Information
Tomcat implements JASPIC 1.1 Maintenance Release B (JSR 196). The implementation is primarily intended to enable the integration of 3rd party JASPIC authentication implementations with Tomcat.
JASPIC may be configured dynamically by an application or statically via the $CATALINA_BASE/conf/jaspic-providers.xml configuration file. It is recommended that access to this file properly protect from unauthorized changes.
Restricting access to this file will prevent local users from maliciously or inadvertently altering Tomcat's security policy.
Solution
Perform the following to restrict access to $CATALINA_HOME/conf/jaspic-providers.xml
- Set the ownership of the $CATALINA_HOME/conf/jaspic-providers.xml file to tomcat_admin:tomcat # chown tomcat_admin:tomcat $CATALINA_HOME/conf/jaspic-providers.xml
- Set the permissions for the $CATALINA_HOME/conf/jaspic-providers.xml file to 600 # chmod 600 $CATALINA_HOME/conf/jaspic-providers.xml