You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Nathan Ward <nr...@cox.net> on 2003/08/08 04:27:49 UTC
Can I get an answer please -- Re: Why integrate Tomcat with a web server?
Hello John,
I hate to be pushy, but are you going to post a reply to this question at some point?
Nathan
----- Original Message -----
From: Nathan Ward
To: tomcat-user@johnturner.com ; Tomcat Users List
Sent: Monday, August 04, 2003 11:05 AM
Subject: Why integrate Tomcat with a web server?
I have a question for John Turner about a statement in the book Apache Tomcat Security.
Page 12 says:
"As discussed earlier, running publicly available web services as root or superuser is typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web server on port 80 by integrating it with a standard HTTP web server such as Apache, Microsoft's IIS, or Sun Microsystem's iPlanet."
Question: Does this apply when running under Windows? The reference to "as discussed earlier" talks about running Tomcat as a service with more permissions than necessary. Windows defaults to running services as SYSTEM which has administrator privileges. Fine, but as also mentioned earlier, you can create a user account with less permissions and setup the service to run Tomcat under that account. So, how does the statement on page 12 relate to running Tomcat under windows, i.e. why run Tomcat with IIS rather than just run Tomcat? There may be performance reasons, but from a security point of view, is there increased security risks in running Tomcat without IIS when running as a service under Windows?
Nathan
Re: Can I get an answer please -- Re: Why integrate Tomcat with a
web server?
Posted by John Turner <to...@johnturner.com>.
Agreed.
John
Noel J. Bergman wrote:
> Nathan,
>
> There are many facets to the subject, but if all you don't mind running all
> of your domains in one process, have no need for load balancing, no need for
> non-Tomcat features, etc., then running Tomcat directly is probably fine.
> Historically (and structurally), Tomcat should prove more secure than an IIS
> frontend.
>
> --- Noel
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Can I get an answer please -- Re: Why integrate Tomcat with a
web server?
Posted by John Turner <to...@johnturner.com>.
Agreed.
John
Noel J. Bergman wrote:
> Nathan,
>
> There are many facets to the subject, but if all you don't mind running all
> of your domains in one process, have no need for load balancing, no need for
> non-Tomcat features, etc., then running Tomcat directly is probably fine.
> Historically (and structurally), Tomcat should prove more secure than an IIS
> frontend.
>
> --- Noel
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
RE: Can I get an answer please -- Re: Why integrate Tomcat with a web server?
Posted by "Noel J. Bergman" <no...@devtech.com>.
Nathan,
There are many facets to the subject, but if all you don't mind running all
of your domains in one process, have no need for load balancing, no need for
non-Tomcat features, etc., then running Tomcat directly is probably fine.
Historically (and structurally), Tomcat should prove more secure than an IIS
frontend.
--- Noel
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
RE: Can I get an answer please -- Re: Why integrate Tomcat with a web server?
Posted by "Noel J. Bergman" <no...@devtech.com>.
Nathan,
There are many facets to the subject, but if all you don't mind running all
of your domains in one process, have no need for load balancing, no need for
non-Tomcat features, etc., then running Tomcat directly is probably fine.
Historically (and structurally), Tomcat should prove more secure than an IIS
frontend.
--- Noel
Re: Can I get an answer please -- Re: Why integrate Tomcat with a web server?
Posted by Nathan Ward <nr...@cox.net>.
True, but I don't have much static content and the Apache Tomcat Security
book is not making that point. I'm trying to determine whether or not it is
better to have a web server in front of Tomcat under Windows for security
reasons. The book seems to say that but it clearly describe why this
provides better security when running Tomcat under Windows.
Nathan
----- Original Message -----
From: "Rick Roberts" <te...@ait-web.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Thursday, August 07, 2003 11:02 PM
Subject: Re: Can I get an answer please -- Re: Why integrate Tomcat with a
web server?
> Because a web server serves static content (html, images, etc.) much
faster than
> tomcat will.
>
> Nathan Ward wrote:
> > Hello John,
> >
> > I hate to be pushy, but are you going to post a reply to this question
at some point?
> >
> > Nathan
> > ----- Original Message -----
> > From: Nathan Ward
> > To: tomcat-user@johnturner.com ; Tomcat Users List
> > Sent: Monday, August 04, 2003 11:05 AM
> > Subject: Why integrate Tomcat with a web server?
> >
> >
> > I have a question for John Turner about a statement in the book Apache
Tomcat Security.
> >
> > Page 12 says:
> > "As discussed earlier, running publicly available web services as root
or superuser is typically a bad idea, so the solution is to avoid using
Tomcat as a stand-alone web server on port 80 by integrating it with a
standard HTTP web server such as Apache, Microsoft's IIS, or Sun
Microsystem's iPlanet."
