InformationThe Tomcat configuration file web.xml stores application configuration settings. It is recommended that access to this file properly protect from unauthorized changes.
Restricting access to this file will prevent local users from maliciously or inadvertently altering Tomcat's security policy.
SolutionPerform the following to restrict access to web.xml:
Set the ownership of the $CATALINA_HOME/conf/web.xml to tomcat_admin:tomcat.
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/web.xml
Set the permissions for the $CATALINA_HOME/conf/web.xml file to 400.
# chmod 400 $CATALINA_HOME/conf/web.xml
The default permissions of web.xml are 400.