Server Bundle Host Security
When installing the server bundle, you will likely want to take steps to secure the installed directories and files so that unauthorized users on the machine do not have access to sensitive information.
You will likely want to create a system user specifically for running the server. This is recommended but not required. If you do, you should change the permissions on the installation directory and all of its included files and directories so that only this user has access to them.
You should change the Tomcat shutdown password from its default (
<Server port="8005" shutdown="SHUTDOWN">
If necessary, change the permissions on
so that only the user running Tomcat can read and write the file.
Even if you choose not to set draconian permissions for the entire installation, you will want to protect your data store. The embedded Derby database is configured by default to store all content on the local filesystem, which could be inspected by external tools while the server is offline. Thus, if the data store is accessible to arbitrary users, they will be able to read data that is otherwise access-restricted.
The best policy is to change the permissions for the
directory and all of its contents so that only the user running Tomcat can read and write them.