How to Configure Tomcat and Enable RECYCLE_FACADES
searchcancel
How to Configure Tomcat and Enable RECYCLE_FACADES
book
Article ID: 219611
calendar_today
Updated On: 03-21-2025
Products
Spectrum
Issue/Introduction
For secure sites, tomcat servers are required to have RECYCLE_FACADES enabled
Finding ID
Version
Rule ID
IA Controls
Severity
V-223002
TCAT-AS-001660
SV-223002r615938_rule
Low
STRICT_SERVLET_COMPLIANCE must be set to true. (stigviewer.com)
Rule Title: RECYCLE_FACADES must be set to true.
Discussion: If RECYCLE_FACADES is true or if a security manager is in use, a new facade object will be created for each request. This reduces the chances that a bug in an application might expose data from one request to another. This setting is configured using environment variable settings. For Linux OS flavors other than Ubuntu, use the relevant OS commands. For Ubuntu, this setting can be managed in the /etc/systemd/system/tomcat.service file via the CATALINA_OPTS variable. This setting is defined in the file and referenced during Tomcat startup in order to load Tomcat environment variables.
Technically, the tomcat.service referenced in the check and fix could be called a different name, for STIG purposes and to provide a standard setting that can be referred to and obviously is used for Tomcat, tomcat.service was chosen.
Check Text: From the Tomcat server as a privileged user, run the following command:
The tomcat STIG cases will be evaluated for the Q4CY21 NetOps release. In the meantime provided manual steps to enable RECYCLE_FACADES mode on tomcat.
Note: Enabling this configuration will have some impact on Spectrum Webserver Performance. By default, this value is considered false and generally, Tomcat will recycle and reuse facade objects between requests (essentially replacing the object's fields and reusing it, instead of letting it be cleaned by the GC). This might have some implications on information exchange between requests. If this is set to true or if a security manager is in use a new facade object will be created for each request. The primary disadvantage of setting org.apache.catalina.connector.RECYCLE_FACADES=true is performance.