Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

security risk using connection pool in Tomcat

Posted on 2004-08-26
1
388 Views
Last Modified: 2010-04-20
I configured a pool connection using Tomcat 5.0. I used a single highly privileged database account for the connection pool and put plain username and password in server.xml file. Am I in security risk? If so, how do I fix it?
0
Comment
Question by:3v0luti0n
1 Comment
 
LVL 33

Accepted Solution

by:
shalomc earned 500 total points
ID: 11924612
Hey,
You sure have a security risk.
A. Make sure that the server is protected against unauthorized access from the internal network.
B. Disable or rename the Tomcat administration and management accounts.
C. Audit the database account actual connections.
D. In your application, sanitize all of the input to avoid SQL injection and other bad stuff.
E. Place a hardened Apache with mod_jk or a hardened IIS with isapi_redirect in front of the Tomcat server - look at the Tomcat documentation on specific instructions - or place an Apache reverse proxy with mod_security in front of Tomcat.

ShalomC
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
Lease-to-own eliminates the expenditure of hardware replacement and allows you to pay off the server over time. Usually, this is much cheaper than leasing servers. Think of lease-to-own as credit without interest.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question