> >
> > Question: Does this apply when running under Windows? The reference to
"as discussed earlier" talks about running Tomcat as a service with more
permissions than necessary. Windows defaults to running services as SYSTEM
which has administrator privileges. Fine, but as also mentioned earlier, you
can create a user account with less permissions and setup the service to run
Tomcat under that account. So, how does the statement on page 12 relate to
running Tomcat under windows, i.e. why run Tomcat with IIS rather than just
run Tomcat? There may be performance reasons, but from a security point of
view, is there increased security risks in running Tomcat without IIS when
running as a service under Windows?
> >
> > Nathan
> >
>
> --
> *******************************************
> * Rick Roberts *
> * Advanced Information Technologies, Inc. *
> * http://www.ait-web.com *
> *******************************************
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
Re: Can I get an answer please -- Re: Why integrate Tomcat with a web server?
Posted by Nathan Ward <nr...@cox.net>.
True, but I don't have much static content and the Apache Tomcat Security
book is not making that point. I'm trying to determine whether or not it is
better to have a web server in front of Tomcat under Windows for security
reasons. The book seems to say that but it clearly describe why this
provides better security when running Tomcat under Windows.
Nathan
----- Original Message -----
From: "Rick Roberts" <te...@ait-web.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Thursday, August 07, 2003 11:02 PM
Subject: Re: Can I get an answer please -- Re: Why integrate Tomcat with a
web server?
> Because a web server serves static content (html, images, etc.) much
faster than
> tomcat will.
>
> Nathan Ward wrote:
> > Hello John,
> >
> > I hate to be pushy, but are you going to post a reply to this question
at some point?
> >
> > Nathan
> > ----- Original Message -----
> > From: Nathan Ward
> > To: tomcat-user@johnturner.com ; Tomcat Users List
> > Sent: Monday, August 04, 2003 11:05 AM
> > Subject: Why integrate Tomcat with a web server?
> >
> >
> > I have a question for John Turner about a statement in the book Apache
Tomcat Security.
> >
> > Page 12 says:
> > "As discussed earlier, running publicly available web services as root
or superuser is typically a bad idea, so the solution is to avoid using
Tomcat as a stand-alone web server on port 80 by integrating it with a
standard HTTP web server such as Apache, Microsoft's IIS, or Sun
Microsystem's iPlanet."
> >
> > Question: Does this apply when running under Windows? The reference to
"as discussed earlier" talks about running Tomcat as a service with more
permissions than necessary. Windows defaults to running services as SYSTEM
which has administrator privileges. Fine, but as also mentioned earlier, you
can create a user account with less permissions and setup the service to run
Tomcat under that account. So, how does the statement on page 12 relate to
running Tomcat under windows, i.e. why run Tomcat with IIS rather than just
run Tomcat? There may be performance reasons, but from a security point of
view, is there increased security risks in running Tomcat without IIS when
running as a service under Windows?
> >
> > Nathan
> >
>
> --
> *******************************************
> * Rick Roberts *
> * Advanced Information Technologies, Inc. *
> * http://www.ait-web.com *
> *******************************************
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Can I get an answer please -- Re: Why integrate Tomcat with a
web server?
Posted by Rick Roberts <te...@ait-web.com>.
Because a web server serves static content (html, images, etc.) much faster than
tomcat will.
Nathan Ward wrote:
> Hello John,
>
> I hate to be pushy, but are you going to post a reply to this question at some point?
>
> Nathan
> ----- Original Message -----
> From: Nathan Ward
> To: tomcat-user@johnturner.com ; Tomcat Users List
> Sent: Monday, August 04, 2003 11:05 AM
> Subject: Why integrate Tomcat with a web server?
>
>
> I have a question for John Turner about a statement in the book Apache Tomcat Security.
>
> Page 12 says:
> "As discussed earlier, running publicly available web services as root or superuser is typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web server on port 80 by integrating it with a standard HTTP web server such as Apache, Microsoft's IIS, or Sun Microsystem's iPlanet."
>
> Question: Does this apply when running under Windows? The reference to "as discussed earlier" talks about running Tomcat as a service with more permissions than necessary. Windows defaults to running services as SYSTEM which has administrator privileges. Fine, but as also mentioned earlier, you can create a user account with less permissions and setup the service to run Tomcat under that account. So, how does the statement on page 12 relate to running Tomcat under windows, i.e. why run Tomcat with IIS rather than just run Tomcat? There may be performance reasons, but from a security point of view, is there increased security risks in running Tomcat without IIS when running as a service under Windows?
