{"id":19336774,"url":"https://github.com/samrocketman/docker-tomcat","last_synced_at":"2026-03-19T09:20:43.456Z","repository":{"id":145441988,"uuid":"565183978","full_name":"samrocketman/docker-tomcat","owner":"samrocketman","description":"A minimal security hardened Docker based Tomcat","archived":false,"fork":false,"pushed_at":"2022-11-14T02:24:42.000Z","size":67,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-11-16T21:05:56.055Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/samrocketman.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-11-12T15:49:30.000Z","updated_at":"2024-12-02T11:01:04.000Z","dependencies_parsed_at":null,"dependency_job_id":"a64c9774-d3a0-48fa-814c-8508f321cf1e","html_url":"https://github.com/samrocketman/docker-tomcat","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/samrocketman/docker-tomcat","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samrocketman%2Fdocker-tomcat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samrocketman%2Fdocker-tomcat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samrocketman%2Fdocker-tomcat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samrocketman%2Fdocker-tomcat/manifests","owner_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/owners/samrocketman","download_url":"https://codeload.github.com/samrocketman/docker-tomcat/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samrocketman%2Fdocker-tomcat/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29913918,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-27T19:37:42.220Z","status":"ssl_error","status_checked_at":"2026-02-27T19:37:41.463Z","response_time":57,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-10T03:12:24.877Z","updated_at":"2026-02-27T21:08:22.477Z","avatar_url":"https://github.com/samrocketman.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hardened minimal tomcat\n\nMinimal tomcat container based on alpine meant for production use.  
TLS is\nassumed to be provided externally by a load balancer.\n\n- [Best practices](#best-practices)\n- [Tomcat base image](#tomcat-base-image)\n- [Application deployment](#application-deployment)\n  - [Example Application Dockerfile](#example-application-dockerfile)\n  - [Security Manager on by default](#security-manager-on-by-default)\n  - [Debug security manager](#debug-security-manager)\n  - [Disable Security Manager](#disable-security-manager)\n- [Logging](#logging)\n- [Filesystem layout](#filesystem-layout)\n- [WebApp example](#webapp-example)\n\n# Best practices\n\n- Tomcat 9 running on openjdk11\n  - JRE by default but JDK available by Docker build arg.\n  - Configuration split between `CATALINA_HOME` and `CATALINA_BASE`.\n- Docker practices\n  - Minimal alpine image.\n    - Final image size is 187MB.\n    - Compatible with both AMD64 and ARM architectures.\n  - PID 1 init program to handle process signals and child processes.\n  - Application starts as a normal system user instead of `root`.\n  - Web server starts in foreground.\n  - Web server logs to stdout and stderr to be handled by Docker instead of\n    writing logs to disk.\n- Security hardened\n  - CIS Apache Tomcat 9 Benchmark; v1.1.0 - 12-18-2020\n  - Default tomcat apps removed.\n  - Tomcat security manager enabled with a sane initial security policy.\n  - Access restricted to the tomcat user for configuration files.\n  - `unpackWARs` and `autoDeploy` are disabled.\n  - Printing stack traces on error is disabled.\n  - TRACE HTTP method disabled.\n  - LockOutRealm is configured.\n  - Shutdown port is disabled.\n  - Shutdown command is randomized on boot.\n  - Connector security configured for HTTP.\n  - Autodeployment on startup is disabled and `/webapps/ROOT` is defined for\n    manual deployment context in `server.xml`.\n  - Connection timeout set to 60 seconds.\n\n\n# Tomcat base image\n\nThe tomcat base image can be viewed in [`Dockerfile`](Dockerfile).\n\n    docker build -t tomcat .\n\n
# Application deployment\n\n* `/webapps/ROOT` - Extract your application WAR here.\n* `/data` - If your app requires persistent data then `/data` is the location\n  assumed.\n\nThe security policy grants your app unconstrained access to the following locations.\n\n```\n/data\n/dev/shm\n/home/tomcat\n/tmp\n/var/tmp\n/webapps/ROOT\n```\n\nOther locations will require a policy update.\n\nModify JVM behavior through the following environment variables.\n\n* `CATALINA_OPTS`\n* `JAVA_OPTS`\n\n### Example Application Dockerfile\n\nAn example [application Dockerfile](example/Dockerfile) has also been provided.\n\nDue to hardening, automatic application deployment is disabled.  You must extract\nyour WAR files as part of Docker image building.\n\n\u003e Note: The application Dockerfile uses `jar xf *.war` to extract an\n\u003e application into `/webapps/ROOT`.  This folder is the ROOT context for tomcat.\n\n### Security Manager on by default\n\nIt is recommended to keep tomcat security hardening in place.  By default a very\n
broad policy is applied which allows most actions within reason.\n\nIf you wish to override this policy, overwrite the following policy file in\nthe tomcat container.\n\n* [`/tomcat/conf/catalina.policy`](tomcat-base/conf/catalina.policy) (see also [Tomcat\ndocs][tomcat-security]).\n\n### Debug security manager\n\nYou can enable more debug logs for the security manager with the following\nenvironment variable.\n\n    docker run -e CATALINA_OPTS=-Djava.security.debug=access ...\n\n### Disable Security Manager\n\nIf you want to disable sandboxing entirely, add the following line to the\nend of your [application Dockerfile](example/Dockerfile), which removes the `-security`\noption.\n\n```dockerfile\nCMD [\"/opt/tomcat/bin/catalina.sh\", \"run\"]\n```\n\n# Logging\n\nAll logs should push to stdout.\n\nIf your application has special logging enabled, then don't write to a file.\nInstead, write the log to stdout and add a log prefix to differentiate it.\n\n* Logs with no prefix are assumed to be tomcat and its deployed application.\n* Access logs are prefixed with `ACCESS:` followed by standard tomcat format.\n\nFor a `stdout` example, see `AccessLogValve` in\n[`/tomcat/conf/server.xml`](tomcat-base/conf/server.xml).\n\n# Filesystem layout\n\nA filesystem layout has been generated highlighting the parts for tomcat\nexcluding Java.\n\nSee [filesystem-layout.txt](example/filesystem-layout.txt)\n\n```bash\ndocker run -u root tomcat /bin/sh -c \\\n  'apk add --no-cache tree \u0026\u003e /dev/null; \\\n      rm -rf /var/cache/*; \\\n      tree /home/tomcat /tmp /var/cache /var/tmp /webapps /tomcat /opt/tomcat' \\\n  \u003e example/filesystem-layout.txt\n```\n\n# WebApp example\n\nYou can try this out with Jenkins.  At the root of this repository download\n
Jenkins.\n\n    curl -sSfLO https://get.jenkins.io/war-stable/2.361.3/jenkins.war\n\nBuild all prerequisite docker images.\n\n    docker build --build-arg java=jdk --build-arg all=true -t tomcat .\n    docker build -t sample -f example/Dockerfile .\n\nRun the Jenkins webapp in the hardened tomcat container.\n\n```bash\nmkdir ../jenkins_home\nJENKINS_HOME=\"$(cd ../jenkins_home; pwd)\"\ndocker run -v \"${JENKINS_HOME}:/data\" \\\n  -e JENKINS_HOME=/jenkins --rm -p 8080:8080 sample\n```\n\nVisit http://localhost:8080/ to see your example app running.  Use `CTRL+C` to\nexit.\n\n[tomcat-security]: https://tomcat.apache.org/tomcat-9.0-doc/security-manager-howto.html\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamrocketman%2Fdocker-tomcat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsamrocketman%2Fdocker-tomcat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamrocketman%2Fdocker-tomcat/lists"}