Table of Contents
Changes to web.xml configuration file
Secure Application Files in Tomcat
|
Chapter 1 |
Introduction
Introduction to Tomcat:
WebSphere has gained significant market share in Web application development space. A powerful, easy to use, and free alternative to WebSphere is Apaches Tomcat. Tomcat is open source and is the reference implementation for Sun servlet standard. Tomcat has proven itself as production quality and is used by many companies. Tomcat installation on Window servers is an automated and easy process however the default installation places Tomcat into development mode. The advantage of development mode is that changes to JSPs, class, and JAR files are automatically incorporated at runtime without the need to restart the application server. The drawback is that performance suffers in development mode. Once you have created your WOW application and are ready to serve it to the public, the following steps should be taken to optimize Tomcat.
Step 1
Increase Maximum Memory Used
Tomcat ships with the maximum amount of memory set to 64MB, which is not large enough to operate most large web applications. We recommend increasing the maximum amount of memory to 80% of the total RAM available on your server. This can be done as shown below.
First, open Tomcat by going to the Start Menu-Programs-Apache Tomcat-Start Tomcat.
After Tomcat has started you should see the Tomcat icon in the lower right hand corner as shown below.
To access the Tomcat properties allowing changes to the maximum memory, right click on the icon and select properties. This is also the way to stop the server by clicking on Shutdown: Tomcat instead of properties.
The properties screen below has the Java VM tab selected. Inside the Java Options we will add the increased min and max memory allocation settings.
The minimum value can be anything but should start with at least 64-100MB. The maximum memory should be up to 80% of your computers RAM. For example, if you have 512MB of RAM then you should set the maximum memory to around 400MB. To change the memory specifications you need to add this code to the Java Options text area:
-Xms100m -Xmx400m
Step 2
Changes to web.xml configuration file:
The web.xml is the document that defines default values for all web applications loaded into each instance of Tomcat. As each application is deployed, this file is processed, followed by the /WEB-INF/web.xml deployment descriptor from your own applications. The web.xml is located in Apache Software Foundation-Tomcat-conf folder shown below.
Open the web.xml by right clicking and select open with (NotePad or Wordpad or any text editor.) Now in the document we want to find the JSP Servlet Tag. This is located a quarter of the way down the page. Add two initial parameters - the reloading parameter and the development parameter.
The reloading and development parameters are automatically set to true when Tomcat is installed. The development init-parameter will check for JSP modification on every access and reload. Set both of these parameters in the web.xml document to false so Tomcat will not look for or reload changes to JSPs on every access.
To add the init-parameters you will add this code:
<init-param>
<param-name>development</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>reloading</param-name>
<param-value>false</param-name>
</init-param>
In summary, Tomcat is a cost-efficient tool to hosting Web applications. Now that you have made the above simple changes, Tomcat will run much faster and handle more complex workloads.
|
Chapter 2 |
Tomcat Administrator and Manager Applications
Administering Tomcat:
Tomcat also has its own administration, which can be helpful and accessed through the Tomcat server.
Now we are going to show some of the helpful and powerful administration applications that Tomcat ships with such as Tomcat Administrator and Tomcat Manager.
To access both of these you can either go through the start menu under Apache Tomcat folder or you can open a browser and type go to the localhost such as http://localhost:80 with the port that you specified in the installation of Tomcat.
Tomcat allows administration (start, stop, destroy, manage, create etc) via a web application. The Tomcat Administration Application allows you to see the server information, edit connections, edit users, groups, resources and change the main settings of the webserver. This application runs using the userid and password supplied when you installed Tomcat.
The userid and pwd are defined in tomcat at:
..../config/tomcat_users.xml as shown below.
<?xml version=1.0 encoding=utf-8 ?>
- <tomcat-users>
<role rolename=tomcat />
<role rolename=role1 />
<role rolename=manager />
<role rolename=admin />
<user username=tomcat password=tomcat roles=tomcat />
<user username=role1 password=tomcat roles=role1 />
<user username=both password=tomcat roles=tomcat,role1 />
<user username=admin password=admin roles=admin,manager />
</tomcat-user>
These are set when you first install Tomcat on to your machine when the installation asks for username and password. You can also change the username and password and add new users in Tomcat Administration Application.
Tomcat also ships with the Tomcat Manager. This is an application that will allow you to edit, start, and stop applications dynamically without restarting the Tomcat. It also shows current applications and a few other options, which you can learn about by clicking on the Manager Help Link Shown below.
These are a few more tools to help you understand and optimize Tomcat for your Web Applications and to use WOW.
|
Chapter 3 |
Changing Tomcat Port Settings
Changing Port Settings:
When you install Apache Tomcat it defaults the port to 8080. The ports are set in the ..Tomcat/conf/server.xml document. To adjust the port being used right click and open with notepad or any other text editor. After the document is open scroll down around half way looking for the connecter tag shown below and change the port number to a new port number (Usually either 8080 or 80). Then save the newly changed server.xml file and restart Tomcat.
|
Chapter 4 |
SeCURING APPLICATIONS FILES IN Tomcat
Secure Application Files in Tomcat:
When installing a
new web application such as WOW to Tomcat, Tomcat automatically allows people
to view the directory listing of all files inside of the webapps folder. An
example of this is the sharedFiles folder in the webapps
folder on the hard drive shown below.
By Default the sharedFiles
folder includes three directories: one
directory contains sample images and another directory contains sample MS Word
Documents. These folders are for
example purpose only and may be deleted or added upon. There is also a directory labeled WEB-INF. This folder contains a file called
web.xml. Web.xml allows WOW to be set up
to show its contents over the Internet or to be set so that those files cannot
be seen over the Internet. Below is an example of connecting to the sharedFiles
directory through Tomcat.
This creates a security
problem, as the whole Internet will be able to see our code and mess around
with our files. To disable this feature you need to go in Apache Tomcat file
structure <Apache Tomcat>/conf/web.xml file. In this web.xml file shown below there is an
initial parameter called listing that is automatically set to true. We want to
change that to false so that your files cannot be directly accessed and seen
over the Internet.
Now that listings has been
set to false users will not be able to see our files by connecting through
Tomcat.
|
Chapter 5 |
Tomcat Security and SSL
SSL:
To set up SSL and other security features for Tomcat refer to the Apaches Tomcat site for SSL setup and optimization, http://jakarta.apache.org/tomcat
Other Security Considerations:
1. Make sure your have set proper userids and passwords for your Tomcat user file. This file is located at: ..../config/tomcat_users.xml
References
Tomcat: http://jakarta.apache.org/tomcat
PlanetJs WOW: http://www.planetjavainc.com