I want to know if you have any tips as to how to strengthen the security of a non-root install of Tomcat in standalone mode once Tomcat is already installed in a non-root account, in standalone mode.
I make this clear because, for example, I'm not at all interested in the answers given here (because both Java and Tomcat require root privileges there to be installed and I've got zero interest in running jsvc):
What steps should I take to secure Tomcat 6.x?
So far, here's what I've done for my non-root standalone Tomcat 6 install:
download and install the JRE .bin provided by Oracle/Sun (no need to be root here) (no need for a full JDK anymore, right, seeing that Jasper [Tomcat's JSP engine] has its own compiler now?)
download and tar -xzf tomcat 6 (no need to be root here)
set up transparent port-forwarding (must be root here)
Note that my distribution is a Debian one and I have exactly zero interest in downloading Debian packages / backports / whatever... Because, once again, I DO NOT want to need to be root to install Java & Tomcat. The only moment I needed to be root was to configure the firewall to transparently do the port forwarding 80 <--> 8080 and 443 <--> 8443.
I then deleted all the default webapps but one:
cd ~/apache-tomcat-6.0.26/webapps
rm -rf docs
rm -rf examples/
rm -rf manager/
rm -rf ROOT/
What about the directory ~/apache-tomcat-6.0.26/webapps/host-manager, do I need it or can I delete it?
I then commented this:
-->
So, once I've installed Tomcat standalone in a non-root account (and taken into account that I don't want to enter the root password anymore and that I don't plan to install the whole Apache shebang), what more can I do?
Are there other things I can disable? (how?)
If you don't need any of the functionality of host-manager you can delete it.
You can secure the content by configuring Tomcat to run as a different user from the one who owns the files. This user will need to be able to write to the log directory and the working directory.
You could drop Tomcat behind Apache; this would restrict the webapps which are available to people.
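As an added illustration (not code from the question or the answers above), the following Python script audits a non-root Tomcat 6 tree for the three things discussed on this page: leftover default webapps (docs, examples, manager, host-manager, ROOT), connectors and the shutdown command in conf/server.xml, and the read-only/writable split between the deploy account's files and the directories the runtime user must write to (logs, work, temp). The sample install it builds under a temporary directory is constructed for the demonstration, including a deliberately world-writable webapps/ directory and the stock Tomcat 6 AJP connector on port 8009; the directory layout and the `shutdown="SHUTDOWN"` / `port="-1"` behaviour of the `<Server>` element are standard Tomcat, everything else (function names, the finding messages) is this example's own.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Default webapps shipped with Tomcat 6; none of them is needed by a production site.
DEFAULT_WEBAPPS = ("docs", "examples", "manager", "host-manager", "ROOT")
# Tomcat writes here at runtime; everything else can be read-only for the runtime user.
RUNTIME_WRITABLE = ("logs", "work", "temp")
# Should be owned by the deploy account and never writable by group or others.
SHOULD_BE_READ_ONLY = ("bin", "conf", "lib", "webapps")


def audit_webapps(catalina_home):
    """Return the default webapps that are still deployed under webapps/."""
    webapps = os.path.join(catalina_home, "webapps")
    return [n for n in DEFAULT_WEBAPPS if os.path.isdir(os.path.join(webapps, n))]


def audit_server_xml(catalina_home):
    """Return findings about conf/server.xml. ElementTree drops XML comments,
    so a <Connector> that has been commented out simply does not show up here."""
    findings = []
    root = ET.parse(os.path.join(catalina_home, "conf", "server.xml")).getroot()
    # The <Server> element's shutdown command; port="-1" disables the listener entirely.
    if root.get("shutdown") == "SHUTDOWN" and root.get("port") != "-1":
        findings.append("shutdown command is the default 'SHUTDOWN' on port %s "
                        "(set port=\"-1\" to disable it, or change the command)" % root.get("port"))
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        if "AJP" in proto.upper():
            findings.append("AJP connector listening on port %s (only needed behind "
                            "an Apache/mod_jk front end)" % conn.get("port"))
    return findings


def audit_permissions(catalina_home):
    """Return directories whose mode bits do not match the read-only/writable split."""
    findings = []
    for name in RUNTIME_WRITABLE:
        if not os.path.isdir(os.path.join(catalina_home, name)):
            findings.append("%s/ is missing; Tomcat must be able to write there" % name)
    for name in SHOULD_BE_READ_ONLY:
        path = os.path.join(catalina_home, name)
        if os.path.isdir(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append("%s/ is group- or world-writable (mode %o)" % (name, mode))
    return findings


def audit(catalina_home):
    """Run all three checks and return them as one report."""
    return {
        "default_webapps": audit_webapps(catalina_home),
        "server_xml": audit_server_xml(catalina_home),
        "permissions": audit_permissions(catalina_home),
    }


# Constructed sample server.xml: stock Tomcat 6 defaults for the parts that matter here.
SAMPLE_SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""


def build_sample_install():
    """Constructed sample: a stripped-down Tomcat 6 tree with a couple of leftovers
    (host-manager still deployed, webapps/ world-writable). Returns its path."""
    home = tempfile.mkdtemp(prefix="apache-tomcat-6.0.26-")
    for name in ("bin", "conf", "lib", "logs", "work", "temp",
                 "webapps", "webapps/host-manager", "webapps/myapp"):
        path = os.path.join(home, name)
        os.makedirs(path)
        os.chmod(path, 0o750)
    os.chmod(os.path.join(home, "webapps"), 0o777)  # deliberately wrong, to be flagged
    with open(os.path.join(home, "conf", "server.xml"), "w") as fh:
        fh.write(SAMPLE_SERVER_XML)
    return home


if __name__ == "__main__":
    import json
    print(json.dumps(audit(build_sample_install()), indent=2))
```

Run it against a real install with `audit(os.path.expanduser("~/apache-tomcat-6.0.26"))`; an empty report means no default webapps are left, no AJP connector or default shutdown command survives in server.xml, and the directories the deploy account owns are not writable by the runtime user's group or by others.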