4.15 Restrict access to jaspic-providers.xml

Information

Tomcat implements JASPIC 1.1 Maintenance Release B (JSR 196). The implementation is primarily intended to enable the integration of 3rd party JASPIC authentication implementations with Tomcat.

JASPIC may be configured dynamically by an application or statically via the $CATALINA_BASE/conf/jaspic-providers.xml configuration file. It is recommended that access to this file properly protect from unauthorized changes.

Rationale:

Restricting access to this file will prevent local users from maliciously or inadvertently altering Tomcat's security policy.

Solution

Perform the following to restrict access to $CATALINA_HOME/conf/jaspic-providers.xml.

Set the ownership of the $CATALINA_HOME/conf/jaspic-providers.xml file to tomcat_admin:tomcat.

# chown tomcat_admin:tomcat $CATALINA_HOME/conf/jaspic-providers.xml

Set the permissions for the $CATALINA_HOME/conf/jaspic-providers.xml file to 600.

# chmod 600 $CATALINA_HOME/conf/jaspic-providers.xml

Default Value:

The default permissions of jaspic-providers.xml are 600.

See Also

https://workbench.cisecurity.org/files/4103