>
> Nathan
>
--
*******************************************
* Rick Roberts *
* Advanced Information Technologies, Inc. *
* http://www.ait-web.com *
*******************************************
Re: Can I get an answer please -- Re: Why integrate Tomcat with a
web server?
Posted by John Turner <to...@johnturner.com>.
Answered on 08/05/2003, 11:00 AM Eastern.
If you want to address me, I suggest putting something in the subject
line or sending me a message off-list.
A subject line of "why integrate with a web server" is a FAQ that I
would normally ignore.
John
Nathan Ward wrote:
> Hello John,
>
> I hate to be pushy, but are you going to post a reply to this question at some point?
>
> Nathan
> ----- Original Message -----
> From: Nathan Ward
> To: tomcat-user@johnturner.com ; Tomcat Users List
> Sent: Monday, August 04, 2003 11:05 AM
> Subject: Why integrate Tomcat with a web server?
>
>
> I have a question for John Turner about a statement in the book Apache Tomcat Security.
>
> Page 12 says:
> "As discussed earlier, running publicly available web services as root or superuser is typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web server on port 80 by integrating it with a standard HTTP web server such as Apache, Microsoft's IIS, or Sun Microsystem's iPlanet."
>
> Question: Does this apply when running under Windows? The reference to "as discussed earlier" talks about running Tomcat as a service with more permissions than necessary. Windows defaults to running services as SYSTEM which has administrator privileges. Fine, but as also mentioned earlier, you can create a user account with less permissions and setup the service to run Tomcat under that account. So, how does the statement on page 12 relate to running Tomcat under windows, i.e. why run Tomcat with IIS rather than just run Tomcat? There may be performance reasons, but from a security point of view, is there increased security risks in running Tomcat without IIS when running as a service under Windows?
>
> Nathan
>
Re: Can I get an answer please -- Re: Why integrate Tomcat with a
web server?
Posted by John Turner <to...@johnturner.com>.
That's cool, I was referring more to the second message about being
"pushy". ;)
John
Nathan Ward wrote:
> Sorry about that John. I must have missed your reply. I'm still figuring out
> how to effectively use the mailing lists. I wanted to direct the message to
> you, but I thought it would be useful to others so I wanted to post it here
> rather than sending it only to you.
>
> Nathan
>
> ----- Original Message -----
> From: "John Turner" <to...@johnturner.com>
> To: "Tomcat Users List" <to...@jakarta.apache.org>
> Sent: Friday, August 08, 2003 9:35 AM
> Subject: Re: Can I get an answer please -- Re: Why integrate Tomcat with a
> web server?
>
>
>
>>I did, last week.
>>
>>In any case, if you have something to ask me directly, you can send me a
>>message off-list.
>>
>>John
>>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Can I get an answer please -- Re: Why integrate Tomcat with a
web server?
Posted by John Turner <to...@johnturner.com>.
That's cool, I was referring more to the second message about being
"pushy". ;)
John
Nathan Ward wrote:
> Sorry about that John. I must have missed your reply. I'm still figuring out
> how to effectively use the mailing lists. I wanted to direct the message to
> you, but I thought it would be useful to others so I wanted to post it here
> rather than sending it only to you.
>
> Nathan
>
> ----- Original Message -----
> From: "John Turner" <to...@johnturner.com>
> To: "Tomcat Users List" <to...@jakarta.apache.org>
> Sent: Friday, August 08, 2003 9:35 AM
> Subject: Re: Can I get an answer please -- Re: Why integrate Tomcat with a
> web server?
>
>
>
>>I did, last week.
>>
>>In any case, if you have something to ask me directly, you can send me a
>>message off-list.
>>
>>John
>>
Re: Can I get an answer please -- Re: Why integrate Tomcat with a web server?
Posted by Nathan Ward <nr...@cox.net>.
Sorry about that John. I must have missed your reply. I'm still figuring out
how to effectively use the mailing lists. I wanted to direct the message to
you, but I thought it would be useful to others so I wanted to post it here
rather than sending it only to you.
Nathan
----- Original Message -----
From: "John Turner" <to...@johnturner.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Friday, August 08, 2003 9:35 AM
Subject: Re: Can I get an answer please -- Re: Why integrate Tomcat with a
web server?
>
> I did, last week.
>
> In any case, if you have something to ask me directly, you can send me a
> message off-list.
>
> John
>
> Nathan Ward wrote:
>
> > Hello John,
> >
> > I hate to be pushy, but are you going to post a reply to this question
at some point?
