tomee-users mailing list archives

From Rowan Burgess <rowan.j.burg...@gmail.com>
Subject Re: Secure Configuration Guide
Date Thu, 27 Jul 2017 09:02:59 GMT
Hi Jon,

Thanks for the feedback. We are using TomEE plus 7.0.3 and have followed
the "Tomcat Security How To" guide as an opening step. The server will be
deployed behind a load balancer and firewall.

I have found the documentation related to remote EJB calls
(http://tomee.apache.org/ejbd-transport.html) and confirmed this is not
present.

Are there any other considerations we should be aware of?

Apologies for such a broad question - I have not worked with an EJB
container previously (usually just simple Spring applications!). TomEE is
being used to migrate an inherited legacy application away from WebLogic
and we are trying to verify that we have taken appropriate steps to secure
the server.

Thanks again for your help!

Rowan

On Wed, Jul 26, 2017 at 7:05 PM, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:

> Hi Rowan
>
> Thanks for your email! This would make a great page on the site, so please
> do follow up with your experiences as you get to grips with TomEE. It would
> be useful to know which version of TomEE you are running, as there are a
> couple of things that are slightly different between TomEE 7.x and TomEE
> 1.7.x, specifically in terms of the tomee/ejb servlet being available for
> remote EJB calls (it is off in TomEE 7.x by default).
>
> As a start, I'd suggest you remove any applications you do not want from
> the webapps directory, and ensure that server.xml has only the ports that
> you wish to use. The config in server.xml is the same config you're used to
> with Tomcat, please do let us know if you encounter anything that doesn't
> work in that regard (the information on the page you reference should be
> good). Lock down any users and permissions in tomcat-users.xml, and check
> your realm config in server.xml - out of the box we ship with the
> UserDatabaseRealm (tomcat-user.xml) wrapped with the LockOutRealm.
>
> If you're putting HTTPD or NGinx in front of TomEE or you have a complex LAN
> setup there may be other things you want to do to allow access to
> administrative applications from a management VLAN but not the outside
> world, for example - the above doesn't cover anything like that, but is
> hopefully useful as a start.
>
> Please do let us know if you have any questions or feedback!
>
> Jon
>
> On Wed, Jul 26, 2017 at 6:23 AM, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>
> > Hi Rowan,
> >
> > listing what didn't work can help to be more accurate but don't think we
> > duplicated this page on tomee site directly.
> >
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> | Blog
> > <https://blog-rmannibucau.rhcloud.com> | Old Blog
> > <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> > <https://javaeefactory-rmannibucau.rhcloud.com>
> >
> > 2017-07-26 1:29 GMT+02:00 Rowan Burgess <rowan.j.burgess@gmail.com>:
> >
> > > Hello,
> > >
> > > Is there a guide/reference available that outlines "best practices" on
> > > how to configure TomEE securely?
> > >
> > > I have used Tomcat in the past, and am familiar with steps such as
> > > those described in
> > > https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html,
> > > but I have not worked with TomEE before.
> > >
> > > I need to ensure that no ports/services have been exposed
> > > unnecessarily.
> > >
> > > I also need to ensure that there are no servlets / JSPs mapped and
> > > accessible by default.
> > >
> > > Appreciate any help/guidance you might have,
> > >
> > > Thanks!
> > >
> >
>

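A script that checks the points Jon lists in the quoted reply (Connectors in server.xml on ports other than the ones you intend to use, the UserDatabaseRealm being wrapped by the LockOutRealm, and the users and roles defined in tomcat-users.xml). This is an added example, not code from the thread or from the TomEE project; it runs on constructed inline samples, and the set of roles treated as administrative and the sample users are assumptions you would adjust for your own deployment. The real files live under the TomEE conf directory.

```python
import xml.etree.ElementTree as ET

# Constructed sample config files (not TomEE's shipped defaults); the user file
# carries the namespace a real tomcat-users.xml uses so that case is exercised.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
    </Realm>
  </Engine>
</Service></Server>"""
TOMCAT_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="tomee" password="tomee" roles="tomee-admin,manager-gui"/>
  <user username="app" password="placeholder-pw" roles="app-user"/>
</tomcat-users>"""
# Roles treated as administrative: an assumption, extend to match your deployment.
ADMIN_ROLES = {"manager-gui", "manager-script", "admin-gui", "tomee-admin"}

def local(tag):
    """Strip an XML namespace: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]

def audit_server_xml(xml_text, allowed_ports):
    """Flag Connectors outside the port allow-list and a UserDatabaseRealm not wrapped by LockOutRealm."""
    root = ET.fromstring(xml_text)
    allowed = {str(p) for p in allowed_ports}  # compare as text so ${...} placeholders are flagged too
    findings = []
    for el in root.iter():
        if local(el.tag) == "Connector" and el.get("port") not in allowed:
            findings.append(f"unexpected Connector port {el.get('port')} ({el.get('protocol')})")
    wrapped = any(
        r.get("className", "").endswith("LockOutRealm")
        and any(c.get("className", "").endswith("UserDatabaseRealm") for c in r)
        for r in root.iter() if local(r.tag) == "Realm")
    if not wrapped:
        findings.append("UserDatabaseRealm is not wrapped by LockOutRealm")
    return findings

def audit_tomcat_users(xml_text):
    """Flag users holding admin roles and users whose password equals their username."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in (e for e in root.iter() if local(e.tag) == "user"):
        name = el.get("username")
        admin = {r.strip() for r in el.get("roles", "").split(",")} & ADMIN_ROLES
        if admin:
            findings.append(f"user {name} holds admin role(s): {sorted(admin)}")
        if el.get("password") == name:
            findings.append(f"user {name} has password equal to username")
    return findings
```

Run both functions over your own server.xml and tomcat-users.xml with the port set you actually intend to expose; an empty result from each is the state Jon describes.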