{"id":93275,"date":"2024-10-06T11:58:51","date_gmt":"2024-10-06T03:58:51","guid":{"rendered":"https:\/\/version-2.com.sg\/?p=92684"},"modified":"2025-03-24T12:53:19","modified_gmt":"2025-03-24T04:53:19","slug":"apache-tomcat-security-best-practices","status":"publish","type":"post","link":"https:\/\/version-2.com\/en\/2024\/10\/apache-tomcat-security-best-practices\/","title":{"rendered":"Apache Tomcat Security Best Practices"},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"93275\" class=\"elementor elementor-93275\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-71ae5294 post-content elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"71ae5294\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;c4a899f&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_
bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1e9119cd\" data-id=\"1e9119cd\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4f04f8cb elementor-widget elementor-widget-text-editor\" data-id=\"4f04f8cb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>In this blog, we look at eight ways to improve your Apache Tomcat security hardening, ranging from basic best practices like not running your Tomcat as the root user, to more advanced tips like using realms to control resource access. At the end of the blog, we&#8217;ll wrap up with some final thoughts about how to secure Tomcat and then link to some related resources you should check out. Let&#8217;s dive in!<\/p><p><em>Editor&#8217;s Note: This blog was originally published on December 29, 2020 and was revised and updated with new content on September 3, 2024.\u00a0<\/em><\/p><h2 id=\"eight-tomcat-security-hardening-tips-01\">Why You Need to Secure Tomcat<\/h2><p>Apache Tomcat is a robust application server that includes many features available right out of the box. However, just because these features and settings are available right away doesn\u2019t mean that your Tomcat server is ready for production. 
Before you go to production, you need to perform thorough tuning and security hardening to ensure your Tomcat server is secure.<\/p><h2 id=\"how-to-keep-your-tomcat-secure-8-tomcat-security-hardening-tips\">How to Keep Your Tomcat Secure: 8 Tomcat Security Hardening Tips<\/h2><p>There are many ways to improve Apache Tomcat security, and this blog is no replacement for a thorough dive into the possible ways in which you can do so. However, the tips below are a good starting point for people interested in hardening their Tomcat server deployment.<\/p><div><h3>1. Don\u2019t Run Tomcat as the Root User<\/h3><p class=\"p1\">The root or administrator account has access to everything in the file system. It is best practice to create a separate account that has read, write, and execute access to the Tomcat installation directory and the specific folders the application needs access to. Grant this account minimum operating system permissions.<\/p><p class=\"p1\">Vulnerabilities are disclosed periodically in Tomcat releases, in updates to your application, and in any frameworks your application uses. The community provides fixes for these vulnerabilities rapidly, but there is still a small window of time in which an attacker can do something malicious. Running Tomcat under a restricted account limits what an attacker can reach during that window.<\/p><\/div><div><h3>2. 
Default Samples and Test Applications<\/h3><p>There are four web applications that come out of the box with Apache Tomcat:<\/p><ul><li><strong>docs<\/strong>: This is the documentation for Apache Tomcat. It is a duplicate of the documentation you will find on <a href=\"https:\/\/tomcat.apache.org\/\" target=\"_blank\" rel=\"noopener\">Apache Tomcat\u2019s website<\/a>.<\/li><li><strong>examples<\/strong>: These are servlet, JSP, and WebSocket examples, along with the source code that runs those examples.<\/li><li><strong>manager<\/strong>: This is the Tomcat Web Application Manager application that enables you to administer the application server via a user interface. You need the role \u201cmanager-gui\u201d to access this application.<\/li><li><strong>host-manager<\/strong>: This is the Tomcat Virtual Host Manager, a web application that allows users to manage virtual hosts. Virtual hosts allow you to deploy multiple websites (or domains) in a single instance of a Tomcat server. The \u201cadmin-gui\u201d role is required to access this application.