> >
> > Nathan
> > ----- Original Message -----
> > From: Nathan Ward
> > To: tomcat-user@johnturner.com ; Tomcat Users List
> > Sent: Monday, August 04, 2003 11:05 AM
> > Subject: Why integrate Tomcat with a web server?
> >
> >
> > I have a question for John Turner about a statement in the book Apache
Tomcat Security.
> >
> > Page 12 says:
> > "As discussed earlier, running publicly available web services as root
or superuser is typically a bad idea, so the solution is to avoid using
Tomcat as a stand-alone web server on port 80 by integrating it with a
standard HTTP web server such as Apache, Microsoft's IIS, or Sun
Microsystem's iPlanet."
> >
> > Question: Does this apply when running under Windows? The reference to
"as discussed earlier" talks about running Tomcat as a service with more
permissions than necessary. Windows defaults to running services as SYSTEM
which has administrator privileges. Fine, but as also mentioned earlier, you
can create a user account with less permissions and setup the service to run
Tomcat under that account. So, how does the statement on page 12 relate to
running Tomcat under windows, i.e. why run Tomcat with IIS rather than just
run Tomcat? There may be performance reasons, but from a security point of
view, is there increased security risks in running Tomcat without IIS when
running as a service under Windows?
> >
> > Nathan
> >
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
Re: Can I get an answer please -- Re: Why integrate Tomcat with a web server?
Posted by Nathan Ward <nr...@cox.net>.
Sorry about that John. I must have missed your reply. I'm still figuring out
how to effectively use the mailing lists. I wanted to direct the message to
you, but I thought it would be useful to others so I wanted to post it here
rather than sending it only to you.
Nathan
----- Original Message -----
From: "John Turner" <to...@johnturner.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Friday, August 08, 2003 9:35 AM
Subject: Re: Can I get an answer please -- Re: Why integrate Tomcat with a
web server?
>
> I did, last week.
>
> In any case, if you have something to ask me directly, you can send me a
> message off-list.
>
> John
>
> Nathan Ward wrote:
>
> > Hello John,
> >
> > I hate to be pushy, but are you going to post a reply to this question
at some point?
> >
> > Nathan
> > ----- Original Message -----
> > From: Nathan Ward
> > To: tomcat-user@johnturner.com ; Tomcat Users List
> > Sent: Monday, August 04, 2003 11:05 AM
> > Subject: Why integrate Tomcat with a web server?
> >
> >
> > I have a question for John Turner about a statement in the book Apache
Tomcat Security.
> >
> > Page 12 says:
> > "As discussed earlier, running publicly available web services as root
or superuser is typically a bad idea, so the solution is to avoid using
Tomcat as a stand-alone web server on port 80 by integrating it with a
standard HTTP web server such as Apache, Microsoft's IIS, or Sun
Microsystem's iPlanet."
> >
> > Question: Does this apply when running under Windows? The reference to
"as discussed earlier" talks about running Tomcat as a service with more
permissions than necessary. Windows defaults to running services as SYSTEM
which has administrator privileges. Fine, but as also mentioned earlier, you
can create a user account with less permissions and setup the service to run
Tomcat under that account. So, how does the statement on page 12 relate to
running Tomcat under windows, i.e. why run Tomcat with IIS rather than just
run Tomcat? There may be performance reasons, but from a security point of
view, is there increased security risks in running Tomcat without IIS when
running as a service under Windows?
> >
> > Nathan
> >
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Can I get an answer please -- Re: Why integrate Tomcat with a
web server?
Posted by John Turner <to...@johnturner.com>.
I did, last week.
In any case, if you have something to ask me directly, you can send me a
message off-list.
John
Nathan Ward wrote:
> Hello John,
>
> I hate to be pushy, but are you going to post a reply to this question at some point?
>
> Nathan
> ----- Original Message -----
> From: Nathan Ward
> To: tomcat-user@johnturner.com ; Tomcat Users List
> Sent: Monday, August 04, 2003 11:05 AM
> Subject: Why integrate Tomcat with a web server?
>
>
> I have a question for John Turner about a statement in the book Apache Tomcat Security.
>
> Page 12 says:
> "As discussed earlier, running publicly available web services as root or superuser is typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web server on port 80 by integrating it with a standard HTTP web server such as Apache, Microsoft's IIS, or Sun Microsystem's iPlanet."
