webapps/docs/security-howto.html

<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat 7 (7.0.42) - Security Considerations</title><style type="text/css" media="print">
            .noPrint {display: none;}
            td#mainBody {width: 100%;}
        </style><style type="text/css">
            code {background-color:rgb(224,255,255);padding:0 0.1em;}
            code.attributeName, code.propertyName {background-color:transparent;}
        </style><style type="text/css">
            .wrapped-source code { display: block; background-color: transparent; }
            .wrapped-source div { margin: 0 0 0 1.25em; }
            .wrapped-source p { margin: 0 0 0 1.25em; text-indent: -1.25em; }
        </style><style type="text/css">
            p.notice {
                border: 1px solid rgb(255, 0, 0);
                background-color: rgb(238, 238, 238);
                color: rgb(0, 51, 102);
                padding: 0.5em;
                margin: 1em 2em 1em 1em;
            }
        </style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img src="./images/tomcat.gif" align="right" alt="
      The Apache Tomcat Servlet/JSP Container
    " border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font face="arial,helvetica,sanserif">Version 7.0.42, Jul 2 2013</font></td><td><!--APACHE LOGO--><a href="http://www.apache.org/"><img src="./images/asf-logo.gif" align="right" alt="Apache Logo" border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap class="noPrint"><p><strong>Links</strong></p><ul><li><a href="index.html">Docs Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a href="#comments_section">User Comments</a></li></ul><p><strong>User Guide</strong></p><ul><li><a href="introduction.html">1) Introduction</a></li><li><a href="setup.html">2) Setup</a></li><li><a href="appdev/index.html">3) First webapp</a></li><li><a href="deployer-howto.html">4) Deployer</a></li><li><a href="manager-howto.html">5) Manager</a></li><li><a href="realm-howto.html">6) Realms and AAA</a></li><li><a href="security-manager-howto.html">7) Security Manager</a></li><li><a href="jndi-resources-howto.html">8) JNDI Resources</a></li><li><a href="jndi-datasource-examples-howto.html">9) JDBC DataSources</a></li><li><a href="class-loader-howto.html">10) Classloading</a></li><li><a href="jasper-howto.html">11) JSPs</a></li><li><a href="ssl-howto.html">12) SSL</a></li><li><a href="ssi-howto.html">13) SSI</a></li><li><a href="cgi-howto.html">14) CGI</a></li><li><a href="proxy-howto.html">15) Proxy Support</a></li><li><a href="mbeans-descriptor-howto.html">16) MBean Descriptor</a></li><li><a href="default-servlet.html">17) Default Servlet</a></li><li><a href="cluster-howto.html">18) Clustering</a></li><li><a href="balancer-howto.html">19) Load Balancer</a></li><li><a href="connectors.html">20) Connectors</a></li><li><a href="monitoring.html">21) Monitoring and Management</a></li><li><a href="logging.html">22) Logging</a></li><li><a href="apr.html">23) APR/Native</a></li><li><a href="virtual-hosting-howto.html">24) Virtual Hosting</a></li><li><a href="aio.html">25) Advanced IO</a></li><li><a href="extras.html">26) Additional Components</a></li><li><a href="maven-jars.html">27) Mavenized</a></li><li><a href="security-howto.html">28) Security Considerations</a></li><li><a href="windows-service-howto.html">29) Windows Service</a></li><li><a href="windows-auth-howto.html">30) Windows Authentication</a></li><li><a href="jdbc-pool.html">31) Tomcat's JDBC Pool</a></li><li><a href="web-socket-howto.html">32) WebSocket</a></li></ul><p><strong>Reference</strong></p><ul><li><a href="RELEASE-NOTES.txt">Release Notes</a></li><li><a href="config/index.html">Configuration</a></li><li><a href="api/index.html">Tomcat Javadocs</a></li><li><a href="servletapi/index.html">Servlet Javadocs</a></li><li><a href="jspapi/index.html">JSP 2.2 Javadocs</a></li><li><a href="elapi/index.html">EL 2.2 Javadocs</a></li><li><a href="http://tomcat.apache.org/connectors-doc/">JK 1.2 Documentation</a></li></ul><p><strong>Apache Tomcat Development</strong></p><ul><li><a href="building.html">Building</a></li><li><a href="changelog.html">Changelog</a></li><li><a href="http://wiki.apache.org/tomcat/TomcatVersions">Status</a></li><li><a href="developers.html">Developers</a></li><li><a href="architecture/index.html">Architecture</a></li><li><a href="funcspecs/index.html">Functional Specs.</a></li><li><a href="tribes/introduction.html">Tribes</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left" id="mainBody"><h1>Security Considerations</h1><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Table of Contents"><!--()--></a><a name="Table_of_Contents"><strong>Table of Contents</strong></a></font></td></tr><tr><td><blockquote>
<ul><li><a href="#Introduction">Introduction</a></li><li><a href="#Non-Tomcat_settings">Non-Tomcat settings</a></li><li><a href="#Default_web_applications">Default web applications</a></li><li><a href="#Security_manager">Security manager</a></li><li><a href="#server.xml">server.xml</a><ol><li><a href="#server.xml/General">General</a></li><li><a href="#Server">Server</a></li><li><a href="#Listeners">Listeners</a></li><li><a href="#Connectors">Connectors</a></li><li><a href="#Host">Host</a></li><li><a href="#Context">Context</a></li><li><a href="#Valves">Valves</a></li><li><a href="#Realms">Realms</a></li><li><a href="#Manager">Manager</a></li></ol></li><li><a href="#System_Properties">System Properties</a></li><li><a href="#web.xml">web.xml</a></li><li><a href="#General">General</a></li></ul>
</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote>
    <p>Tomcat is configured to be reasonably secure for most use cases by
    default. Some environments may require more, or less, secure configurations.
    This page is to provide a single point of reference for configuration
    options that may impact security and to offer some commentary on the
    expected impact of changing those options. The intention is to provide a
    list of configuration options that should be considered when assessing the
    security of a Tomcat installation.</p>

