Can tomcat be configured to only load signed jars

I have a client who has asked about signing Tomcat components as well as the different jars in our application. Basically they want to prevent anyone from just dropping in a jar file, restarting Tomcat and creating a security issue.

My question is: can Tomcat be configured so that when it loads jar files it verifies they have been signed by a particular certificate and, if not, prevents Tomcat from starting?

Matt Mulligan asked Feb 19 '14 16:02


1 Answer

Tomcat itself does not provide this functionality. However, as a workaround, you could work with your client to have a DMZ server or a location on their server where you can drop off files. Then they can have a job scheduler run a batch script (on Windows) or shell script (on Linux/Unix platforms) to check the newly arrived files/jar files using the jarsigner tool. If the files pass the test, they can be moved to the deploy directory of Tomcat; otherwise an email should go out to the server administrators about the unsigned file.

Example command:

    jarsigner -verify jar-file

http://docs.oracle.com/javase/tutorial/deployment/jar/verify.html

grepit answered Oct 21 '22 17:10
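The staged-deploy check the answer describes, written out as a POSIX shell script. This is an added example, not code from the original post; the directory names, the admin address, the truststore path and the `run` argument are assumptions to adapt. It goes slightly beyond the answer's one-liner: because `jarsigner -verify` on its own need not exit non-zero for an unsigned jar (it prints "jar is unsigned."), the script also checks the output for "jar verified", uses `-strict` so warnings such as an expired or untrusted signer fail the check, and optionally passes `-keystore` so only certificates in the client's own truststore count as trusted, which is what the question asks for.

```shell
#!/bin/sh
# Added illustration of the drop-off -> verify -> deploy flow from the answer;
# not code from the original post. Paths, mail address and truststore are
# assumptions (edit them for a real installation).
#
# Flow: every *.jar or *.war in INCOMING is checked with `jarsigner -verify`;
# a file that verifies is moved to DEPLOY (Tomcat's webapps directory), anything
# else is moved to REJECTED and the administrators are notified.

INCOMING="${INCOMING:-/srv/dropoff}"            # where the vendor drops files (assumed)
DEPLOY="${DEPLOY:-/opt/tomcat/webapps}"         # Tomcat deploy directory (assumed)
REJECTED="${REJECTED:-/srv/rejected}"           # quarantine for failed files (assumed)
ADMIN_MAIL="${ADMIN_MAIL:-tomcat-admins@example.com}"
TRUSTSTORE="${TRUSTSTORE:-}"                    # optional keystore holding the expected signer cert
JARSIGNER="${JARSIGNER:-jarsigner}"             # overridable, e.g. to pin a specific JDK

# verify_jar FILE: succeed only when jarsigner reports a verified signature.
#  - the exit status alone is not enough: without -strict an *unsigned* jar
#    is reported as "jar is unsigned." rather than as an error, so the
#    output must contain "jar verified";
#  - -strict makes warnings (expired/untrusted signer, unsigned entries)
#    fail the check, and -keystore restricts "trusted" to certificates in
#    the client's own truststore instead of any self-signed key.
verify_jar() {
    jar="$1"
    if [ -n "$TRUSTSTORE" ]; then
        out=$("$JARSIGNER" -verify -strict -keystore "$TRUSTSTORE" "$jar" 2>&1) || return 1
    else
        out=$("$JARSIGNER" -verify -strict "$jar" 2>&1) || return 1
    fi
    case "$out" in
        *"jar verified"*) return 0 ;;
        *)                return 1 ;;
    esac
}

# notify_admin SUBJECT BODY: mail the administrators if a mailer exists,
# otherwise write the notification to stderr so the scheduler log keeps it.
notify_admin() {
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$2" | mail -s "$1" "$ADMIN_MAIL"
    else
        printf 'NOTIFY %s: %s\n%s\n' "$ADMIN_MAIL" "$1" "$2" >&2
    fi
}

# process_incoming: check every new archive, deploy the good ones, quarantine
# the rest. Prints one "DEPLOYED path" or "REJECTED path" line per file.
process_incoming() {
    mkdir -p "$DEPLOY" "$REJECTED"
    for f in "$INCOMING"/*.jar "$INCOMING"/*.war; do
        [ -f "$f" ] || continue              # the glob matched nothing
        name=$(basename "$f")
        if verify_jar "$f"; then
            mv "$f" "$DEPLOY/$name"
            echo "DEPLOYED $DEPLOY/$name"
        else
            mv "$f" "$REJECTED/$name"
            notify_admin "Rejected unsigned or invalid archive: $name" \
                "$f failed jarsigner verification and was moved to $REJECTED."
            echo "REJECTED $REJECTED/$name"
        fi
    done
}

# Invoked from cron or another scheduler as:  sh check_incoming.sh run
case "${1:-}" in
    run) process_incoming ;;
esac
```

Rejected files are moved rather than deleted so an administrator can inspect what arrived, and the script never touches the deploy directory for anything that did not verify, which is the property the client wants. Note that this is a gate on the drop-off directory only; anyone with write access to the Tomcat webapps or lib directories themselves still bypasses it, so those paths need to stay writable only by the deployment account.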