ApacheCon Europe 2012

Rhein-Neckar-Arena, Sinsheim, Germany

5–8 November 2012

Securing Apache Tomcat

Mark Thomas

Audience level:
Web Infrastructure


10 things every Tomcat administrator needs to think about to ensure their Tomcat instances are securely configured and protected (as far as possible) against as-yet undiscovered or unpublished security vulnerabilities.


A default Apache Tomcat installation is secure, but each installation environment is different and may have additional security requirements. This presentation will examine the security configuration options available in Apache Tomcat, when to use them (and when not to use them), and the threats they might help mitigate. The rationale behind having resource passwords (e.g., for database access) in clear text in server.xml will also be discussed.