    <p><strong>Note</strong>: Reading this page is not a substitute for reading
    and understanding the detailed configuration documentation. Fuller
    descriptions of these attributes may be found in the relevant documentation
    pages.</p>
  </blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Non-Tomcat settings"><!--()--></a><a name="Non-Tomcat_settings"><strong>Non-Tomcat settings</strong></a></font></td></tr><tr><td><blockquote>
    <p>Tomcat configuration should not be the only line of defense. The other
    components in the system (operating system, network, database, etc.) should
    also be secured.</p>
    <p>Tomcat should not be run under the root user. Create a dedicated user for
    the Tomcat process and provide that user with the minimum necessary
    permissions for the operating system. For example, it should not be possible
    to log on remotely using the Tomcat user.</p>
    <p>File permissions should also be suitable restricted. Taking the Tomcat
    instances at the ASF as an example (where auto-deployment is disabled and
    web applications are deployed as exploded directories), the standard
    configuration is to have all Tomcat files owned by root with group Tomcat
    and whilst owner has read/write priviliges, group only has read and world
    has no permissions. The exceptions are the logs, temp and work directory
    that are owned by the Tomcat user rather than root. This means that even if
    an attacker compromises the Tomcat process, they can't change the
    Tomcat configuration, deploy new web applications or modify existing web
    applications. The Tomcat process runs with a umask of 007 to maintain these
    permissions.</p>
    <p>At the network level, consider using a firewall to limit both incoming
    and outgoing connections to only those connections you  expect to be
    present.</p>
  </blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Default web applications"><!--()--></a><a name="Default_web_applications"><strong>Default web applications</strong></a></font></td></tr><tr><td><blockquote>
    <p>Tomcat ships with a number of web applications by default.
    Vulnerabilities have been discovered in these applications in the past.
    Applications that are not required should be removed so the system will not
    be at risk if another vulnerability is discovered.</p>
  </blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Security manager"><!--()--></a><a name="Security_manager"><strong>Security manager</strong></a></font></td></tr><tr><td><blockquote>
    <p>Enabling the security manager causes web applications to be run in a
    sandbox, significantly limiting a web application's ability to perform
    malicious actions such as calling System.exit(), establishing network
    connections or accessing the file system outside of the web application's
    root and temporary directories. However, it should be noted that there are
    some malicious actions, such as triggering high CPU consumption via an
    infinite loop, that the security manager cannot prevent.</p>

