Securing Apache Tomcat for your Environment

A default Apache Tomcat installation is secure, but each installation environment is different and may have additional security requirements. This presentation will examine the security configuration options available in Apache Tomcat, when to use them (and when not to use them) and the threats they might help mitigate. The rationale behind having resource passwords (e.g. for database access) in clear text in server.xml will also be discussed.

About Mark Thomas

Mark Thomas is a Senior Software Engineer with SpringSource. At SpringSource, Mark leads the integration of Tomcat with tc Server and has also had a hand in the development and integration of the additional serviceability functionality.

Mark has been using and developing Apache Tomcat for more than five years. He became involved in the development of Tomcat when he needed better control over the SSL configuration than was available at the time. After fixing that first bug, he started working his way through the remaining Tomcat bugs and is still going. Along the way, Mark became a Tomcat committer and PMC member, volunteered to be the Tomcat 4 release manager, created the Tomcat security pages, became a member of the ASF, joined the Apache Security Committee and is an Apache Commons PMC member where he contributes to Commons Pool, DBCP and Daemon. He also helps maintain the ASF's Bugzilla instances.

Mark has an MEng in Electronic and Electrical Engineering from the University of Birmingham, United Kingdom.
