
...

In the BonsaiFramework, Apache is placed in front of Tomcat, so Tomcat's own plain HTTP connector (port 8080 in a stock install) is not needed and should not be left listening. Edit /opt/apache/tomcat.0/conf/server.xml and comment out the HTTP connector:

```xml
<!--
<Connector port="8280" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8643" />
-->
```

Clear Text Passwords

When configuring resources such as JDBC data sources, Tomcat's built-in resource factories read the username and password from server.xml as clear text. If Tomcat was untarred per the BonsaiFramework instructions, server.xml is by default readable only by serveradmin, and that file permission is the real protection for the password.

Encrypting or obfuscating the value in server.xml generally adds little protection: Tomcat must recover the clear-text password at start-up, so the key or the decoding routine has to live on the same host, readable by the same account that can already read server.xml. These points and opinions are explained in detail by OWASP and the Center for Internet Security.

Note

I actually can think of a solution that uses the system's own hardware and a password to bind the encrypted value to the system.
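The following audit script is an added example, not part of the BonsaiFramework or of Tomcat; it checks the two points above on a server.xml: that no HTTP connector outside of a comment is still active, and that the file holding the clear-text JDBC password is owned by the expected account and not group- or world-readable. The default path /opt/apache/tomcat.0/conf/server.xml and the serveradmin account come from this page; the function names and the layout of the sample file used for testing are assumptions of the example.

```shell
#!/bin/sh
# Added example (not BonsaiFramework's own tooling): audit a Tomcat server.xml.
# Usage: sh tomcat_audit.sh [/path/to/server.xml] [owner]
# Defaults below are the BonsaiFramework path and account named on this page.
DEFAULT_CONF=/opt/apache/tomcat.0/conf/server.xml
DEFAULT_OWNER=serveradmin

# Remove <!-- ... --> comments (possibly spanning lines) so that a commented-out
# connector is not mistaken for an active one.
strip_comments() {
    awk '
    {
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); incomment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); incomment = 1
            }
        }
        print out
    }' "$1"
}

# Print the port of every active Connector that is not an AJP connector.
# A Connector with no protocol attribute defaults to HTTP, so only AJP is excluded.
active_http_ports() {
    strip_comments "$1" | tr '\n' ' ' | grep -o '<Connector[^>]*>' \
      | grep -v 'protocol="AJP/' \
      | sed -n 's/.* port="\([0-9]*\)".*/\1/p'
}

# Print the JNDI name of every Resource element carrying a password attribute
# (these are the clear-text credentials the section above is about).
cleartext_password_resources() {
    strip_comments "$1" | tr '\n' ' ' | grep -o '<Resource[^>]*>' \
      | grep 'password=' \
      | sed -n 's/.* name="\([^"]*\)".*/\1/p'
}

# Return 0 if the file exists, is owned by $2 and has no read bit for group/other.
# Uses ls -l rather than stat because stat's flags differ between GNU and BSD.
check_perms() {
    cp_file=$1; cp_owner=$2
    [ -f "$cp_file" ] || return 2
    cp_actual=$(ls -ld "$cp_file" | awk '{print $3}')
    [ "$cp_actual" = "$cp_owner" ] || return 1
    cp_mode=$(ls -ld "$cp_file" | cut -c5-10)   # group and other permission bits
    case "$cp_mode" in *r*) return 1 ;; esac
    return 0
}

# Full audit: prints findings, returns 1 if anything needs fixing.
audit() {
    au_file=$1; au_owner=$2; au_rc=0
    if check_perms "$au_file" "$au_owner"; then
        echo "OK   $au_file is owned by $au_owner and not group/world readable"
    else
        echo "FAIL $au_file must be owned by $au_owner with mode 0600 (it holds clear-text passwords)"
        au_rc=1
    fi
    for p in $(active_http_ports "$au_file"); do
        echo "FAIL active HTTP connector on port $p; Apache is in front, comment it out"
        au_rc=1
    done
    for r in $(cleartext_password_resources "$au_file"); do
        echo "INFO resource $r carries a clear-text password in $au_file"
    done
    return $au_rc
}

# Run the audit only when invoked directly with a path, so the functions can
# also be sourced from another script.
if [ -n "${1:-}" ]; then
    audit "$1" "${2:-$DEFAULT_OWNER}"
fi
```

Run it as serveradmin or root (`sh tomcat_audit.sh /opt/apache/tomcat.0/conf/server.xml serveradmin`) after editing server.xml and again after every Tomcat upgrade, since a re-extracted tarball brings back both the default connector and default permissions.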

References

http://blogs.mulesoft.org/is-your-tomcat-secure/ - looks like a good lead.

...