• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 400
  • Last Modified:

security risk using connection pool in Tomcat

I configured a pool connection using Tomcat 5.0. I used a single highly privileged database account for the connection pool and put plain username and password in server.xml file. Am I in security risk? If so, how do I fix it?
1 Solution
You sure have a security risk.
A. Make sure that the server is protected against unauthorized access from the internal network.
B. Disable or rename the Tomcat administration and management accounts.
C. Audit the database account actual connections.
D. In your application, sanitize all of the input to avoid SQL injection and other bad stuff.
E. Place a hardened Apache with mod_jk or a hardened IIS with isapi_redirect in front of the Tomcat server - look at the Tomcat documentation on specific instructions - or place an Apache reverse proxy with mod_security in front of Tomcat.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now