Documentation for JIRA 4.4. Documentation for other versions of JIRA is available too.
The following outlines some basic techniques to secure an Apache Tomcat instance. This is a basic must-do list and should not be considered comprehensive. For more advanced security topics see the "Further Information" section below.
Tomcat should never be run as a privileged user (root on UNIX, or Administrator or Local System on Windows).
Tomcat should be run as a low-privilege user. Ideally it should be run as a user created only for the purpose of running one application.
In practice this means you can't run it on port 80. If you need to run Tomcat on port 80, you should put it behind a webserver such as Apache; see Integrating JIRA with Apache for an example configuration.
sudo adduser jira-tomcat
sudo -u jira-tomcat ${CATALINA_HOME}/bin/catalina.sh run
The Tomcat installation directory (sometimes referred to as CATALINA_HOME) should be installed as a user that is different from the one it will be run as. Under Linux, unpacking the Tomcat distribution as root is the simplest method of doing this.
Unfortunately, Tomcat does require write access to some directories in the distribution directory, but they should be enabled only as needed.
Tomcat ships with some default admin applications in its webapps directory. Unless you need these they should be disabled.
sudo tar xzvf apache-tomcat-6.0.20.tar.gz
sudo rm -rf apache-tomcat-6.0.20/webapps/*
sudo chmod -R go-w apache-tomcat-6.0.20
cd apache-tomcat-6.0.20/; sudo chown -R jira-tomcat work/ temp/ logs/
Note: If your host is part of a Domain/Active Directory, consult your Windows system administrators to get the right permissions.
The work, temp and logs directories need write and delete access for the Tomcat user. Make sure it does not have permission to change permissions or take ownership.
The directory you unpack the application WAR into should not be writable by the Tomcat user (i.e. jira-tomcat in the examples above). Again, the simplest method to do this is to unpack the WAR as root.
sudo unzip confluence-webapp-3.2.war
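The steps above (unpack as root, remove the default webapps, strip group/other write bits, hand only work, temp and logs to the run-as user, keep the unpacked WAR directory read-only for that user) are easy to get slightly wrong, so the following script audits an installation directory for leftover write permissions and applies the same hardening. It is an added example, not part of the Atlassian documentation or the Tomcat distribution. It assumes POSIX sh with find, chmod and chown, a run-as user named jira-tomcat, and the Tomcat 6 tarball layout; the sample tree it builds is constructed for demonstration only.

```shell
#!/bin/sh
# Added example (not from the JIRA documentation page): audit and harden a
# Tomcat installation directory along the lines the guide describes.
# Assumptions: POSIX sh with find/chmod/chown, run-as user "jira-tomcat",
# Tomcat 6 tarball layout. The sample tree below is constructed for this example.

# Directories Tomcat must be able to write to; everything else under
# CATALINA_HOME, including the unpacked WAR under webapps/, should be
# read-only for the run-as user.
TOMCAT_RUNTIME_DIRS="work temp logs"

# List files or directories under CATALINA_HOME ($1) that are group- or
# world-writable, skipping the runtime directories. Octal modes are used
# because "-perm -020" / "-perm -002" work on every find implementation.
# Output should be empty on a hardened install.
tomcat_find_writable() {
    home="$1"
    find "$home" \
        \( -path "$home/work" -o -path "$home/temp" -o -path "$home/logs" \) -prune \
        -o \( -perm -020 -o -perm -002 \) -print
}

# Same check as a bare integer (arithmetic expansion strips wc's padding).
tomcat_count_writable() {
    n=$(tomcat_find_writable "$1" | wc -l)
    echo $((n))
}

# Number of entries left in webapps/; the guide removes them all before
# deploying the application WAR.
tomcat_count_webapps() {
    n=$(ls -A "$1/webapps" | wc -l)
    echo $((n))
}

# Apply the guide's steps to an unpacked distribution: drop default webapps,
# remove group/other write bits everywhere, then give the runtime directories
# to the run-as user ($2). chown is skipped when the user does not exist,
# which keeps the function usable as a dry run on a scratch copy.
tomcat_harden() {
    home="$1"; user="$2"
    rm -rf "$home"/webapps/*
    chmod -R go-w "$home"
    for d in $TOMCAT_RUNTIME_DIRS; do
        if id "$user" >/dev/null 2>&1; then
            chown -R "$user" "$home/$d"
        fi
    done
}

# Build a constructed tree that mimics a freshly unpacked distribution, with two
# sloppy permissions so the audit has something to report.
tomcat_make_sample() {
    home="$1"
    mkdir -p "$home/bin" "$home/conf" "$home/lib" "$home/webapps/ROOT" \
             "$home/webapps/manager" "$home/work" "$home/temp" "$home/logs"
    : > "$home/conf/server.xml"
    : > "$home/bin/catalina.sh"
    chmod -R go-w "$home"
    chmod g+w "$home/conf/server.xml"   # group-writable config: finding #1
    chmod o+w "$home/bin"               # world-writable bin/ directory: finding #2
    chmod -R go+w "$home/work" "$home/temp" "$home/logs"   # allowed, pruned by the audit
}

# Usage: sh tomcat_audit.sh /opt/apache-tomcat-6.0.20
# Prints every path outside work/, temp/ and logs/ that is still writable by
# group or others. Nothing is modified; call tomcat_harden explicitly for that.
if [ -n "${1:-}" ]; then
    tomcat_find_writable "$1"
fi
```

Run the audit first and read its output before calling tomcat_harden; on a real install the chown step requires the jira-tomcat account from the adduser step above to exist, and the script should be run as root so that the files stay owned by a user other than the one Tomcat runs as.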