Summary:

This topic will talk about some simple steps that can be taken to secure information within Tomcat. The two configuration we will look at are httpOnly, custom 404 and 500 error messages pages.

 

Resolution:

HttpOnly

1. Tomcat 6.5 and later has this option turned on automatically. To ensure that it’s working, adding the configuration in is still a good idea.  This can be accomplished by editing the context.xml file located in the $CATALINA_BASE\conf folder (By default $CATALINA_BASE will be in a directory similar to C:\Program Files\Apache Software Foundation\Tomcat 7.0\).
2. <Context> will be the first line that is not commented out. Edit this line so that it looks like <Context path="/idashboards" useHttpOnly="true">
3. Save the file.
4. Restart Tomcat.

Custom 404 and 500 Error Messages

This will create a redirection page so that if the application is down or the user types in the wrong address the user will be forwarded to a page of your design. This helps secure the information that can be accessed from the error messages.

<welcome-file-list>

<welcome-file>index.jsp</welcome-file>

</welcome-file-list>

<error-page>

<error-code>404</error-code>

<location>/errors/404_Error.html</location>

</error-page>

<error-page>

<error-code>500</error-code>

<location>/errors/500_Error.html</location>

</error-page>

1. Locate the $CATALINA_BASE\webapps\idashboards\WEB-INF\web.xml file. (By default $CATALINA_BASE will be in a directory similar to C:\Program Files\Apache Software Foundation\Tomcat 7.0\).
2. Go to the very bottom of the file. Locate the following:
3. Below this section add the following:
4. Create a folder call 'errors' in the $CATALINA_BASE\webapps\idashboards directory.
5. Within that folder you will need to create the two html pages from above, '404_Error.html' and '500_Error.html': 
6. **Sample HTML**
    
   <html>
   <head>
   <meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">
   </head>
   <body>
   <div style="text-align: center;">
   <h1>ERROR 404</h1>
   You have reached this page in error. Please contact your iDashboards Administrator for assistance.<br>
   </div>
   </body>
   </html>
7. Copy contents and past into the 500_Error.html>
8. Change 404 (<h1>ERROR 404</h1>) to 500 (<h1>ERROR 500</h1>)
9. Save both files.
10. Repeat these steps in the 'idbalerts' directory, as necessary.
11. Restart Tomcat

Securing Tomcat "Root" Directory

For this we will be using some of the same methods but instead of pointing to the 404 and 500 pages we are going to redirect all traffic to iDashboards. 
 

<html>

  <head>

    <meta http-equiv="refresh" content="0;URL=idashboards/index.jsp">

  </head>

  <body>

  </body>

</html>

<display-name>Welcome to Tomcat</display-name>

<description>

Welcome to Tomcat

</description>

<error-page>

<error-code>404</error-code>

<location>/index.html</location>

</error-page>

<error-page>

<error-code>500</error-code>

<location>/index.html</location>

</error-page>

1. Delete everything except the WEB-INF directory under ROOT.
2. Create a file called "index.html" in the ROOT directory.
3. Copy the following HTML into index.html. This will redirect anyone that lands in the ROOT directory to iDashboards.
4. Go into the web.xml located in $CATALINA_BASE\ROOT\WEB-INF.
5. Locate the Welcome text.
6. Now following the above text add.
7. Restart Tomcat service

 Applies to:

• Tomcat 6.0 and later
• Enterprise
• X Platform
• Enterprise Suite