    <p>Enabling the security manager is usually done to limit the potential
    impact, should an attacker find a way to compromise a trusted web
    application . A security manager may also be used to reduce the risks of
    running untrusted web applications (e.g. in hosting environments) but it
    should be noted that the security manager only reduces the risks of
    running untrusted web applications, it does not eliminate them. If running
    multiple untrusted web applications, it is recommended that each web
    application is deployed to a separate Tomcat instance (and ideally separate
    hosts) to reduce the ability of a malicious web application impacting the
    availability of other applications.</p>

    <p>Tomcat is tested with the security manager enabled; but the majority of
    Tomcat users do not run with a security manager, so Tomcat is not as well
    user-tested in this configuration. There have been, and continue to be,
    bugs reported that are triggered by running under a security manager.</p>

    <p>The restrictions imposed by a security manager are likely to break most
    applications if the security manager is enabled. The security manager should
    not be used without extensive testing. Ideally, the use of a security
    manager should be introduced at the start of the development cycle as it can
    be time-consuming to track down and fix issues caused by enabling a security
    manager for a mature application.</p>
  </blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="server.xml"><strong>server.xml</strong></a></font></td></tr><tr><td><blockquote>
    <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="server.xml/General"><strong>General</strong></a></font></td></tr><tr><td><blockquote>
      <p>The default server.xml contains a large number of comments, including
      some example component definitions that are commented out. Removing these
      comments makes it considerably easier to read and comprehend
      server.xml.</p>
      <p>If a component type is not listed, then there are no settings for that
      type that directly impact security.</p>
    </blockquote></td></tr></table>

    <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Server"><strong>Server</strong></a></font></td></tr><tr><td><blockquote>
      <p>Setting the <strong>port</strong> attribute to <code>-1</code> disables
      the shutdown port.</p>
      <p>If the shutdown port is not disabled, a strong password should be
      configured for <strong>shutdown</strong>.</p>
    </blockquote></td></tr></table>

    <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Listeners"><strong>Listeners</strong></a></font></td></tr><tr><td><blockquote>
      <p>The APR Lifecycle Listener is not stable if compiled on Solaris using
      gcc. If using the APR/native connector on Solaris, compile it with the
      Sun Studio compiler.</p>

      <p>The Security Listener should be enabled and configured as appropriate.
      </p>
    </blockquote></td></tr></table>

    <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Connectors"><strong>Connectors</strong></a></font></td></tr><tr><td><blockquote>
      <p>By default, an HTTP and an AJP connector are configured. Connectors
      that will not be used should be removed from server.xml.</p>

      <p>The <strong>address</strong> attribute may be used to control which IP
      address the connector listens on for connections. By default, the
      connector listens on all configured IP addresses.</p>

      <p>The <strong>allowTrace</strong> attribute may be used to enable TRACE
      requests which can be useful for debugging. Due to the way some browsers
      handle the response from a TRACE request (which exposes the browser to an
      XSS attack), support for TRACE requests is disabled by default.</p>

      <p>The <strong>maxPostSize</strong> attribute controls the maximum size
      of a POST request that will be parsed for parameters. The parameters are
      cached for the duration of the request so this is limited to 2MB by
      default to reduce exposure to a DOS attack.</p>

      <p>The <strong>maxSavePostSize</strong> attribute controls the saving of
      POST requests during FORM and CLIENT-CERT authentication. The parameters
      are cached for the duration of the authentication (which may be many
      minutes) so this is limited to 4KB by default to reduce exposure to a DOS
      attack.</p>

      <p>The <strong>maxParameterCount</strong> attribute controls the
      maximum number of parameter and value pairs (GET plus POST) that can
      be parsed and stored in the request. Excessive parameters are ignored.
      If you want to reject such requests, configure a
      <a href="config/filter.html">FailedRequestFilter</a>.</p>

