There are a number of security considerations for running Tomcat (indeed, for any web server). The documentation at OWASP and the Tomcat security docs do a pretty good job of outlining the major considerations.
One frequently mentioned best practice is that your web server should not be run as root and should instead be run as a non-privileged user. However, programs run with non-root privileges can’t bind to lower standard ports (below 1024), and we would generally like to serve our site on the standard ports (like 80 and 443).
Since tomcat should be run without elevated privileges, and access to port 80 requires elevated privileges, we need to resolve this issue. There’s no single best way per se on how to do this, you need to understand the options and make the most suitable choice for your situation.
Here are some options arranged (in my opinion) by ease of use, with caveats as sub-points. Note that this presumes Tomcat on Linux.
- Use authbind to enable a non root user to bind to ports below 1024. This solves the problem very directly and it is available on Ubuntu with sudo apt-get install authbind.
- Caveat: Available only on debian linuxes
- Caveat: Doesn’t work with ipv6
- Use firewall software on the host to configure port forwarding.
- Run Tomcat as root, but in a chroot jail
- Use setcap to set capabilities
- Caveat: Doesn’t work if starting from a script (starting with #!)
- Caveat: JDK 1.6 did not work when using capabilities, but it works with JDK 1.7
- Use Apache running on port 80 and AJP to send requests to Tomcat. Using Apache would probably be a better choice if you have other reasons for choosing it like serving static content or load balancing.
- Caveat: need to set up Apache if you haven’t already
- Caveat: with virtual hosts that share an ip address you need to set up SNI (which might not have a full browser support)
- Port forwarding with iptables
- Caveat: NAT is not supported in ip6tables (IPv6 version of iptables)