Application Security

Application security protects the JasperReports Server web application from unwarranted changes, malicious intrusions, and malware. This chapter explains measures you can take to provide such protection on the Tomcat server. These measures do not offer 100% protection—no measures can guarantee that except possibly pulling the plug—but they do create an acceptable level of protection, and they are a foundation upon which more thorough measures can be built.

The JasperReports Server Administrator Guide contains important information about configuration settings for security. Apply those security settings to the server before applying the following settings to the application server.

What follows is not a complete tutorial on securing your web application. To do so would take volumes. Instead, we have written instructions on the basic components of a secure Tomcat environment; we also added related code in the default installation. These additions demonstrate the basic procedures you should follow, but you may have to adapt the procedures to your installation.

The example instructions in this chapter apply only to the indicated versions of Tomcat. They have not been tested on any other server. We offer them as a useful model for implementing security on your server, regardless of its type.

Additional measures that you might take include disabling unnecessary applications and resources, encrypting usernames and passwords, closing unused ports, and avoiding memory leaks.

The tutorials assume the following system configuration:

JasperReports Server 5.5
Apache Tomcat 7
Web App Deployed Name: jasperserver

For more information on the components of a secure environment, see the OpenSSL web site and the Java documentation.

The chapter includes the following sections:

Using SSL in the Web Server
Disabling Unused HTTP Verbs
Setting the Secure Flag on Cookies
Setting httpOnly for Cookies
Using a Protection Domain Infrastructure
Encrypting Passwords in URLs