      <p>The <strong>xpoweredBy</strong> attribute controls whether or not the
      X-Powered-By HTTP header is sent with each request. If sent, the value of
      the header contains the Servlet and JSP specification versions, the full
      Tomcat version (e.g. Apache Tomcat/7.0.0), the name of the JVM vendor and
      the version of the JVM. This header is disabled by default. This header
      can provide useful information to both legitimate clients and attackers.
      </p>

      <p>The <strong>server</strong> attribute controls the value of the Server
      HTTP header. The default value of this header for Tomcat 4.1.x, 5.0.x,
      5.5.x, 6.0.x and 7.0.x is Apache-Coyote/1.1. This header can provide
      limited information to both legitimate clients and attackers.</p>

      <p>The <strong>SSLEnabled</strong>, <strong>scheme</strong> and
      <strong>secure</strong> attributes may all be independently set. These are
      normally used when Tomcat is located behind a reverse proxy and the proxy
      is connecting to Tomcat via HTTP or HTTPS. They allow Tomcat to see the
      SSL attributes of the connections between the client and the proxy rather
      than the proxy and Tomcat. For example, the client may connect to the
      proxy over HTTPS but the proxy connects to Tomcat using HTTP. If it is
      necessary for Tomcat to be able to distinguish between secure and
      non-secure connections received by a proxy, the proxy must use separate
      connectors to pass secure and non-secure requests to Tomcat. If the
      proxy uses AJP then the SSL attributes of the client connection are
      passed via the AJP protocol and separate connectors are not needed.</p>

      <p>The <strong>ciphers</strong> attribute controls the ciphers used for
      SSL connections. By default, the default ciphers for the JVM will be used.
      This usually means that the weak export grade ciphers will be included in
      the list of available ciphers. Secure environments will normally want to
      configure a more limited set of ciphers.</p>

      <p>The <strong>tomcatAuthentication</strong> attribute is used with the
      AJP connectors to determine if Tomcat should authenticate the user or if
      authentication can be delegated to the reverse proxy that will then pass
      the authenticated username to Tomcat as part of the AJP protocol.</p>

      <p>The <strong>allowUnsafeLegacyRenegotiation</strong> attribute provides
      a workaround for
      <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
      CVE-2009-3555</a>, a TLS man in the middle attack. This workaround applies
      to the BIO connector. It is only necessary if the underlying SSL
      implementation is vulnerable to CVE-2009-3555. For more information on the
      current state of this vulnerability and the work-arounds available see the
      <a href="http://tomcat.apache.org/security-7.html">Tomcat 7 security
      page</a>.</p>

      <p>The <strong>requiredSecret</strong> attribute in AJP connectors
      configures shared secret between Tomcat and reverse proxy in front of
      Tomcat. It is used to prevent unauthorized connections over AJP protocol.</p>
    </blockquote></td></tr></table>

    <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Host"><strong>Host</strong></a></font></td></tr><tr><td><blockquote>
      <p>The host element controls deployment. Automatic deployment allows for
      simpler management but also makes it easier for an attacker to deploy a
      malicious application. Automatic deployment is controlled by the
      <strong>autoDeploy</strong> and <strong>deployOnStartup</strong>
      attributes. If both are <code>false</code>, only Contexts defined in
      server.xml will be deployed and any changes will require a Tomcat restart.
      </p>

      <p>In a hosted environment where web applications may not be trusted, set
      the <strong>deployXML</strong> attribute to <code>false</code> to ignore any
      context.xml packaged with the web application that may try to assign
      increased privileges to the web application. </p>
    </blockquote></td></tr></table>

    <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Context"><strong>Context</strong></a></font></td></tr><tr><td><blockquote>
      <p>This applies to <a href="config/context.html">Context</a>
      elements in all places where they can be defined:
      <code>server.xml</code> file,
      default <code>context.xml</code> file,
      per-host <code>context.xml.default</code> file,
      web application context file in per-host configuration directory
      or inside the web application.</p>

