My project is using an Embedded Tomcat with the Java Springboot application, and the customer requires the Tomcat to comply with a hardening guideline for security purpose, which contains follows, for example:
- Remove the Default Web Applications in the Tomcat
- Balancer(in CATALINA_HOME/webapps) - Remove
- jsp-examples(in CATALINA_HOME/webapps) - Remove
- ROOT(in CATALINA_HOME/webapps) - Remove
- sevlets-examples(in CATALINA_HOME/webapps) - Remove
- tomcat-docs(in CATALINA_HOME/webapps) - Remove
- Webdav(in CATALINA_HOME/webapps) - Remove
- Host-manager(in CATALINA_HOME/servers/webapps) - Remove if not in use
- Manager and host-manager XML files(in CATALINA_HOME/conf/Catalina/localhost) - Remove if not in use
- Remove unused Connectors
- HTTP/1.1 port 8080
- SSL HTTP/1.1 port 8443
- JK/JK2 AJP 1.3 port 8009
- Proxied HTTP/1.1 port 8082
Where can I find the configurations in the Embedded Tomcat server to achieve the compliance? Any ideas where I can start from?
Please let me know if you need any additional information. Thanks in advance! Just to add on, below is how we included the embedded tomcat in the java application pom file:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
https://spring.io/blog/2014/03/07/deploying-spring-boot-applications