Unix/Linux cheat-sheet
Windows cheat-sheetNote: If your host is part of a Domain/Active Directory, consult your Windows system administrator sysadmins to get the right permissions.
Web-Application Installation PermissionsThe directory you unpack the application WAR into should not be writable by the Tomcat user (i.e. jira-tomcat in the examples above). Again, the simplest method to do this is to unpack the WAR as root. Unix/Linux cheat-sheet
Windows cheat-sheet
Further Information![]() ![]() ![]() ![]() |
![]() |
Document generated by Confluence on Mar 27, 2011 18:49 |