<\/li><\/ul><p>You can remove these four applications and still have a fully functional application server. By default they are only accessible from the machine they are running on. You can change this behavior in each application\u2019s META-INF\/context.xml (more on this later).<\/p><p>The examples application does have some vulnerabilities (session manipulation) and should be removed from any production environment. The docs application should be removed because it identifies to a potential attacker what application server and version you are running.<\/p><p>The manager and host-manager applications can remain on the Tomcat instance, but these applications should be locked down by setting the proper permissions using roles in tomcat-users.xml and setting a very strict Remote Host or CIDR Valve in the application\u2019s META-INF\/context.xml 
file.<\/p><\/div><div><h3>3. Set Your Tomcat Permissions Carefully<\/h3><p>The SecurityManager in Jakarta EE 11 has finally been removed, so you will not find a conf\/catalina.policy for Apache Tomcat versions 11 and greater. This file controlled an application\u2019s permissions to internal Catalina jars and classes.<\/p><p>If you are running a version of Tomcat prior to version 11, then a review of this file would be worthwhile. Most of our customers do not touch this file, and fortunately the format of this policy file is self-documenting and easy to read. If you compare the catalina.policy with the unmodified out-of-the-box file, then you can identify any changes easily.<\/p><\/div><div><h3>4. Upgrade to Tomcat 11<\/h3><p class=\"p1\"><a href=\"https:\/\/www.openlogic.com\/blog\/tomcat-11-features-preview\">Apache Tomcat 11<\/a> (currently in beta but we expect the GA release any day now) includes security enhancements and implements six specifications of Jakarta EE 11. The enhancements to Tomcat include:<\/p><ul><li>Removing sensitive HTTP headers from TRACE requests<\/li><li>Mandatory HTTPS support<\/li><li>Updated HTTP RFC references to the latest versions<\/li><li>Examples and documentation web applications are only accessible from localhost by default as this might expose a cookie to an attacker.<\/li><li>rejectIllegalHeader hard-coded to true: We can either ignore illegal HTTP headers or send a 40x.<\/li><li>allowHostHeaderMismatch hard-coded to false: issues in reverse proxy situations where header is different from the URL.<\/li><li>Align AJP connector handling of invalid HTTP headers with HTTP connector.<\/li><li>Added RateLimitFilter: Prevents Denial of Service (DoS) and brute force attacks by limiting the number of requests that are allowed from a single IP address within a time window.<\/li><li>Log TLS certificate information on startup.<\/li><li>Dedicated loggers for detailed 
TLS configuration information.<\/li><li>Added TLSCertificateReloadListener: Monitors certificate expirations and triggers automatic reloading of the TLS configuration a set number of days before the TLS certificate expires. Tomcat restart required or JMX command to reload it. It checks periodically at a frequency you define. Shows how close that certificate is to expiring. If you do not update it, then it will start logging warnings.<\/li><\/ul><\/div><div><div><h3>5. Enable TLS<\/h3><p>A critical step in hardening your configuration is setting up end-to-end encryption between the browser and the application server. The first step is creating a keystore using the JDK\u2019s keytool:<\/p><p>keytool -genkey -alias openlogic -keyalg RSA -keysize 2048 -keystore keystore.jks<a id=\"OLE_LINK4\"><\/a><\/p><p>keytool will ask a series of questions. The most important question is \u201cWhat is your first and last name?\u201d This should be set to the domain name the server will sit behind and not your first and last name. Read the question as: \u201cWhat is your CN (Common Name)?\u201d This means the domain which your server will be known by. The output of keytool should look like the following:<\/p><p>Enter keystore password: changeit<\/p><p>Re-enter new password: changeit<\/p><p>Enter the distinguished name. Provide a single dot (.) 
