Tomcat Server Security Assessment Guide: Configuration Review & Hardening

Listen to this Post

Featured Image
Apache Tomcat is a widely used web server and servlet container that requires proper security configuration to prevent vulnerabilities. Below is a comprehensive guide to assessing and hardening Tomcat servers.

You Should Know:

1. Common Tomcat Misconfigurations

  • Default Credentials: Tomcat often ships with default usernames (tomcat, admin) and weak passwords.
  • Unsecured Manager App: The `/manager/html` and `/host-manager` interfaces may be exposed without authentication.
  • Verbose Error Messages: Revealing stack traces can leak sensitive information.
  • Unrestricted File Uploads: Poorly configured web apps may allow malicious file uploads.

2. Essential Security Checks

Verify Tomcat Configuration Files

  • Check `server.xml` for insecure connectors:
    <!-- Ensure SSL is enforced -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/keystore.jks"
    type="RSA" />
    </SSLHostConfig>
    </Connector>
    
  • Disable directory listing in web.xml:
    <init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
    </init-param>
    

Check for Default Users

  • Review `tomcat-users.xml` and remove default accounts:
    <!-- Remove or change default users -->
    <user username="admin" password="StrongPassword@123" roles="manager-gui,admin-gui"/>
    

Disable Unnecessary Services

  • Remove or secure the Manager and Host Manager apps:
    mv /usr/share/tomcat/webapps/manager /opt/secure_backup/
    mv /usr/share/tomcat/webapps/host-manager /opt/secure_backup/
    

3. Hardening Steps

Enable TLS Encryption

  • Generate a keystore and enforce HTTPS:
    keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat/conf/keystore.jks
    
  • Modify `server.xml` to enforce SSL:
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
    scheme="https" secure="true" 
    keystoreFile="/opt/tomcat/conf/keystore.jks"
    keystorePass="YourStrongPassword"/>
    

Implement Role-Based Access Control (RBAC)

  • Define roles in tomcat-users.xml:
    <role rolename="admin"/>
    <role rolename="manager"/>
    <user username="secadmin" password="SecurePass!2024" roles="admin,manager"/>
    

Disable Unused Protocols

  • Remove risky protocols in server.xml:
    <Connector port="8080" protocol="HTTP/1.1" 
    redirectPort="8443" 
    server=" " /> <!-- Hides server version -->
    

Enable Security Headers

  • Add headers in web.xml:
    <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
    </init-param>
    </filter>
    

4. Automated Security Scanning

  • Use Nmap to check for open ports:
    nmap -sV -p 8080,8443 <tomcat_server_ip>
    
  • Run Nikto for web vulnerability scanning:
    nikto -h http://<tomcat_server_ip>:8080
    

What Undercode Say:

Tomcat security is critical for protecting web applications from attacks. Misconfigurations can lead to data breaches, RCE, and unauthorized access. Follow these best practices:
– Always change default credentials.
– Disable unnecessary services.
– Enforce HTTPS and disable weak protocols.
– Regularly audit configurations with automated tools.

Prediction:

As cloud adoption grows, Tomcat misconfigurations will remain a leading cause of breaches. Expect increased automation in security scanning tools to detect weak setups.

Expected Output:

A hardened Tomcat server with:

  • Disabled default apps (/manager, /host-manager)
  • Enforced TLS encryption
  • Strict RBAC policies
  • No verbose error leaks
  • Regular security scans

Relevant URLs:

IT/Security Reporter URL:

Reported By: Vasileiadis Anastasios – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram