February 7, 2020

Tomcat RPM installation on RHEL and CentOS

Introduction

Using an RPM installation from a trusted RPM repository is a huge advantage, since the life cycle, patching included, is then made easy. Otherwise you will have to manage all patching yourself, which in the long run will always be more costly than using an RPM from a trusted repository. You will also be more exposed to security weaknesses, because you will not always be running a currently patched software version.

RHEL 7 and CentOS 7

Both RHEL 7 and CentOS 7 come with a ready-to-use Tomcat 7. The only drawback is that the version is rather old.

But do you really need a newer version? The difference between Servlet 3.0 (part of Java EE 6, implemented by Tomcat 7) and Servlet 4.0 (part of Java EE 8, implemented by Tomcat 9) is quite small.

And if you are using WebSockets, Tomcat 7 and 9 implement the same version of the spec. The other bigger difference is the support for HTTP/2, but do you really need it? Maybe you do, maybe you do not. If you do not use these new features you are probably fine with an older version of Tomcat.

From a security perspective, the differences between Tomcat 7 and 9 (as long as they are patched) are minimal. All the security configuration in web.xml is already in place in Tomcat 7, see (Mis)Configure web.xml in Java EE 6. The only web.xml elements that Tomcat 7 (Servlet 3.0) lacks are

  1. default-context-path (Servlet 4.0)
  2. request-character-encoding (Servlet 4.0)
  3. response-character-encoding (Servlet 4.0)
  4. deny-uncovered-http-methods (added in Servlet 3.1, i.e. Tomcat 8 and later)
  5. absolute-ordering (this one actually exists since Servlet 3.0, and is only relevant if you are using web-fragment.xml)

And the differences in security-specific features between Tomcat 7 and 9 are

  1. Tomcat 9 supports OCSP, but only when TLS is handled by the Tomcat Native Connector (APR/OpenSSL). See https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Using_OCSP_Certificates
  2. Both Tomcat 7 and 9 rely on MBeans (JMX) for monitoring, which is a problem, since out of the box remote JMX only offers username and password authentication, and the second port (the RMI server port) is by default chosen at random. The random port can be fixed with catalina-jmx-remote.jar, see Enable JMX Remote in Tomcat 7.
  3. Pure Tomcat High Availability (HA) is the same: session replication is the same, but do you really need it? Maybe you do, maybe you do not. Pure Tomcat load balancing is seldom used in production. If you are looking for a software solution I recommend mod_cluster, which works very well. If that is not an option, use mod_proxy. Otherwise most people use a hardware load balancer like F5 BIG-IP.
  4. Tomcat 9 still has awkward logging: it logs to multiple files, which makes searching for errors and getting a general overview of Tomcat health hard, and it is the only project using its own logging implementation, JULI. Does Java really need another logging framework? Consider using a single log file and Log4J, see Use Log4J in Tomcat 7.

Otherwise the good security filters are still the same, such as the CORS Filter, CSRF Filter, Expires Filter, Failed Request Filter and HTTP Header Security Filter, see Tomcat 7 Container Provided Filters.

The same goes for the LockOutRealm, see Tomcat 7 Lockout Realm.


# yum install tomcat

# systemctl restart tomcat; systemctl enable tomcat

# rpm -ql tomcat
/etc/logrotate.d/tomcat
/etc/sysconfig/tomcat
/etc/tomcat
/etc/tomcat/Catalina
/etc/tomcat/Catalina/localhost
/etc/tomcat/catalina.policy
/etc/tomcat/catalina.properties
/etc/tomcat/conf.d
/etc/tomcat/conf.d/README
/etc/tomcat/context.xml
/etc/tomcat/log4j.properties
/etc/tomcat/logging.properties
/etc/tomcat/server.xml
/etc/tomcat/tomcat-users.xml
/etc/tomcat/tomcat.conf
/etc/tomcat/web.xml
/usr/bin/tomcat-digest
/usr/bin/tomcat-tool-wrapper
/usr/lib/systemd/system/tomcat.service
/usr/lib/systemd/system/tomcat@.service
/usr/libexec/tomcat
/usr/libexec/tomcat/functions
/usr/libexec/tomcat/preamble
/usr/libexec/tomcat/server
/usr/sbin/tomcat
/usr/share/doc/tomcat-7.0.76
/usr/share/doc/tomcat-7.0.76/LICENSE
/usr/share/doc/tomcat-7.0.76/NOTICE
/usr/share/doc/tomcat-7.0.76/RELEASE-NOTES
/usr/share/tomcat
/usr/share/tomcat/bin/bootstrap.jar
/usr/share/tomcat/bin/catalina-tasks.xml
/usr/share/tomcat/conf
/usr/share/tomcat/lib
/usr/share/tomcat/logs
/usr/share/tomcat/temp
/usr/share/tomcat/webapps
/usr/share/tomcat/work
/var/cache/tomcat
/var/cache/tomcat/temp
/var/cache/tomcat/work
/var/lib/tomcat
/var/lib/tomcat/webapps
/var/lib/tomcats
/var/log/tomcat
/var/log/tomcat/catalina.out

Configuration:
/etc/tomcat/tomcat.conf
(/etc/sysconfig/tomcat, optional; the unit reads it after tomcat.conf, so any variable set there wins)

# systemctl cat tomcat.service
# /usr/lib/systemd/system/tomcat.service
# Systemd unit file for default tomcat
# 
# To create clones of this service:
# DO NOTHING, use tomcat@.service instead.

[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target

[Service]
Type=simple
EnvironmentFile=/etc/tomcat/tomcat.conf
Environment="NAME="
EnvironmentFile=-/etc/sysconfig/tomcat
ExecStart=/usr/libexec/tomcat/server start
SuccessExitStatus=143
User=tomcat

[Install]
WantedBy=multi-user.target
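
The packaged unit above only sets User=tomcat; everything else a unit can lock down is left at defaults. Below is an added example, not part of the original post or of the RPM, that writes a systemd drop-in (so the packaged unit file itself stays untouched and survives `yum update`). It assumes the RHEL 7 systemd (version 219), which is why only directives that already existed there are used, and the RPM layout listed above. The helper takes the drop-in directory as an optional parameter so it can be exercised against a scratch directory; the real one is /etc/systemd/system/tomcat.service.d.

```shell
#!/bin/sh
# Added example, not from the original post: write a hardening drop-in for
# the RPM-provided tomcat.service. Assumes systemd 219 (RHEL 7) and the RPM
# layout shown by rpm -ql tomcat above. $1 (optional) overrides the drop-in
# directory, which is only meant for testing against a scratch tree.
write_tomcat_hardening_dropin() {
    dropin_dir="${1:-/etc/systemd/system/tomcat.service.d}"
    mkdir -p "$dropin_dir"
    cat > "$dropin_dir/hardening.conf" <<'EOF'
[Service]
# Tomcat listens on 8080 as user tomcat and needs no root capabilities.
CapabilityBoundingSet=
# No setuid/setgid escalation for anything Tomcat spawns. On an SELinux
# enforcing host, confirm with ps -eZ that the process still lands in the
# tomcat domain afterwards, since NNP can block a domain transition.
NoNewPrivileges=true
# /usr, /boot and /etc become read-only; /home and /root are hidden.
ProtectSystem=full
ProtectHome=true
# Private /tmp and /dev; Tomcat's own temp dir is /var/cache/tomcat/temp.
PrivateTmp=true
PrivateDevices=true
EOF
    printf '%s\n' "$dropin_dir/hardening.conf"
}

# Count the hardening directives actually present in a drop-in, so a caller
# can check the file before reloading systemd.
count_hardening_directives() {
    grep -c -E '^(CapabilityBoundingSet|NoNewPrivileges|ProtectSystem|ProtectHome|PrivateTmp|PrivateDevices)=' "$1"
}

# Run with --apply on the host to install the drop-in and restart Tomcat.
if [ "${1:-}" = "--apply" ]; then
    f=$(write_tomcat_hardening_dropin)
    echo "wrote $f ($(count_hardening_directives "$f") directives)"
    systemctl daemon-reload && systemctl restart tomcat
fi
```

After `--apply`, `systemctl cat tomcat.service` shows the drop-in appended to the packaged unit. ProtectSystem=full leaves /var writable; a stricter profile adds ReadOnlyDirectories=/var together with ReadWriteDirectories=/var/log/tomcat /var/cache/tomcat /var/lib/tomcat, which is worth trying with `journalctl -u tomcat` open to catch any read-only file system errors.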


# cat /etc/logrotate.d/tomcat 
/var/log/tomcat/catalina.out {
    copytruncate
    weekly
    rotate 52
    compress
    missingok
    create 0644 tomcat tomcat
}

-----------------------------

# mkdir /usr/share/tomcat/webapps/ROOT
# echo "<html><body><h1>TOMCAT ROOT</h1></body></html>" > /usr/share/tomcat/webapps/ROOT/index.html
# chown root:tomcat -Rv /usr/share/tomcat/webapps/
# curl http://127.0.0.1:8080/
<html><body><h1>TOMCAT ROOT</h1></body></html>

-----------------------------
# yum list installed | grep tomcat
tomcat.noarch                     7.0.76-10.el7_7            @rhel-7-server-rpms
tomcat-el-2.2-api.noarch          7.0.76-10.el7_7            @rhel-7-server-rpms
tomcat-jsp-2.2-api.noarch         7.0.76-10.el7_7            @rhel-7-server-rpms
tomcat-lib.noarch                 7.0.76-10.el7_7            @rhel-7-server-rpms
tomcat-servlet-3.0-api.noarch     7.0.76-10.el7_7            @rhel-7-server-rpms
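
Having the files come from a package also means the RPM database knows what every file should look like, which is what `rpm -V tomcat tomcat-lib` checks. Its output is noisy on a real host because the files under /etc/tomcat are expected to change. The script below is an added example, not part of the original post, that sorts that output into what is expected and what is not. It assumes the `rpm -V` line format (a 9-character flag field, an optional attribute letter where c marks a %config file, then the path; a line starting with "missing" for a deleted file) and a POSIX sh with awk. The sample lines it ships with are constructed for the example using paths from the `rpm -ql tomcat` listing above; they are not output from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: triage `rpm -V` output for the
# Tomcat packages so that a tampered file stands out from expected config
# edits. Flag field letters: S size, M mode, 5 digest, D device, L link
# target, U user, G group, T mtime, P capabilities, "." unchanged.
# Paths containing whitespace are not handled; the Tomcat RPMs have none.

# Reads rpm -V output on stdin and prints one verdict per line:
#   TAMPERED <path>  non-config file missing, or with changed digest, mode,
#                    owner, group or symlink target
#   CONFIG   <path>  %config file changed or missing: expected on a managed
#                    host, but diff it against the RPM copy anyway
#   IGNORE   <path>  non-config file where only size or mtime changed
triage_rpm_verify() {
    awk '
    {
        path = $NF
        cfg  = ($2 == "c")
        if ($1 == "missing") {
            verdict = cfg ? "CONFIG   " : "TAMPERED "
            print verdict path
            next
        }
        if (cfg)                 print "CONFIG   " path
        else if ($1 ~ /[5MUGL]/) print "TAMPERED " path
        else                     print "IGNORE   " path
    }'
}

# Constructed sample in the rpm -V format, not real output from a host.
sample_rpm_verify_output() {
    cat <<'EOF'
S.5....T.  c /etc/tomcat/server.xml
missing   c /etc/tomcat/log4j.properties
.......T.    /usr/libexec/tomcat/preamble
S.5....T.    /usr/share/tomcat/bin/bootstrap.jar
missing     /usr/libexec/tomcat/functions
.M...UG..    /usr/sbin/tomcat
EOF
}

# Run with --demo to triage the sample. On a host:
#   rpm -V tomcat tomcat-lib | triage_rpm_verify
if [ "${1:-}" = "--demo" ]; then
    sample_rpm_verify_output | triage_rpm_verify
fi
```

`rpm -V` trusts the local RPM database, which anyone who already has root could have rewritten along with the files. The stronger check is `rpm -Vp` against a freshly downloaded copy of the same package version from the repository, with gpgcheck=1 in the repo definition so the copy itself is signed.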

RHEL 8 and CentOS 8

Now to the sad story. Tomcat is no longer available on either RHEL 8 or CentOS 8.

"The Apache Tomcat server has been removed from Red Hat Enterprise Linux. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Red Hat recommends that users requiring a servlet container use the JBoss Web Server."
  1. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/considerations_in_adopting_rhel_8/index#tomcat-removal_dynamic-programming-languages-web-servers-database-servers
  2. https://forums.centos.org/viewtopic.php?t=71787
  3. https://bugzilla.redhat.com/show_bug.cgi?id=1700823