to leave a sub-component empty or press ENTER to use the default value in braces.<\/p><p>What is your first and last name?<\/p><p>\u00a0 [Unknown]:\u00a0openlogic.com<\/p><p>What is the name of your organizational unit?<\/p><p>\u00a0 [Unknown]:\u00a0OpenLogic<\/p><p>What is the name of your organization?<\/p><p>\u00a0 [Unknown]:\u00a0Perforce<\/p><p>What is the name of your City or Locality?<\/p><p>\u00a0 [Unknown]:\u00a0Minneapolis<\/p><p>What is the name of your State or Province?<\/p><p>\u00a0 [Unknown]:\u00a0MN<\/p><p>What is the two-letter country code for this unit?<\/p><p>\u00a0 [Unknown]:\u00a0US<\/p><p>Is CN=openlogic.com, OU=OpenLogic, O=Perforce, L=Minneapolis, ST=MN, C=US correct?<\/p><p>\u00a0 [no]:\u00a0yes<\/p><p>Generating 2,048 bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 90 days<\/p><p>\u00a0\u00a0\u00a0\u00a0 for: CN=openlogic.com, OU=OpenLogic, O=Perforce, L=Minneapolis, ST=MN, C=US<\/p><p>This command will create a keystore.jks in the directory keytool was run from.<\/p><p>A certificate signing request (CSR) will need to be generated from the keystore.jks and sent to a trusted certificate authority if you want the certificate to be trusted by the browser. This step is optional if you are testing. The traffic will still be encrypted, but you will receive a \u201cnot trusted\u201d message from the browser.<br \/><br \/>To generate a CSR run:<\/p><p>keytool -certreq -alias openlogic -file openlogic.csr -keystore keystore.jks<a id=\"OLE_LINK6\"><\/a><\/p><p>Then send openlogic.csr to a trusted certificate authority for signing. We will not cover the steps here, but the certificate authority will send you back a certificate to import into your keystore.jks.<\/p><p>There are certificate authorities which will send you a free 90-day signed certificate as long as you are the domain owner. They will 
require you to import their root, intermediate, and your signed domain certificate into keystore.jks.<\/p><p>First import the root certificate:<\/p><p>keytool -importcert -alias root -file root.cer -keystore keystore.jks<\/p><p>Then import the intermediate certificate:<\/p><p>keytool -importcert -alias intermediate -file intermediate.cer -keystore keystore.jks<\/p><p>Last, import your signed domain certificate:<\/p><p>keytool -importcert -alias openlogic -file openlogic.cer -keystore keystore.jks<\/p><p>You cannot import only your signed certificate, because the browser also needs the root and any intermediate certificates to trust the domain certificate.<\/p><p>The next step is configuring your server.xml to listen on a trusted secure port by presenting a valid certificate and end-to-end encryption. The syntax assumes Tomcat 9.0+; versions of Tomcat prior to 9.0 require a different syntax which we will not cover here.<\/p><p>Add the following snippet of XML to Tomcat\u2019s conf\/server.xml:<\/p><p>\u2026<\/p><p>&lt;Server port=&quot;8005&quot; shutdown=&quot;SHUTDOWN&quot;&gt;<\/p><p>\u2026<\/p><p>\u00a0 &lt;Service name=&quot;Catalina&quot;&gt;<\/p><p>\u2026<\/p><p>\u00a0 \u00a0 &lt;Connector port=&quot;8443&quot;<br \/>protocol=&quot;org.apache.coyote.http11.Http11NioProtocol&quot;<a id=\"OLE_LINK9\"><\/a><\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0maxThreads=&quot;150&quot; SSLEnabled=&quot;true&quot;&gt;<\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 &lt;UpgradeProtocol className=&quot;org.apache.coyote.http2.Http2Protocol&quot; \/&gt;<\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 &lt;SSLHostConfig&gt;<\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 &lt;Certificate certificateKeystoreFile=&quot;conf\/keystore.jks&quot;<\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0certificateKeystorePassword=&quot;changeit&quot;<\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 
type=&quot;RSA&quot;<\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\/&gt;<\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 &lt;\/SSLHostConfig&gt;<\/p><p>\u00a0 \u00a0 &lt;\/Connector&gt;<\/p><p>\u2026<\/p><p>\u00a0 &lt;\/Service&gt;<\/p><p>&lt;\/Server&gt;<\/p><p>This assumes the keystore.jks is in Tomcat\u2019s conf directory.<\/p><p>The configuration changes up to this point do not force plain-text port 8080 to redirect to 8443. To enable this functionality, modify Tomcat\u2019s conf\/web.xml by adding the following XML snippet:<\/p><p>&lt;web-app\u2026&gt;<\/p><p>\u2026<\/p><p>\u00a0 \u00a0 &lt;security-constraint&gt;<a id=\"OLE_LINK11\"><\/a><\/p><p>\u00a0 \u00a0 \u00a0 &lt;web-resource-collection&gt;<\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 &lt;web-resource-name&gt;everything&lt;\/web-resource-name&gt;<\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 &lt;url-pattern&gt;\/*&lt;\/url-pattern&gt;<\/p><p>\u00a0 \u00a0 \u00a0 &lt;\/web-resource-collection&gt;<\/p><p>\u00a0 \u00a0 \u00a0 &lt;user-data-constraint&gt;<\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 &lt;transport-guarantee&gt;CONFIDENTIAL&lt;\/transport-guarantee&gt;<\/p><p>\u00a0 \u00a0 \u00a0 &lt;\/user-data-constraint&gt;<\/p><p>\u00a0 \u00a0 &lt;\/security-constraint&gt;<\/p><p>&lt;\/web-app&gt;<\/p><p>This change to Tomcat\u2019s conf\/web.xml tells the application server that you want all unencrypted traffic to be handled by an encrypted port. Restart Tomcat for the configuration changes to take effect, then go to <a href=\"http:\/\/localhost:8080\/\" target=\"_blank\" rel=\"noopener\">http:\/\/localhost:8080<\/a>.