Bug 309211 - Tomcat-6 issues
Summary: Tomcat-6 issues
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High minor
Assignee: Java team
Depends on:
Blocks: 322979
Reported: 2010-03-13 00:21 UTC by Paul Davis
Modified: 2012-12-07 17:57 UTC

See Also:
Package list:
Runtime testing required: ---


Description Paul Davis 2010-03-13 00:21:23 UTC
There seem to be a couple of issues with securing the manager / host-manager.

I believe that the docBase for both (in /etc/tomcat-6/Catalina/localhost) should be catalina.base (not .home) if multiple webapp instantiations are required. Of course, this issues the warning that the context file within the deployed app will be ignored (and thus should probably be deleted to remove the warning).

Also if one wishes to use Digest authentication, then not only server.xml Realm needs digest added and set to MD5 and in each of the web.xml login-config's auth-method needs to be modified (and digest set to MD5), but also the error-page section should be remarked out (otherwise the appropriate WWW-Authenticate: Digest realm, nonce, etc. will not be generated ... of course this then removes the nice explanation 401).

A shell script file to generate the pre-digested passwords consisting of 'source /etc/conf.d/tomcat-6' followed by 'java -cp ${CATALINA_LIBDIR}/catalina.jar:${CATALINA_HOME}/bin/bootstrap.jar org.apache.catalina.realm.RealmBase -a MD5 $1' can be used to create the additional approved users to tomcat-users.xml in the appropriate password form username:domainname:port:password to replace the password="" for each of the manager,admin roles.

Hopefully by doing so this will harden Tomcat authentication for each of the instantiations (however if distinct roles are needed for each instance, then both the tomcat-users.xml and web.xml role-names should be made unique).

Nothing critical, just a few workarounds/tips I ended up needing to do for my installation.

Reproducible: Always
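The pre-digested entry the script above writes into tomcat-users.xml is only accepted by Tomcat's DIGEST authenticator if it is MD5(username:realm-name:password), where realm-name is the `<realm-name>` from the web.xml login-config (so the argument handed to `RealmBase -a MD5` is that whole colon-joined string). The block below is an added example, not code from the bug report or from Tomcat: it computes that value with Python's hashlib, renders the `<user/>` line, and shows the server-side check that needs only the stored digest; the user, realm, nonce and client values are the RFC 2617 section 3.5 sample exchange.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """Hex MD5 of a string, i.e. what RealmBase -a MD5 prints for that exact string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def tomcat_digest_password(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password).

    With <Realm ... digest="MD5"> and auth-method DIGEST, this digest (not the
    plaintext) is the password="" value in tomcat-users.xml. The realm string
    must equal the <realm-name> in web.xml, otherwise the client's hash never
    matches and every login fails with 401.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def tomcat_user_element(username: str, realm: str, password: str, roles) -> str:
    """Render the <user/> line for tomcat-users.xml with the digested password."""
    ha1 = tomcat_digest_password(username, realm, password)
    return f'<user username="{username}" password="{ha1}" roles="{",".join(roles)}"/>'


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str) -> str:
    """RFC 2617 response for qop=auth, derived from HA1 alone."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, qop: str, response: str) -> bool:
    """Server-side check: the stored HA1 suffices, the plaintext is never needed.

    Compared in constant time so a wrong response leaks no timing information.
    """
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed input: the RFC 2617 sample user, realm and password.
    print(tomcat_user_element("Mufasa", "testrealm@host.com", "Circle Of Life",
                              ["manager", "admin"]))
```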
Comment 1 Ralph Sennhauser (RETIRED) gentoo-dev 2012-12-07 17:57:24 UTC
As of the rewrite the instance manager script writes the configuration files. It was a deliberate decision to go with defaults very close to upstreams. A warning is issued that this favors the demo aspect.

If you want to share tips on hardening Tomcat on Gentoo methinks would be the right place.

Thanks for your report.