Information
Use the transport-guarantee element to ensure SSL protection when accessing the manager application.
Rationale:
By default when accessing the manager application, login information is sent over the wire in plain text. By setting the transport-guarantee within web.xml, SSL is enforced.
Note: This requires SSL to be configured.
Solution
Set <transport-guarantee> to CONFIDENTIAL in $CATALINA_HOME/webapps/manager/WEB-INF/web.xml:
<security-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Default Value:
By default this configuration is not present.
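One way to audit this setting, as an added example that is not part of the original benchmark text: the Python check below parses a manager web.xml and reports every security-constraint that does not set transport-guarantee to CONFIDENTIAL, including the default case where none is present. The sample document and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first constraint enforces TLS, the second does not.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Status interface</web-resource-name>
      <url-pattern>/status/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""

def local(tag):
    """Strip the XML namespace so the check works across web.xml schema versions."""
    return tag.rsplit("}", 1)[-1]

def audit_transport_guarantee(xml_text):
    """Return (compliant, findings); a file with no constraint at all fails."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. an unclosed <user-data-constraint>
        return False, [f"web.xml is not well-formed: {exc}"]
    constraints = [e for e in root.iter() if local(e.tag) == "security-constraint"]
    if not constraints:
        return False, ["no <security-constraint> present (default configuration)"]
    findings = []
    for i, sc in enumerate(constraints, 1):
        names = [e.text.strip() for e in sc.iter() if local(e.tag) == "web-resource-name" and e.text]
        values = [(e.text or "").strip() for e in sc.iter() if local(e.tag) == "transport-guarantee"]
        if values != ["CONFIDENTIAL"]:
            label = names[0] if names else f"constraint #{i}"
            findings.append(f"{label}: transport-guarantee is {values or 'missing'}")
    return not findings, findings

if __name__ == "__main__":
    ok, findings = audit_transport_guarantee(SAMPLE_WEB_XML)
    print("PASS" if ok else "FAIL", findings)
```

To audit a live installation, pass the contents of $CATALINA_HOME/webapps/manager/WEB-INF/web.xml to audit_transport_guarantee.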
References:
https://www.owasp.org/index.php/Securing_tomcat