tomee-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jonathan Gallimore <>
Subject Re: Secure Configuration Guide
Date Wed, 26 Jul 2017 09:05:43 GMT
Hi Rowan

Thanks for your email! This would make a great page on the site, so please
do follow up with your experiences as you get to grips with TomEE. It would
be useful to know which version of TomEE you are running, as there are a
couple of things that are slightly different between TomEE 7.x and TomEE
1.7.x, specifically in terms of the tomee/ejb servlet being available for
remote EJB calls (it is off in TomEE 7.x by default).

As a start, I'd suggest you remove any applications you do not want from
the webapps directory, and ensure that server.xml has only the ports that
you wish to use. The config in server.xml is the same config you're used to
with Tomcat, please do let us know if you encounter anything that doesn't
work in that regard (the information on the page you reference should be
good). Lock down any users and permissions in tomcat-users.xml, and check
your realm config in server.xml - out of the box we ship with the
UserDatabaseRealm (tomcat-user.xml) wrapped with the LockOutRealm.

If you're putting HTTPD or NGinx in front of TomEE or you have complex LAN
setup there may be other things you want to do to allow access to
administrative applications from a management VLAN but not the outside
world, for example - the above doesn't cover anything like that, but is
hopefully useful as a start.

Please do let us know if you have any questions or feedback!


On Wed, Jul 26, 2017 at 6:23 AM, Romain Manni-Bucau <>

> Hi Rowan,
> listing what didnt work can help to be more accurate but dont think we
> duplicated this page on tomee site directly.
> Romain Manni-Bucau
> @rmannibucau <> |  Blog
> <> | Old Blog
> <> | Github <
> rmannibucau> |
> LinkedIn <> | JavaEE Factory
> <>
> 2017-07-26 1:29 GMT+02:00 Rowan Burgess <>:
> > Hello,
> >
> > Is there a guide/reference available that outlines "best practices" on
> how
> > to configure TomEE securely?
> >
> > I have used Tomcat in the past, and am familiar with steps such as those
> > described in
> html
> > ,
> > but I have not worked with TomEE before.
> >
> > I need to ensure that no ports/services have been exposed unnecessarily.
> >
> > I also need to ensure that there are no servlets / JSP's mapped and
> > accessible by default.
> >
> > Appreciate any help/guidance you might have,
> >
> > Thanks!
> >

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message