<\/p><p>Tomcat will redirect the browser to <a href=\"https:\/\/localhost:8443\/\" target=\"_blank\" rel=\"noopener\">https:\/\/localhost:8443<\/a>. If you did not send the CSR from the earlier step to a trusted certificate authority, then you may receive some warnings from the browser.<\/p><p>The server I tested with is 
Apache Tomcat 11 with OpenJDK 21.0.4. After running a protocol test, the server was found to support TLS 1.2 and 1.3 with no support of outdated protocols SSLv3, TLS v1.0 and 1.1 (which is desired due to vulnerabilities).<\/p><\/div><div><h3>6. Log Your Network Traffic<\/h3><p>To enable logging of network traffic in Tomcat, use the AccessLogValve component. This can be configured on a host, engine, or context basis and will create a standard web server log file for traffic to any resources associated with it.<\/p><p>The Access Log Valve supports a variety of attributes to control the output of the valve. This valve is enabled by default in server.xml:<\/p><p>\u2026<\/p><p>\u00a0 \u00a0 \u00a0 &lt;Host name=&quot;localhost&quot;\u2026<\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 &lt;Valve className=&quot;org.apache.catalina.valves.AccessLogValve&quot; directory=&quot;logs&quot; prefix=&quot;localhost_access_log&quot; suffix=&quot;.txt&quot;<\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 pattern=&quot;%h %l %u %t &amp;quot;%r&amp;quot; %s %b&quot; \/&gt;<\/p><p>\u00a0 \u00a0 \u00a0 &lt;\/Host&gt;<\/p><p>\u2026<\/p><p>This valve creates a daily rotating localhost_access_log.yyyy-mm-dd.txt file in Tomcat\u2019s logs directory. With the pattern configured in the statement above, the valve will print the remote host (%h), remote logical username (%l), authenticated user (%u), date and time (%t), first line of the request (%r), HTTP status of the response (%s), and bytes sent (%b) of every request.<\/p><p>The following output results when the root page is accessed:<\/p><p>35.139.184.195 - - [30\/Jul\/2024:21:05:18 +0000] &quot;GET \/ HTTP\/2.0&quot; 200 11223<\/p><p>The pattern can be customized in numerous permutations; see the <a href=\"https:\/\/tomcat.apache.org\/tomcat-11.0-doc\/config\/valve.html#Access_Log_Valve\" target=\"_blank\" rel=\"noopener\">Tomcat 11 documentation<\/a> for details.<\/p><p>Be careful in using this valve as it can put 
write pressure on the disk if the application server is busy.<\/p><\/div><div><h3>7. Limit Access to the Tomcat Manager App<\/h3><p>The Tomcat Manager application is a built-in webapp used to manage Tomcat instances, application deployment and other various settings. By default, the Manager application can only be accessed from the machine it is running on or an address in the 127.0.0.0 subnet range using IPv4 or the IPv6 loopback (::1 or 0:0:0:0:0:0:0:1), and this is configured in the META-INF\/context.xml using the Remote Address Valve:<\/p><p>\u00a0 &lt;Valve className=&quot;org.apache.catalina.valves.RemoteAddrValve&quot;<\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 allow=&quot;127\\.\\d+\\.\\d+\\.\\d+|::1|0:0:0:0:0:0:0:1&quot; \/&gt;<\/p><p>If there are specific IP addresses you want to allow, then use the following syntax:<\/p><p><a id=\"OLE_LINK23\"><\/a>\u00a0 &lt;Valve className=&quot;org.apache.catalina.valves.RemoteAddrValve&quot;<\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 allow=&quot;192.168.1.2|192.168.1.3&quot; deny=&quot;&quot; \/&gt;<\/p><p>This configuration allows access into the application if your IP address is either 192.168.1.2 or 192.168.1.3.<\/p><p>The Remote Address Valve also has a deny attribute which is used if there are any specific addresses separated by commas that you want to blacklist.<\/p><p>This valve can be used in any application that is deployed on Tomcat.<\/p><p>If a range of addresses is preferred to limit access, then use the Remote CIDR Valve in META-INF\/context.xml:<\/p><p>\u00a0 &lt;Valve className=&quot;org.apache.catalina.valves.RemoteCIDRValve&quot;<\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 allow=&quot;127.0.0.1, 192.168.1.0\/24&quot; deny=&quot;&quot; \/&gt;<\/p><p>This allows access from the loopback address as well as any addresses in the 192.168.1.0 subnet range.<\/p><\/div><div><h3>8. 
