9.1 Starting Tomcat with Security Manager

Information

Configure applications to run in a sandbox using the Security Manager. The Security Manager restricts what classes Tomcat can access thus protecting your server from mistakes, Trojans, and malicious code.

Rationale:

By running Tomcat with the Security Manager, applications are run in a sandbox which can prevent untrusted code from accessing files on the file system.

Solution

The security policies implemented by the Java SecurityManager are configured in the $CATALINA_HOME/conf/catalina.policy file. Once you have configured the catalina.policy file for use with a SecurityManager, Tomcat can be started with a SecurityManager in place by using the --security option:

On Unix:

$ $CATALINA_HOME/bin/catalina.sh start -security

On Windows:

C:> %CATALINA_HOME%bincatalina start -security

Default Value:

By default the -security option is not utilized.

References:

https://tomcat.apache.org/tomcat-8.0-doc/security-manager-howto.html

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|3.1, CSCv7|5.1

Plugin: Unix

Control ID: 9814fb9459251aee4b459bcb2e71889cf18db4227ac5d324be232b19e539ddd9