9.1 Starting Tomcat with Security Manager

Information

Configure applications to run in a sandbox using the Security Manager. The Security Manager restricts what classes Tomcat can access thus protecting your server from mistakes, Trojans, and malicious code.

Rationale:

By running Tomcat with the Security Manager, applications are run in a sandbox which can prevent untrusted code from accessing files on the file system.

Solution

The security policies implemented by the Java SecurityManager are configured in the $CATALINA_HOME/conf/catalina.policy file. Once you have configured the catalina.policy file for use with a SecurityManager, Tomcat can be started with a SecurityManager in place by using the -security option:
On Unix:

$ $CATALINA_HOME/bin/catalina.sh start -security

On Windows:

C:> %CATALINA_HOME%bincatalina start -security

Default Value:

By default the -security option is not utilized.

See Also

https://workbench.cisecurity.org/benchmarks/11652

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Unix

Control ID: 38d78baca3fd285db4df2e002c29dff33b57dd293950b4ce699ef9de8d7eaf1b