
Can I place a manually extracted WAR in Tomcat instead of deployOnStartup=true? Is it proper to have already extracted WAR files in Tomcat?

I added deployOnStartup="true" in the Tomcat server.xml. But it is recommended to have deployOnStartup="false" due to a security issue, as keeping it true allows malicious or untested applications to be deployed, and so it should be disabled. What is the issue with keeping the extracted WAR files in webapps directly, without having to extract them each time?

I think you misunderstand what deployOnStartup does. There are 4 ways to add a web application to Tomcat:

  1. Configure a <Context> element inside a <Host> element in conf/server.xml. Any change to the <Context> element will require a server restart,
  2. Add an <application-name>.xml file to the host's configBase directory (conf/Catalina/<host-name>),
  3. Add a WAR file to the host's appBase directory (usually webapps),
  4. Add a directory to the host's appBase directory.

There is no difference between 3 and 4.

If you set deployOnStartup="false" and autoDeploy="false", web applications defined using 2, 3 and 4 will not be deployed. You'll need to manually deploy them through JMX or Tomcat Manager after each server restart. If you leave autoDeploy="true" (default value), web applications from points 2, 3 and 4 will not be deployed at startup, but a few seconds later, when Tomcat scans for changes in the applications.

From a security perspective deployOnStartup="false" is an extreme solution, as it forces you to define everything inside server.xml. You can obtain a similar effect by:

  • making the entire conf directory writable by the administrator only and readable by the system user running Tomcat,
  • making the webapps directory writable by the administrator and Tomcat user only. If you make it writable by the administrator only, you'll need to set unpackWARs="false" and you will not be able to deploy new WARs using Tomcat Manager.
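
An added example, not part of the original answer: a small audit of the two permission rules above, combined with the Host attributes read from server.xml. The function names, the sample server.xml and the finding texts are assumptions made for illustration; the attribute defaults are Tomcat's documented ones, and the check looks at POSIX mode bits only (ACLs and root are ignored).

```python
import os
import stat
import xml.etree.ElementTree as ET

# Tomcat's defaults for the <Host> attributes discussed in the answer.
HOST_DEFAULTS = {"name": None, "appBase": "webapps", "deployOnStartup": "true",
                 "autoDeploy": "true", "unpackWARs": "true"}

# Constructed sample, not taken from the page.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina"><Engine name="Catalina">
  <Host name="localhost" appBase="webapps" autoDeploy="false"/>
</Engine></Service></Server>"""

def host_settings(server_xml_text):
    """Effective deployment attributes of every <Host> in server.xml."""
    root = ET.fromstring(server_xml_text)
    return [{k: h.get(k, d) for k, d in HOST_DEFAULTS.items()}
            for h in root.iter("Host")]

def can_write(path, uid, gids):
    """True if the mode bits let uid/gids write to path (ACLs and root ignored)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def world_writable(path):
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

def audit(catalina_base, server_xml_text, tomcat_uid, tomcat_gids):
    """Return findings for the conf and appBase rules given in the answer."""
    findings = []
    conf = os.path.join(catalina_base, "conf")
    if world_writable(conf) or can_write(conf, tomcat_uid, tomcat_gids):
        findings.append("conf: writable by the Tomcat user or by everyone")
    for host in host_settings(server_xml_text):
        app_base = os.path.join(catalina_base, host["appBase"])
        if world_writable(app_base):
            findings.append(f"{app_base}: world-writable")
        elif (not can_write(app_base, tomcat_uid, tomcat_gids)
              and host["unpackWARs"] == "true"):
            findings.append(f"{app_base}: not writable by Tomcat, set unpackWARs=false")
    return findings

if __name__ == "__main__":
    import sys  # usage: audit.py CATALINA_BASE TOMCAT_UID TOMCAT_GID
    base, uid, gid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    with open(os.path.join(base, "conf", "server.xml")) as fh:
        print("\n".join(audit(base, fh.read(), uid, {gid})) or "no findings")
```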

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.