Configured version: Tomcat 6

1. Virtual paths. Several Hosts can be configured in a single Tomcat; docBase is the web application directory. The application is registered here in server.xml, and server.xml changes only take effect after Tomcat is restarted.

<Host name="XXXXx" appBase="D:\webroot"
      unpackWARs="true" autoDeploy="true"
      xmlValidation="false" xmlNamespaceAware="false">
    <Context path="/" reloadable="true" docBase="D:\webroot\xxx\WebRoot\" />
</Host>
2. Disable HTTP methods that are not needed, usually DELETE and PUT. By default Tomcat already forbids DELETE and PUT and answers such requests with 403 Forbidden. Add the following constraint inside <web-app> in web.xml; web.xml changes only take effect after Tomcat is restarted. An empty <auth-constraint> grants no roles, so the listed methods are denied to every caller.

<security-constraint>
    <web-resource-collection>
        <!-- web-resource-name is required by the servlet schema; any label will do -->
        <web-resource-name>restricted-methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
3. Enable HttpOnly session cookies to mitigate XSS (cross-site scripting) attacks; Tomcat supports this attribute from version 6 onward. It is enabled in context.xml, and context.xml changes take effect when the context is next loaded, without restarting Tomcat.
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

<Context useHttpOnly="true">
    <!-- existing Context content unchanged -->
</Context>
4. Change the Tomcat version information to prevent version disclosure:

1) Go to the lib directory of the apache-tomcat installation, find catalina.jar, and open it with an archive tool to locate ServerInfo.properties under org\apache\catalina\util. Edit ServerInfo.properties and remove the version information, as follows:

server.info=Apache Tomcat
server.number=
server.built=
2) Set an error-page in web.xml that specifies the page to return. This can be configured in the application itself, in which case it applies only to the current application.

<error-page>
    <error-code>500</error-code>
    <location>/500.html</location>
</error-page>
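An added audit script (my own example, not part of the original notes or of Tomcat) that checks items 2, 3 and 4 above against constructed copies of web.xml, context.xml and ServerInfo.properties: which methods are denied for /* by an empty auth-constraint, whether useHttpOnly is set, whether a 500 error-page exists, and whether ServerInfo.properties still leaks version details. Element and key names are the real Tomcat ones; the sample inputs are constructed.

```python
import configparser
import xml.etree.ElementTree as ET

def _local(tag):  # strip a namespace prefix such as {http://java.sun.com/xml/ns/javaee}
    return tag.rsplit("}", 1)[-1]
def _children(el, name):
    return [c for c in el if _local(c.tag) == name]

def denied_methods(web_xml):
    """HTTP methods denied for /* via a security-constraint with an empty auth-constraint."""
    denied = set()
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        ac = _children(sc, "auth-constraint")
        if not ac or _children(ac[0], "role-name"):
            continue  # no auth-constraint, or roles granted: not a blanket deny
        for wrc in _children(sc, "web-resource-collection"):
            if "/*" in {(p.text or "").strip() for p in _children(wrc, "url-pattern")}:
                denied |= {(m.text or "").strip().upper() for m in _children(wrc, "http-method")}
    return denied

def error_pages(web_xml):
    pages = {}  # error-code -> location, taken from <error-page> entries
    for ep in ET.fromstring(web_xml).iter():
        if _local(ep.tag) == "error-page":
            code, loc = _children(ep, "error-code"), _children(ep, "location")
            if code and loc:
                pages[int(code[0].text)] = loc[0].text.strip()
    return pages

def http_only_enabled(context_xml):
    root = ET.fromstring(context_xml)
    return _local(root.tag) == "Context" and root.get("useHttpOnly", "").lower() == "true"

def version_leaks(server_info):
    """Keys of ServerInfo.properties that still reveal build or version details."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[s]\n" + server_info)  # .properties lines parse as an INI section
    leaks = {k for k in ("server.number", "server.built") if cp["s"].get(k, "").strip()}
    if any(ch.isdigit() for ch in cp["s"].get("server.info", "")):
        leaks.add("server.info")
    return leaks

# Constructed samples mirroring the fragments in the notes above.
WEB_XML = ("<web-app><security-constraint><web-resource-collection><web-resource-name>x"
           "</web-resource-name><url-pattern>/*</url-pattern><http-method>PUT</http-method>"
           "<http-method>DELETE</http-method><http-method>HEAD</http-method><http-method>"
           "OPTIONS</http-method><http-method>TRACE</http-method></web-resource-collection>"
           "<auth-constraint/></security-constraint><error-page><error-code>500</error-code>"
           "<location>/500.html</location></error-page></web-app>")
CONTEXT_XML = '<Context useHttpOnly="true"/>'
SERVER_INFO = "server.info=Apache Tomcat\nserver.number=\nserver.built=\n"
```

Point the functions at the real files (read the XML from conf/web.xml or conf/context.xml, and ServerInfo.properties extracted from catalina.jar) to audit a deployment before and after a restart.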