From c96cd2b5bdcb5423d562108cbecc4fe60349152e Mon Sep 17 00:00:00 2001
From: Myriam
Date: Wed, 2 Nov 2016 14:22:11 +0000
Subject: [PATCH 1/4] added section on how to harden tomcat security and example on tomcat+maven docker images
---
 tomcat/content.md | 97 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 97 insertions(+)
diff --git a/tomcat/content.md b/tomcat/content.md
index 714b3ee1238a..3a7b2bef3422 100644
--- a/tomcat/content.md
+++ b/tomcat/content.md
@@ -39,3 +39,100 @@ The default Tomcat environment in the image for version 6 is:
 CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar
 
 The configuration files are available in `/usr/local/tomcat/conf/`. By default, no user is included in the "manager-gui" role required to operate the "/manager/html" web application. If you wish to use this app, you must define such a user in `tomcat-users.xml`.
+
+If you want to add your built (e.g., your war file under the target directory) to Tomcat, add the following to your Dockerfile:
+```
+ADD target/*.war $CATALINA_HOME/webapps/
+```
+
+# Hardening Tomcat Security
+
+Consider adding the following to your Dockerfile. These commands will harden the file permissions in order to prevent any eventually vulnerable application that runs on tomcat from tampering with tomcat itself.
+```
+RUN rm -rf $CATALINA_HOME/webapps/*
+RUN rm -rf $CATALINA_HOME/server/webapps/*
+RUN rm -rf $CATALINA_HOME/conf/Catalina/localhost/host-manager.xml
+RUN rm -rf $CATALINA_HOME/conf/Catalina/localhost/manager.xml
+RUN groupadd tomcat
+RUN useradd -g tomcat tomcat
+RUN chown -R root:tomcat $CATALINA_HOME
+RUN chmod -R 550 $CATALINA_HOME
+RUN chown -R tomcat:tomcat $CATALINA_HOME/conf
+RUN chown -R tomcat:tomcat $CATALINA_HOME/logs
+RUN chown -R tomcat:tomcat $CATALINA_HOME/work
+RUN chmod 570 $CATALINA_HOME/bin/catalina.sh
+RUN chmod -R 500 $CATALINA_HOME/conf
+RUN chmod -R 300 $CATALINA_HOME/logs
+RUN chmod -R 770 $CATALINA_HOME/work
+RUN chmod -R 550 $CATALINA_HOME/webapps/
+```
+As the last command within your Dockerfile add the following, in order to run Tomcat as the tomcat user rather than as root:
+```
+USER tomcat
+```
+Also refer to OWASP: [Securing Tomcat](https://www.owasp.org/index.php/Securing_tomcat).
+# Tomcat and Maven example
+
+Example using Tomcat to run a web application built with maven.
+Dockerfile: +``` +FROM tomcat:8 + +RUN rm -rf $CATALINA_HOME/webapps/* +RUN rm -rf $CATALINA_HOME/server/webapps/* +RUN rm -rf $CATALINA_HOME/conf/Catalina/localhost/host-manager.xml +RUN rm -rf $CATALINA_HOME/conf/Catalina/localhost/manager.xml +RUN groupadd tomcat +RUN useradd -g tomcat tomcat +RUN chown -R root:tomcat $CATALINA_HOME +RUN chmod -R 550 $CATALINA_HOME +RUN chown -R tomcat:tomcat $CATALINA_HOME/conf +RUN chown -R tomcat:tomcat $CATALINA_HOME/logs +RUN chown -R tomcat:tomcat $CATALINA_HOME/work +RUN chmod 570 $CATALINA_HOME/bin/catalina.sh +RUN chmod -R 500 $CATALINA_HOME/conf +RUN chmod -R 300 $CATALINA_HOME/logs +RUN chmod -R 770 $CATALINA_HOME/work +RUN chmod -R 550 $CATALINA_HOME/webapps/ + +USER tomcat +``` +build.sh: +``` +#!/bin/bash + +check() { + if [[ $1 -ne 0 ]] ; then + exit $1 + fi +} + +docker rm myimage >/dev/null 2>&1 +docker rm tom >/dev/null 2>&1 +docker run --name myimage -it --rm -v "$PWD":/src -w /src maven:3.2-jdk-7 mvn clean package +check $? +docker build -t tom/cat:8 . +check $? +docker run --rm -p 8080:8080 tom/cat:8 +``` +pom.xml: +``` + + 4.0.0 + com.my.package + myproject + 1.0 + war + + + + javax.servlet + javax.servlet-api + 3.0.1 + + + + +``` +Place both Dockerfile and build.sh in the same folder as your "src" folder and pom.xml. Run build.sh and visit http:localhost:8080/myproject-1.0 From b743ba7dc23634a7b99817c1998de3c5d007e6a0 Mon Sep 17 00:00:00 2001 From: Myriam Date: Wed, 2 Nov 2016 14:55:54 +0000 Subject: [PATCH 2/4] Update content.md --- tomcat/content.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tomcat/content.md b/tomcat/content.md index 3a7b2bef3422..1359f6e0ec83 100644 --- a/tomcat/content.md +++ b/tomcat/content.md 
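Review bot: `RUN chown -R tomcat:tomcat $CATALINA_HOME/conf` followed by `RUN chmod -R 500 $CATALINA_HOME/conf` does not make the configuration read-only for the application, because a file's owner can always change its mode back; a compromised webapp running as `tomcat` could restore write access and alter `server.xml` or `tomcat-users.xml`. After the preceding `chown -R root:tomcat $CATALINA_HOME` and `chmod -R 550 $CATALINA_HOME` the directory is already root-owned and group-readable, which is the state this section is aiming for, so both `conf` lines can simply be dropped. `RUN chmod 570 $CATALINA_HOME/bin/catalina.sh` has the same problem in a different form: it makes the startup script group-writable by the very user being contained, and `chmod 550 $CATALINA_HOME/bin/catalina.sh` is all that is needed to execute it. Both issues are repeated verbatim in the example Dockerfile under "Tomcat and Maven example" later in this hunk, and the closing sentence's URL `http:localhost:8080/myproject-1.0` is missing `//`.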
@@ -61,7 +61,7 @@ RUN chown -R tomcat:tomcat $CATALINA_HOME/conf
 RUN chown -R tomcat:tomcat $CATALINA_HOME/logs
 RUN chown -R tomcat:tomcat $CATALINA_HOME/work
 RUN chmod 570 $CATALINA_HOME/bin/catalina.sh
-RUN chmod -R 500 $CATALINA_HOME/conf
+RUN chmod -R 400 $CATALINA_HOME/conf
 RUN chmod -R 300 $CATALINA_HOME/logs
 RUN chmod -R 770 $CATALINA_HOME/work
 RUN chmod -R 550 $CATALINA_HOME/webapps/
From eba74fbe415c83f1429d9a2b9cb8869efd9fd8f6 Mon Sep 17 00:00:00 2001
From: Myriam
Date: Wed, 2 Nov 2016 15:32:02 +0000
Subject: [PATCH 3/4] changed permission on the conf folder
---
 tomcat/content.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tomcat/content.md b/tomcat/content.md
index 1359f6e0ec83..3a7b2bef3422 100644
--- a/tomcat/content.md
+++ b/tomcat/content.md
@@ -61,7 +61,7 @@ RUN chown -R tomcat:tomcat $CATALINA_HOME/conf
 RUN chown -R tomcat:tomcat $CATALINA_HOME/logs
 RUN chown -R tomcat:tomcat $CATALINA_HOME/work
 RUN chmod 570 $CATALINA_HOME/bin/catalina.sh
-RUN chmod -R 400 $CATALINA_HOME/conf
+RUN chmod -R 500 $CATALINA_HOME/conf
 RUN chmod -R 300 $CATALINA_HOME/logs
 RUN chmod -R 770 $CATALINA_HOME/work
 RUN chmod -R 550 $CATALINA_HOME/webapps/
From 3e99a347971cfa337a1a175bf24ad792342b86be Mon Sep 17 00:00:00 2001
From: Myriam
Date: Wed, 2 Nov 2016 15:56:05 +0000
Subject: [PATCH 4/4] performance improvement
---
 tomcat/content.md | 52 ++++++++++++++++++-----------------------------
 1 file changed, 20 insertions(+), 32 deletions(-)
diff --git a/tomcat/content.md b/tomcat/content.md
index 3a7b2bef3422..eae6588fcb45 100644
--- a/tomcat/content.md
+++ b/tomcat/content.md
@@ -49,22 +49,16 @@ ADD target/*.war $CATALINA_HOME/webapps/
 
 Consider adding the following to your Dockerfile. These commands will harden the file permissions in order to prevent any eventually vulnerable application that runs on tomcat from tampering with tomcat itself.
 ```
-RUN rm -rf $CATALINA_HOME/webapps/*
-RUN rm -rf $CATALINA_HOME/server/webapps/*
-RUN rm -rf $CATALINA_HOME/conf/Catalina/localhost/host-manager.xml
-RUN rm -rf $CATALINA_HOME/conf/Catalina/localhost/manager.xml
-RUN groupadd tomcat
-RUN useradd -g tomcat tomcat
-RUN chown -R root:tomcat $CATALINA_HOME
-RUN chmod -R 550 $CATALINA_HOME
-RUN chown -R tomcat:tomcat $CATALINA_HOME/conf
-RUN chown -R tomcat:tomcat $CATALINA_HOME/logs
-RUN chown -R tomcat:tomcat $CATALINA_HOME/work
-RUN chmod 570 $CATALINA_HOME/bin/catalina.sh
-RUN chmod -R 500 $CATALINA_HOME/conf
-RUN chmod -R 300 $CATALINA_HOME/logs
-RUN chmod -R 770 $CATALINA_HOME/work
-RUN chmod -R 550 $CATALINA_HOME/webapps/
+RUN rm -rf $CATALINA_HOME/webapps/* && rm -rf $CATALINA_HOME/server/webapps/* && \
+ rm -rf $CATALINA_HOME/conf/Catalina/localhost/host-manager.xml && \
+ rm -rf $CATALINA_HOME/conf/Catalina/localhost/manager.xml && \
+ groupadd tomcat && useradd -g tomcat tomcat && \
+ chown -R root:tomcat $CATALINA_HOME && chmod -R 550 $CATALINA_HOME && \
+ chown -R tomcat:tomcat $CATALINA_HOME/conf && chown -R tomcat:tomcat $CATALINA_HOME/logs && \
+ chown -R tomcat:tomcat $CATALINA_HOME/work && chmod 570 $CATALINA_HOME/bin/catalina.sh && \
+ chmod -R 500 $CATALINA_HOME/conf && chmod -R 300 $CATALINA_HOME/logs && \
+ chmod -R 770 $CATALINA_HOME/work && chmod -R 550 $CATALINA_HOME/webapps/ && \
+ chmod -R 600 $CATALINA_HOME/temp
 ```
 As the last command within your Dockerfile add the following, in order to run Tomcat as the tomcat user rather than as root:
 ```
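Review bot: The new `chmod -R 600 $CATALINA_HOME/temp` at the end of the chain leaves `temp` unusable by the service user: `chown -R root:tomcat $CATALINA_HOME` earlier in the same `RUN` makes it root-owned, and mode 600 gives the group nothing and strips the traverse bit from the directory itself. Tomcat's startup script defaults `CATALINA_TMPDIR` to `$CATALINA_BASE/temp` and passes it to the JVM as `java.io.tmpdir`, so any temp-file write by Tomcat or a webapp will fail at runtime once `USER tomcat` is in effect. Hand the directory to the service user instead, mirroring what is already done for `logs` and `work`: `chown -R tomcat:tomcat $CATALINA_HOME/temp && chmod 700 $CATALINA_HOME/temp`. The identical line is added in the example Dockerfile in the next hunk.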
@@ -78,22 +72,16 @@ Dockerfile:
 ```
 FROM tomcat:8
 
-RUN rm -rf $CATALINA_HOME/webapps/*
-RUN rm -rf $CATALINA_HOME/server/webapps/*
-RUN rm -rf $CATALINA_HOME/conf/Catalina/localhost/host-manager.xml
-RUN rm -rf $CATALINA_HOME/conf/Catalina/localhost/manager.xml
-RUN groupadd tomcat
-RUN useradd -g tomcat tomcat
-RUN chown -R root:tomcat $CATALINA_HOME
-RUN chmod -R 550 $CATALINA_HOME
-RUN chown -R tomcat:tomcat $CATALINA_HOME/conf
-RUN chown -R tomcat:tomcat $CATALINA_HOME/logs
-RUN chown -R tomcat:tomcat $CATALINA_HOME/work
-RUN chmod 570 $CATALINA_HOME/bin/catalina.sh
-RUN chmod -R 500 $CATALINA_HOME/conf
-RUN chmod -R 300 $CATALINA_HOME/logs
-RUN chmod -R 770 $CATALINA_HOME/work
-RUN chmod -R 550 $CATALINA_HOME/webapps/
+RUN rm -rf $CATALINA_HOME/webapps/* && rm -rf $CATALINA_HOME/server/webapps/* && \
+ rm -rf $CATALINA_HOME/conf/Catalina/localhost/host-manager.xml && \
+ rm -rf $CATALINA_HOME/conf/Catalina/localhost/manager.xml && \
+ groupadd tomcat && useradd -g tomcat tomcat && \
+ chown -R root:tomcat $CATALINA_HOME && chmod -R 550 $CATALINA_HOME && \
+ chown -R tomcat:tomcat $CATALINA_HOME/conf && chown -R tomcat:tomcat $CATALINA_HOME/logs && \
+ chown -R tomcat:tomcat $CATALINA_HOME/work && chmod 570 $CATALINA_HOME/bin/catalina.sh && \
+ chmod -R 500 $CATALINA_HOME/conf && chmod -R 300 $CATALINA_HOME/logs && \
+ chmod -R 770 $CATALINA_HOME/work && chmod -R 550 $CATALINA_HOME/webapps/ && \
+ chmod -R 600 $CATALINA_HOME/temp
 
 USER tomcat
 ```