
Harden Tomcat

This article describes how to harden your Tomcat installation. The examples apply to Apache Tomcat 8.x.

Step-by-step instructions

Tomcat version 9.0.76 or higher is required to support the Rate limit filter. The filter can also be used with older Prime/Identity Manager versions if Tomcat is updated to a supported version.

To prevent "Denial of Service" (DoS) attacks, a "Rate limit filter" can be added to web.xml in the Tomcat installation.

In Smart ID Docker containers, the filter is added automatically.

If the settings need to be adjusted per application, the filter can instead be added to the web.xml of each application rather than as one global setting that applies to all applications. A single global setting is, however, easier to maintain.

  1. Configure the filter in Tomcat/conf/web.xml. See an example below:

Example: Rate limit filter

    <!-- Filter to prevent Denial of Service (DoS) and brute-force attacks by limiting
         the number of requests that are allowed from a single IP address during a
         certain time span (time bucket) -->
    <filter>
      <filter-name>RateLimitFilter global</filter-name>
      <filter-class>org.apache.catalina.filters.RateLimitFilter</filter-class>
      <init-param>
        <!-- The number of requests that are allowed in a time bucket. Default is 300. -->
        <param-name>bucketRequests</param-name>
        <param-value>200</param-value>
      </init-param>
      <init-param>
        <!-- The number of seconds in a time bucket. Default is 60. -->
        <param-name>bucketDuration</param-name>
        <param-value>60</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>RateLimitFilter global</filter-name>
      <!-- Apply the filter to all requests. A path mapping must start with "/";
           a bare "*" is not a valid url-pattern. -->
      <url-pattern>/*</url-pattern>
    </filter-mapping>
  1. Go to the $tomcat/conf folder

  2. Modify server.xml by using a text editor.

  3. Add the following attribute to the Connector element:

    Server=" "

    Example: Remove server banner

    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" Server=" " redirectPort="8443" />

To enable TLS/SSL, add a connector for port 443 to the Tomcat configuration:

  1. Go to the $tomcat/conf folder

  2. Modify server.xml by using a text editor.

  3. Add the following content:

For more information, see https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html. 

Even if you have an HTTP connector, for example on port 8080, requests to it will be redirected to the configured SSL port. To enforce HTTPS, do the following:

  1. Go to the $tomcat/conf folder

  2. Modify web.xml with a text editor.

  3. Add the following before the closing </web-app> tag:

Without the secure cookie flag, web application sessions and cookies can be stolen or manipulated. Here "secure" is a flag that is set on the cookie in the Set-Cookie response header, so that the browser only sends the cookie over HTTPS.

  1. Add this line in the session-config section of the web.xml file:
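The web.xml fragments for the HTTPS enforcement step (step 3 above, before </web-app>) and for the session-config step are not reproduced on this page. The following is an added example, not taken from this page or from the Nexus product documentation, written with the standard Servlet 3.0 web.xml elements; it goes slightly beyond the text by also setting http-only and tracking-mode. The url-pattern /* and the 30-minute session-timeout (the value shipped in Tomcat's default conf/web.xml) are assumptions.

```xml
<!-- Added example: enforce HTTPS for every URL. Place this before the closing
     </web-app> tag. A CONFIDENTIAL transport guarantee makes Tomcat redirect
     plain-HTTP requests to the redirectPort configured on the HTTP connector. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern> <!-- assumption: protect all URLs -->
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Added example: the session-config element of web.xml with the secure flag.
     "secure" tells the browser to send the session cookie only over HTTPS, so it
     must be combined with the security-constraint above. http-only additionally
     hides the cookie from script access; tracking-mode COOKIE prevents the
     session id from being written into URLs. -->
<session-config>
  <session-timeout>30</session-timeout> <!-- minutes; assumption: Tomcat default -->
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

After restarting Tomcat, a plain HTTP request to the application should answer with a redirect to the https URL, and the Set-Cookie header for the session cookie should carry the Secure and HttpOnly attributes.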

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.