Use Realms to Control Resource Access<\/h3><p>Realms are another method of controlling authentication and authorization to resources in Tomcat. A realm is a collection of users and roles that are assigned access to a given application or group of applications and the privileges they have within the application once logged in.<\/p><p>There are four built-in manager roles:<\/p><ul><li>manager-gui: HTML GUI and the status pages<\/li><li>manager-script: HTTP API and the status pages<\/li><li>manager-jmx: JMX proxy and the status pages<\/li><li>manager-status: Status pages only<\/li><\/ul><p>Realms are pluggable. Realms can be configured to connect to a relational database, LDAP, JAAS, a global JNDI resource (such as an XML file), or a combination of realms.<\/p><p>The LockOut Realm is the default in Tomcat which uses the conf\/tomcat-users.xml file to control authentication and authorization. The roles and users are commented out by default, but a simple example with one user with the manager-gui role would look like the following:<\/p><p>&lt;tomcat-users&gt;<\/p><p>\u00a0 &lt;role rolename=&quot;manager-gui&quot;\/&gt;<\/p><p>\u00a0 &lt;user username=&quot;tomcat&quot; password=&quot;changeme&quot; roles=&quot;manager-gui&quot;\/&gt;<\/p><p>&lt;\/tomcat-users&gt;<\/p><p>By default, the LockOut Realm locks a user out for five minutes if the password is guessed incorrectly five times; the lockout is shown in the catalina.out log file:<\/p><p>05-Aug-2024 21:29:39.980 WARNING [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.LockOutRealm.filterLockedAccounts An attempt was made to authenticate the locked user [tomcat]<\/p><p>In addition, the plain-text passwords in tomcat-users.xml can be replaced with hashes. In server.xml, find the UserDatabaseRealm and change it to:<\/p><p>&lt;Realm 
className=&quot;org.apache.catalina.realm.LockOutRealm&quot;&gt;<\/p><p>\u00a0 &lt;Realm className=&quot;org.apache.catalina.realm.UserDatabaseRealm&quot;<\/p><p>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0resourceName=&quot;UserDatabase&quot;&gt;<\/p><p>\u00a0 \u00a0 &lt;CredentialHandler className=<br \/>&quot;org.apache.catalina.realm.MessageDigestCredentialHandler&quot; algorithm=&quot;SHA-256&quot;\/&gt;<\/p><p>\u00a0 &lt;\/Realm&gt;<\/p><p>&lt;\/Realm&gt;<\/p><p>Any changes to server.xml require a server restart. Modifications to tomcat-users.xml do not necessitate a server restart as this file is monitored for changes.<\/p><p>Generate a hash from a plain-text password:<\/p><p>${TOMCAT_HOME}\/bin\/digest.sh -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler changeme<\/p><p>The \u201c-a\u201d is for the algorithm to be used when hashing the password. Any algorithm available to the JDK can be used such as SHA-512.<\/p><p>The hash of the password will be displayed after the colon:<\/p><p>changeme:5d56e72f51f7ec5a0bd724e026fa2856ce7f8821358c0f854b3e18bf20780960$1$5979cdb240050fbb72ad6ed1f69ac8d161634ea91e3ff52e83176fb44fc1562f<\/p><p>Place the hash in the tomcat-users.xml for the particular user:<\/p><p>&lt;tomcat-users&gt;<\/p><p>\u00a0 &lt;role rolename=&quot;manager-gui&quot;\/&gt;<\/p><p>\u00a0 &lt;user username=&quot;tomcat&quot; password=&quot;5d56e72f51f7ec5a0bd724e026fa2856ce7f8821358c0f854b3e18bf20780960$1$5979cdb240050fbb72ad6ed1f69ac8d161634ea91e3ff52e83176fb44fc1562f&quot; roles=&quot;manager-gui&quot;\/&gt;<\/p><p>&lt;\/tomcat-users&gt;<\/p><p>Keep in mind that all passwords must be hashed in tomcat-users.xml if the MessageDigestCredentialHandler is used.<\/p><p>Tomcat should detect the file changed without a restart:<\/p><p>05-Aug-2024 21:26:22.987 INFO [Catalina-utility-2] org.apache.catalina.users.MemoryUserDatabase.backgroundProcess Reloading memory user database [UserDatabase] from updated source 