      <p>The <strong>crossContext</strong> attribute controls if a context is
      allowed to access the resources of another context. It is
      <code>false</code> by default and should only be changed for trusted web
      applications.</p>

      <p>The <strong>privileged</strong> attribute controls if a context is
      allowed to use container provided servlets like the Manager servlet. It is
      <code>false</code> by default and should only be changed for trusted web
      applications.</p>

      <p>The <strong>allowLinking</strong> attribute controls if a context is
      allowed to use linked files. If enabled and the context is undeployed, the
      links will be followed when deleting the context resources. To avoid this
      behaviour, use the <strong>aliases</strong> attribute. Changing this
      setting from the default of <code>false</code> on case insensitive
      operating systems (this includes Windows) will disable a number of
      security measures and allow, among other things, direct access to the
      WEB-INF directory.</p>
    </blockquote></td></tr></table>

    <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Valves"><strong>Valves</strong></a></font></td></tr><tr><td><blockquote>
      <p>It is strongly recommended that an AccessLogValve is configured. The
      default Tomcat configuration includes an AccessLogValve. These are
      normally configured per host but may also be configured per engine or per
      context as required.</p>

      <p>Any administrative application should be protected by a
      RemoteAddrValve. (Note that this Valve is also available as a Filter.)
      The <strong>allow</strong> attribute should be used to limit access to a
      set of known trusted hosts.</p>

      <p>The default ErrorReportValve includes the Tomcat version number in the
      response sent to clients. To avoid this, custom error handling can be
      configured within each web application. Alternatively, the version number
      can be changed by creating the file
      CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties with
      content as follows:</p>
      <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
server.info=Apache Tomcat/7.0.x
      </pre></td><td bgcolor="#023264" width="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
      <p>Modify the values as required. Note that this will also change the version
      number reported in some of the management tools and may make it harder to
      determine the real version installed. The CATALINA_HOME/bin/version.bat|sh
      script will still report the version number.</p>

      <p>The default ErrorReportValve can display stack traces and/or JSP
      source code to clients when an error occurs. To avoid this, custom error
      handling can be configured within each web application.</p>
    </blockquote></td></tr></table>

    <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Realms"><strong>Realms</strong></a></font></td></tr><tr><td><blockquote>
      <p>The MemoryRealm is not intended for production use as any changes to
      tomcat-users.xml require a restart of Tomcat to take effect.</p>

      <p>The JDBCRealm is not recommended for production use as it is single
      threaded for all authentication and authorization options. Use the
      DataSourceRealm instead.</p>

      <p>The UserDatabaseRealm is not intended for large-scale installations. It
      is intended for small-scale, relatively static environments.</p>

      <p>The JAASRealm is not widely used and therefore the code is not as
      mature as the other realms. Additional testing is recommended before using
      this realm.</p>

      <p>By default, the realms do not implement any form of account lock-out.
      This means that brute force attacks can be successful. To prevent a brute
      force attack, the chosen realm should be wrapped in a LockOutRealm.</p>
    </blockquote></td></tr></table>

    <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Manager"><strong>Manager</strong></a></font></td></tr><tr><td><blockquote>
      <p>The manager component is used to generate session IDs.</p>

      <p>The default <strong>entropy</strong> value has been shown to generate predictable values
      under certain conditions. For more secure session generation, this should
      be set to a long string. This is done automatically if the APR/native
      library is installed; a random value will be obtained from the APR/native
      library.</p>

      <p>The class used to generate random session IDs may be changed with
      the <strong>randomClass</strong> attribute.</p>

      <p>The length of the session ID may be changed with the
      <strong>sessionIdLength</strong> attribute.</p>
    </blockquote></td></tr></table>
  </blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="System Properties"><!--()--></a><a name="System_Properties"><strong>System Properties</strong></a></font></td></tr><tr><td><blockquote>
    <p>Setting <strong>org.apache.catalina.connector.RECYCLE_FACADES</strong>
    system property to <code>true</code> will cause a new facade object to be
    created for each request. This reduces the chances of a bug in an
    application exposing data from one request to another.</p>

