Tomcat Webapp Security

Jason Brittain (eBay Inc.)
Average rating: 3.33 (12 ratings)

Apache Tomcat is a very popular web server and servlet container, with over 70% penetration in enterprise data centers today. Tomcat is featureful, agile, and well supported, and thus many webapps are developed for it today. While Tomcat has a great track record of secure defaults and few security vulnerabilities, your webapp is a different codebase. How securely is your webapp written? How can its security be improved? And how secure is the combination of your webapp with your customized Tomcat configuration settings? This presentation will discuss these issues and offer solutions that you can use in your own web applications and Tomcat installations.

HTTP Request Model Vulnerabilities
- Request Parameters
  • XSS
  • HTML Injection
  • SQL Injection
- Request Headers
- Request URI
- Container-Level vs. Webapp-Level Filtering
- How to Write Secure Webapps

Scanning Tools and Remediation
- Tools
- Scan, Investigate Reported Vulnerabilities, Remediate, Re-scan

HTTP Caching and Security
- Browser Cache
- Proxy Cache
- Tomcat Cache

Use HTTPS
- Disable Insecure Key Lengths
- Use v6.0.24 and Higher
- sessionCacheSize and sessionTimeout
- Configure Your Webapp to Require HTTPS

Connector Hardening
- Max Post Size
- Max Http Header Size
- Max Threads

Java Security Manager
- History
- Current state
- Defaults
- Recommendation

Webapp File Permissions

Monitor for Announced Vulnerabilities and Upgrade
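Two configuration fragments, added here as an illustration and not taken from the session, that put the outline's "Use HTTPS" and "Connector Hardening" items into one place: a server.xml Connector that restricts the enabled cipher suites, sets the SSL session cache (sessionCacheSize, sessionTimeout), and caps maxPostSize, maxHttpHeaderSize and maxThreads, followed by a web.xml security constraint that makes the whole webapp require HTTPS. The keystore path and password, the cipher names and every numeric limit are assumed values chosen for the example, not figures from the talk.

```xml
<!-- server.xml (fragment): HTTPS connector with the hardening knobs from the outline.
     Assumed values: keystore location/password, cipher list, and all limits below. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="CHANGE_ME"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
           sessionCacheSize="1000"
           sessionTimeout="600"
           maxPostSize="1048576"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           connectionTimeout="20000" />
<!-- ciphers: only the listed suites are offered, so weak/short-key suites are never negotiated.
     sessionCacheSize / sessionTimeout: bound how many SSL sessions are cached and for how long
     (seconds), which limits the memory an attacker can tie up with handshakes.
     maxPostSize / maxHttpHeaderSize: bytes; oversized bodies and headers are rejected by the
     container before the webapp sees them.
     maxThreads: caps concurrent request-processing threads so a flood degrades rather than
     exhausts the JVM. -->

<!-- web.xml (fragment): require HTTPS for every URL in this webapp.
     A plain-HTTP request is redirected to the redirectPort of the HTTP connector. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

After changing the connector, confirm with a TLS scanner or `openssl s_client -cipher` that only the intended suites are accepted, and check that an http:// request to the webapp returns a redirect to https://.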

Jason Brittain

eBay Inc.

Jason is a co-author of Tomcat: The Definitive Guide, now in its
second edition, and has written some web articles for O’Reilly’s web site.

Jason is an Architect at MuleSoft Inc. on the Tcat Server product,
an enterprise Tomcat product that offers a centralized Tomcat administration,
diagnostics, and monitoring console for existing Tomcat installations.

Before joining the team at MuleSoft, Jason was Senior Architect at
Spigit, Inc. where he led a team of software engineers writing an idea
management and prediction markets social networking web application
for the enterprise. Before joining Spigit, Jason was a Senior
Principal Software Engineer for Orbital Sciences Corporation, working
at NASA's Ames Research Center on the Kepler Space Telescope mission,
where his software has helped discover five confirmed extrasolar
planets, so far.

Jason’s specialties include the Apache Tomcat servlet container, Java
software development, building social networking web applications,
Tomcat web application development and deployment, scalability and
fault tolerance, and Linux system administration. He has contributed
to several Apache Java projects, and has been an active open source
software developer for many years.