[file:\/home\/rocky\/apache-tomcat-11.0.0\/conf\/tomcat-users.xml]<\/p><p>Lastly, file access to Tomcat\u2019s conf should be limited to the account running Tomcat.<\/p><\/div><h2 id=\"final-thoughts\">Final Thoughts<\/h2><p>While these are some of the many ways you can secure Tomcat, there are still plenty of other things out there that can be done which go beyond the scope of just a blog article. We encourage all our Tomcat users to take a deep dive approach to Tomcat security, utilizing all the resources out there.<\/p><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>In this blog, we look at eight ways to improve your Apa [&hellip;]<\/p>","protected":false},"author":149011790,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1273,1298,61],"tags":[1272,1302],"class_list":["post-93275","post","type-post","status-publish","format-standard","hentry","category-1273","category-openlogic","category-press-release","tag-1272","tag-openlogic"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Apache Tomcat Security Best Practices - Version 2<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/guardz.com\/blog\/12-must-read-books-every-msp-should-own\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Apache Tomcat Security Best Practices - Version 2\" \/>\n<meta property=\"og:description\" content=\"In this blog, we look at eight ways to improve your Apa [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/guardz.com\/blog\/12-must-read-books-every-msp-should-own\/\" \/>\n<meta property=\"og:site_name\" content=\"Version 2\" \/>\n<meta property=\"article:published_time\" content=\"2024-10-06T03:58:51+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-03-24T04:53:19+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/version-2.com\/wp-content\/uploads\/2020\/04\/blog-v2-logo.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"250\" \/>\n\t<meta property=\"og:image:height\" content=\"70\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"tracylamv2\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"tracylamv2\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/guardz.com\\\/blog\\\/12-must-read-books-every-msp-should-own\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2024\\\/10\\\/apache-tomcat-security-best-practices\\\/\"},\"author\":{\"name\":\"tracylamv2\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/011bc7c3731c930bcfeecd52fefb6365\"},\"headline\":\"Apache Tomcat Security Best Practices\",\"datePublished\":\"2024-10-06T03:58:51+00:00\",\"dateModified\":\"2025-03-24T04:53:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2024\\\/10\\\/apache-tomcat-security-best-practices\\\/\"},\"wordCount\":2722,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"keywords\":[\"2024\",\"OpenLogic\"],\"articleSection\":[\"2024\",\"Openlogic\",\"Press Release\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/guardz.com\\\/blog\\\/12-must-read-books-every-msp-should-own\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/version-2.com\\\/2024\\\/10\\\/apache-tomcat-security-best-practices\\\/\",\"url\":\"https:\\\/\\\/guardz.com\\\/blog\\\/12-must-read-books-every-msp-should-own\\\/\",\"name\":\"Apache Tomcat Security Best Practices - Version 
2\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\"},\"datePublished\":\"2024-10-06T03:58:51+00:00\",\"dateModified\":\"2025-03-24T04:53:19+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/guardz.com\\\/blog\\\/12-must-read-books-every-msp-should-own\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/guardz.com\\\/blog\\\/12-must-read-books-every-msp-should-own\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/guardz.com\\\/blog\\\/12-must-read-books-every-msp-should-own\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9801\",\"item\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Apache Tomcat Security Best Practices\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"name\":\"Version 2\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/version-2.com\\\/zh\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\",\"name\":\"Version 
