Tomcat Webapp Security

Jason Brittain (eBay Inc.)
Average rating: ***..
(3.33, 12 ratings)

Apache Tomcat is a very popular web server and servlet container, with over 70% penetration in enterprise data centers today. Tomcat is featureful, agile, and well supported, and thus many webapps are developed for it today. While Tomcat has a great track record of having secure defaults, and having few security vulnerabilities, your webapp is a different codebase. How secure is your webapp written to be? How can the security of your webapp be improved? And, how secure is the combination of your webapp with your customized configuration Tomcat settings? This presentation will discuss these issues, and offer solutions that you can use in your own web applications and Tomcat installations.

HTTP Request Model Vulnerabilities - Request Parameters * XSS * HTML Injection * SQL Injection - Request Headers - Request URI - Container-Level vs. Webapp-Level Filtering - How to Write Secure Webapps Scanning Tools and Remediation - Tools - Scan, Investigate Reported Vulnerabilities, Remediate, Re-scan HTTP Caching and Security - Browser Cache - Proxy Cache - Tomcat Cache Use HTTPS - Disable Insecure Key Lengths - Use v6.0.24 and Higher - sessionCacheSize and sessionTimeout - Configure Your Webapp to Require HTTPS Connector Hardening - Max Post Size - Max Http Header Size - Max Threads Java Security Manager - History - Current state - Defaults - Recommendation Webapp File Permissions Monitor for Announced Vulnerabilities and Upgrade Q&A

Photo of Jason Brittain

Jason Brittain

eBay Inc.

Jason is a co-author of Tomcat: The Definitive Guide, now in its second edition, and has written some web articles for O’Reilly’s web site.

Jason is an Architect at MuleSoft Inc. on the Tcat Server product, an enterprise Tomcat product that offers a centralized Tomcat administration, diagnostics, and monitoring console for existing Tomcat installations.

Before joining the team at MuleSoft, Jason was Senior Architect at Spigit, Inc. where he led a team of software engineers writing an idea management and prediction markets social networking web application for the enterprise. Before joining Spigit, Jason was a Senior Principal Software Engineer for Orbital Sciences Corporation, working at NASA’s Ames Research Center on the Kepler Space Telescope mission (, where his software has helped discover five confirmed extrasolar planets, so far.

Jason’s specialties include the Apache Tomcat servlet container, Java software development, building social networking web applications, Tomcat web application development and deployment, scalability and fault tolerance, and Linux system administration. He has contributed to several Apache Java projects, and has been an active open source software developer for many years.

  • Intel
  • Microsoft
  • Google
  • Facebook
  • Rackspace Hosting
  • (mt) Media Temple, Inc.
  • ActiveState
  • CommonPlaces
  • DB Relay
  • FireHost
  • GoDaddy
  • HP
  • HTSQL by Prometheus Research
  • Impetus Technologies Inc.
  • Infobright, Inc
  • JasperSoft
  • Kaltura
  • Marvell
  • Mashery
  • NorthScale, Inc.
  • Open Invention Network
  • OpSource
  • Oracle
  • Parallels
  • PayPal
  • Percona
  • Qualcomm Innovation Center, Inc.
  • Rhomobile
  • Schooner Information Technology
  • Silicon Mechanics
  • SourceGear
  • Symbian
  • VoltDB
  • WSO2
  • Linux Pro Magazine

Sponsorship Opportunities

For information on exhibition and sponsorship opportunities at the conference, contact Sharon Cordesse at

Download the OSCON Sponsor/Exhibitor Prospectus

Media Partner Opportunities

Download the Media & Promotional Partner Brochure (PDF) for information on trade opportunities with O'Reilly conferences or contact mediapartners@

Press and Media

For media-related inquiries, contact Maureen Jennings at

OSCON Newsletter

To stay abreast of conference news and to receive email notification when registration opens, please sign up for the OSCON Newsletter (login required)

OSCON 2.0 Ideas

Have an idea for OSCON to share?

Contact Us

View a complete list of OSCON contacts