    <p>The <strong>
    org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH</strong> and
    <strong>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH</strong>
    system properties allow non-standard parsing of the request URI. Using
    these options when behind a reverse proxy may enable an attacker to bypass
    any security constraints enforced by the proxy.</p>

    <p>The <strong>
    org.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER
    </strong> system property has security implications if disabled. Many user
    agents, in breach of RFC2616, try to guess the character encoding of text
    media types when the specification-mandated default of ISO-8859-1 should be
    used. Some browsers will interpret as UTF-7 a response containing characters
    that are safe for ISO-8859-1 but trigger an XSS vulnerability if interpreted
    as UTF-7.</p>
  </blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="web.xml"><strong>web.xml</strong></a></font></td></tr><tr><td><blockquote>
    <p>This applies to the default <code>conf/web.xml</code> file and
    <code>WEB-INF/web.xml</code> files in web applications if they define
    the components mentioned here.</p>

    <p>The <a href="default-servlet.html">DefaultServlet</a> is configured
    with <strong>readonly</strong> set to
    <code>true</code>. Changing this to <code>false</code> allows clients to
    delete or modify static resources on the server and to upload new
    resources. This should not normally be changed without requiring
    authentication.</p>

    <p>The DefaultServlet is configured with <strong>listings</strong> set to
    <code>false</code>. This isn't because allowing directory listings is
    considered unsafe but because generating listings of directories with
    thousands of files can consume significant CPU leading to a DOS attack.
    </p>

    <p><a href="config/filter.html">FailedRequestFilter</a>
    can be configured and used to reject requests that had errors during
    request parameter parsing. Without the filter the default behaviour is
    to ignore invalid or excessive parameters.</p>
  </blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="General"><strong>General</strong></a></font></td></tr><tr><td><blockquote>
    <p>BASIC and FORM authentication pass user names and passwords in clear
    text. Web applications using these authentication mechanisms with clients
    connecting over untrusted networks should use SSL.</p>

    <p>The session cookie for a session with an authenticated user are nearly
    as useful as the user's password to an attacker and in nearly all
    circumstances should be afforded the same level of protection as the
    password itself. This usually means authenticating over SSL and continuing
    to use SSL until the session ends.</p>
  </blockquote></td></tr></table></td></tr><tr class="noPrint"><td width="20%" valign="top" nowrap class="noPrint"></td><td width="80%" valign="top" align="left"><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="comments_section" id="comments_section"><strong>Comments</strong></a></font></td></tr><tr><td><blockquote><p class="notice"><strong>Notice: </strong>This comments section collects your suggestions
              on improving documentation for Apache Tomcat.<br><br>
              If you have trouble and need help, read
              <a href="http://tomcat.apache.org/findhelp.html">Find Help</a> page
              and ask your question on the tomcat-users
              <a href="http://tomcat.apache.org/lists.html">mailing list</a>.
              Do not ask such questions here. This is not a Q&amp;A section.<br><br>
              The Apache Comments System is explained <a href="/tomcat-7.0-doc/comments.html">here</a>.
              Comments may be removed by our moderators if they are either
              implemented or considered invalid/off-topic.</p><script type="text/javascript"><!--//--><![CDATA[//><!--
              var comments_shortname = 'tomcat';
              var comments_identifier = 'http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html';
              (function(w, d) {
                  if (w.location.hostname.toLowerCase() == "tomcat.apache.org") {
                      d.write('<div id="comments_thread"><\/div>');
                      var s = d.createElement('script');
                      s.type = 'text/javascript';
                      s.async = true;
                      s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
                      (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
                  }
                  else {
                      d.write('<div id="comments_thread"><strong>Comments are disabled for this page at the moment.<\/strong><\/div>');
                  }
              })(window, document);
              //--><!]]></script></blockquote></td></tr></table></td></tr><!--FOOTER SEPARATOR--><tr><td colspan="2"><hr noshade size="1"></td></tr><!--PAGE FOOTER--><tr><td colspan="2"><div align="center"><font color="#525D76" size="-1"><em>
        Copyright &copy; 1999-2013, Apache Software Foundation
        </em></font></div></td></tr></table></body></html>