2\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"width\":1795,\"height\":335,\"caption\":\"Version 2\"},\"image\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/011bc7c3731c930bcfeecd52fefb6365\",\"name\":\"tracylamv2\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g\",\"caption\":\"tracylamv2\"},\"url\":\"https:\\\/\\\/version-2.com\\\/en\\\/author\\\/tracylamv2\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Apache Tomcat Security Best Practices - Version 2","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/guardz.com\/blog\/12-must-read-books-every-msp-should-own\/","og_locale":"en_US","og_type":"article","og_title":"Apache Tomcat Security Best Practices - Version 2","og_description":"In this blog, we look at eight ways to improve your Apa [&hellip;]","og_url":"https:\/\/guardz.com\/blog\/12-must-read-books-every-msp-should-own\/","og_site_name":"Version 2","article_published_time":"2024-10-06T03:58:51+00:00","article_modified_time":"2025-03-24T04:53:19+00:00","og_image":[{"width":250,"height":70,"url":"https:\/\/version-2.com\/wp-content\/uploads\/2020\/04\/blog-v2-logo.jpg","type":"image\/jpeg"}],"author":"tracylamv2","twitter_card":"summary_large_image","twitter_misc":{"Written by":"tracylamv2","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/guardz.com\/blog\/12-must-read-books-every-msp-should-own\/#article","isPartOf":{"@id":"https:\/\/version-2.com\/2024\/10\/apache-tomcat-security-best-practices\/"},"author":{"name":"tracylamv2","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/011bc7c3731c930bcfeecd52fefb6365"},"headline":"Apache Tomcat Security Best Practices","datePublished":"2024-10-06T03:58:51+00:00","dateModified":"2025-03-24T04:53:19+00:00","mainEntityOfPage":{"@id":"https:\/\/version-2.com\/2024\/10\/apache-tomcat-security-best-practices\/"},"wordCount":2722,"commentCount":0,"publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"keywords":["2024","OpenLogic"],"articleSection":["2024","Openlogic","Press 
Release"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/guardz.com\/blog\/12-must-read-books-every-msp-should-own\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/version-2.com\/2024\/10\/apache-tomcat-security-best-practices\/","url":"https:\/\/guardz.com\/blog\/12-must-read-books-every-msp-should-own\/","name":"Apache Tomcat Security Best Practices - Version 2","isPartOf":{"@id":"https:\/\/version-2.com\/zh\/#website"},"datePublished":"2024-10-06T03:58:51+00:00","dateModified":"2025-03-24T04:53:19+00:00","breadcrumb":{"@id":"https:\/\/guardz.com\/blog\/12-must-read-books-every-msp-should-own\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/guardz.com\/blog\/12-must-read-books-every-msp-should-own\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/guardz.com\/blog\/12-must-read-books-every-msp-should-own\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9801","item":"https:\/\/version-2.com\/zh\/"},{"@type":"ListItem","position":2,"name":"Apache Tomcat Security Best Practices"}]},{"@type":"WebSite","@id":"https:\/\/version-2.com\/zh\/#website","url":"https:\/\/version-2.com\/zh\/","name":"Version 2","description":"","publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/version-2.com\/zh\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/version-2.com\/zh\/#organization","name":"Version 
2","url":"https:\/\/version-2.com\/zh\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","contentUrl":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","width":1795,"height":335,"caption":"Version 2"},"image":{"@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/011bc7c3731c930bcfeecd52fefb6365","name":"tracylamv2","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g","caption":"tracylamv2"},"url":"https:\/\/version-2.com\/en\/author\/tracylamv2\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pbQRKm-ogr","post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/posts\/93275","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/users\/149011790"}],"replies":[{"embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/comments?post=93275"}],"version-history":[{"count":4,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/posts\/93275\/revisions"}],"predecessor-version":[{"id":108737,"href":"https:\/\/version-2.com\/en\/wp-json\/
wp\/v2\/posts\/93275\/revisions\/108737"}],"wp:attachment":[{"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/media?parent=93275"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/categories?post=93275"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/tags?post=93275"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}