I have a client who has asked about signing Tomcat components as well as the different jars in our application. Basically they want to prevent anyone from just dropping in a jar file, restarting Tomcat and creating a security issue.
My question is, can Tomcat be configured so that when it loads jar files it verifies they have been signed by a particular certificate and, if not, prevents Tomcat from starting?
Tomcat itself does not provide this functionality. However, as a workaround, you could work with your client to have a DMZ server or a location on their server where you can drop off files. Then they can have a job scheduler run a batch script (on Windows) or shell script (on a Linux/Unix platform) to check the newly arrived files/jar files using the jarsigner tool. If the files pass the test, they can be moved to the deploy directory of Tomcat; otherwise an email should go out to the server administrators about this unsigned file.
Example command:
jarsigner -verify jar-file
http://docs.oracle.com/javase/tutorial/deployment/jar/verify.html
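The scheduled check described in the answer above, written out as an added example (this is not code from the original page or from the Tomcat project). It is a POSIX shell script a scheduler such as cron can run over a drop-off directory. Two real JDK tools do the work: `jarsigner -verify -strict -keystore` checks the signature, and `keytool -printcert -jarfile` lists the signer certificates so their SHA-256 fingerprints can be compared with an allowlist, which is what actually enforces "signed by a particular certificate". The directory paths, the truststore, the fingerprint list, the mail address and the script name `deploy-gate.sh` are all assumed placeholders to be overridden from the environment; `JARSIGNER` and `KEYTOOL` can likewise be pointed at specific JDK binaries.

```shell
#!/bin/sh
# deploy-gate.sh (hypothetical name): gate jars/wars dropped into an inbox before they reach Tomcat.
# Accept a file only if (1) "jarsigner -verify -strict" exits 0 and prints "jar verified." and
# (2) "keytool -printcert -jarfile" shows a signer certificate whose SHA-256 fingerprint is allowlisted.
# Accepted files move to DEPLOY_DIR; everything else goes to QUARANTINE and the admins are notified.
# Every path and address below is a placeholder; override it from the environment.
set -u

INBOX="${INBOX:-/srv/tomcat-inbox}"
DEPLOY_DIR="${DEPLOY_DIR:-/opt/tomcat/webapps}"
QUARANTINE="${QUARANTINE:-/srv/tomcat-quarantine}"
TRUSTSTORE="${TRUSTSTORE:-/etc/tomcat/trusted-signers.jks}"  # holds only the client's signing cert(s)
ALLOWED_FPS="${ALLOWED_FPS:-}"   # space-separated SHA-256 fingerprints, colon-hex as keytool prints them
ADMIN_MAIL="${ADMIN_MAIL:-}"     # e.g. tomcat-admins@example.com; empty means log only
ALERT_LOG="${ALERT_LOG:-/var/log/deploy-gate.log}"
JARSIGNER="${JARSIGNER:-jarsigner}"
KEYTOOL="${KEYTOOL:-keytool}"

# signature_ok JAR: 0 only if jarsigner exits 0 under -strict AND prints the "jar verified." verdict.
# Plain "jarsigner -verify" exits 0 for an unsigned jar (it just prints "jar is unsigned."), so
# both the exit status and the verdict line are checked.
signature_ok() {
    out=$("$JARSIGNER" -verify -strict -keystore "$TRUSTSTORE" "$1" 2>&1) || return 1
    printf '%s\n' "$out" | grep -q '^jar verified\.'
}

# signer_fingerprints JAR: print the SHA-256 fingerprint of every certificate keytool lists for the signers.
signer_fingerprints() {
    "$KEYTOOL" -printcert -jarfile "$1" 2>/dev/null | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p'
}

# signer_trusted JAR: 0 if at least one listed fingerprint is in ALLOWED_FPS. This pins the jar to the
# client's certificate; jarsigner by itself accepts any signer whose chain validates.
signer_trusted() {
    for fp in $(signer_fingerprints "$1"); do
        case " $ALLOWED_FPS " in *" $fp "*) return 0 ;; esac
    done
    return 1
}

# notify_admins NAME REASON: append to the alert log and, if an address is configured, send mail.
notify_admins() {
    msg="$(date -u '+%Y-%m-%dT%H:%M:%SZ') rejected $1: $2 (moved to $QUARANTINE)"
    printf '%s\n' "$msg" >> "$ALERT_LOG"
    [ -n "$ADMIN_MAIL" ] && printf '%s\n' "$msg" | mail -s "Tomcat deploy gate: rejected $1" "$ADMIN_MAIL"
    return 0
}

# process_jar PATH: returns 0 with the file in DEPLOY_DIR on success; 1 with the file in QUARANTINE otherwise.
process_jar() {
    jar=$1; name=$(basename "$jar")
    if ! signature_ok "$jar"; then
        reason="signature missing or invalid"
    elif ! signer_trusted "$jar"; then
        reason="signed by a certificate that is not on the allowlist"
    else
        mv -f "$jar" "$DEPLOY_DIR/$name" && return 0
        reason="could not move into $DEPLOY_DIR"
    fi
    mv -f "$jar" "$QUARANTINE/$name"
    notify_admins "$name" "$reason"
    return 1
}

# process_inbox: gate every *.jar and *.war in INBOX; 0 if all were accepted, 1 if any was rejected.
process_inbox() {
    rc=0
    for f in "$INBOX"/*.jar "$INBOX"/*.war; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
        process_jar "$f" || rc=1
    done
    return "$rc"
}

# Run from cron or another scheduler with: sh deploy-gate.sh --run
if [ "${1:-}" = "--run" ]; then process_inbox; fi
```

Two design points. The `-strict` flag matters because, per the JDK documentation, without it jarsigner only warns about problems such as unsigned entries or an unvalidated certificate chain and still exits 0; with `-strict` the exit code reflects those warnings, and checking the printed verdict as well guards against the remaining cases. The fingerprint allowlist is the part that answers the "particular certificate" requirement, since a valid signature from some other trusted signer would otherwise pass. Note also that this gate only protects the drop-off path: anyone who can write directly to Tomcat's `lib` or `webapps` directories bypasses it, so file-system permissions on those directories remain the primary control.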