>
> Question: Does this apply when running under Windows? The reference to "as discussed earlier" talks about running Tomcat as a service with more permissions than necessary. Windows defaults to running services as SYSTEM which has administrator privileges. Fine, but as also mentioned earlier, you can create a user account with less permissions and setup the service to run Tomcat under that account. So, how does the statement on page 12 relate to running Tomcat under windows, i.e. why run Tomcat with IIS rather than just run Tomcat? There may be performance reasons, but from a security point of view, is there increased security risks in running Tomcat without IIS when running as a service under Windows?
>
> Nathan
>
Re: Can I get an answer please -- Re: Why integrate Tomcat with a
web server?
Posted by John Turner <to...@johnturner.com>.
Answered on 08/05/2003, 11:00 AM Eastern.
If you want to address me, I suggest putting something in the subject
line or sending me a message off-list.
A subject line of "why integrate with a web server" is a FAQ that I
would normally ignore.
John
Nathan Ward wrote:
> Hello John,
>
> I hate to be pushy, but are you going to post a reply to this question at some point?
>
> Nathan
> ----- Original Message -----
> From: Nathan Ward
> To: tomcat-user@johnturner.com ; Tomcat Users List
> Sent: Monday, August 04, 2003 11:05 AM
> Subject: Why integrate Tomcat with a web server?
>
>
> I have a question for John Turner about a statement in the book Apache Tomcat Security.
>
> Page 12 says:
> "As discussed earlier, running publicly available web services as root or superuser is typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web server on port 80 by integrating it with a standard HTTP web server such as Apache, Microsoft's IIS, or Sun Microsystem's iPlanet."
>
> Question: Does this apply when running under Windows? The reference to "as discussed earlier" talks about running Tomcat as a service with more permissions than necessary. Windows defaults to running services as SYSTEM which has administrator privileges. Fine, but as also mentioned earlier, you can create a user account with less permissions and setup the service to run Tomcat under that account. So, how does the statement on page 12 relate to running Tomcat under windows, i.e. why run Tomcat with IIS rather than just run Tomcat? There may be performance reasons, but from a security point of view, is there increased security risks in running Tomcat without IIS when running as a service under Windows?
>
> Nathan
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Can I get an answer please -- Re: Why integrate Tomcat with a
web server?
Posted by Rick Roberts <te...@ait-web.com>.
Because a web server serves static content (html, images, etc.) much faster than
tomcat will.
Nathan Ward wrote:
> Hello John,
>
> I hate to be pushy, but are you going to post a reply to this question at some point?
>
> Nathan
> ----- Original Message -----
> From: Nathan Ward
> To: tomcat-user@johnturner.com ; Tomcat Users List
> Sent: Monday, August 04, 2003 11:05 AM
> Subject: Why integrate Tomcat with a web server?
>
>
> I have a question for John Turner about a statement in the book Apache Tomcat Security.
>
> Page 12 says:
> "As discussed earlier, running publicly available web services as root or superuser is typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web server on port 80 by integrating it with a standard HTTP web server such as Apache, Microsoft's IIS, or Sun Microsystem's iPlanet."
>
> Question: Does this apply when running under Windows? The reference to "as discussed earlier" talks about running Tomcat as a service with more permissions than necessary. Windows defaults to running services as SYSTEM which has administrator privileges. Fine, but as also mentioned earlier, you can create a user account with less permissions and setup the service to run Tomcat under that account. So, how does the statement on page 12 relate to running Tomcat under windows, i.e. why run Tomcat with IIS rather than just run Tomcat? There may be performance reasons, but from a security point of view, is there increased security risks in running Tomcat without IIS when running as a service under Windows?
>
> Nathan
>
--
*******************************************
* Rick Roberts *
* Advanced Information Technologies, Inc. *
* http://www.ait-web.com *
*******************************************
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Can I get an answer please -- Re: Why integrate Tomcat with a
web server?
Posted by John Turner <to...@johnturner.com>.
I did, last week.
In any case, if you have something to ask me directly, you can send me a
message off-list.
John
Nathan Ward wrote:
> Hello John,
>
> I hate to be pushy, but are you going to post a reply to this question at some point?
>
> Nathan
> ----- Original Message -----
> From: Nathan Ward
> To: tomcat-user@johnturner.com ; Tomcat Users List
> Sent: Monday, August 04, 2003 11:05 AM
> Subject: Why integrate Tomcat with a web server?
>
>
> I have a question for John Turner about a statement in the book Apache Tomcat Security.
>
> Page 12 says:
> "As discussed earlier, running publicly available web services as root or superuser is typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web server on port 80 by integrating it with a standard HTTP web server such as Apache, Microsoft's IIS, or Sun Microsystem's iPlanet."
>
> Question: Does this apply when running under Windows? The reference to "as discussed earlier" talks about running Tomcat as a service with more permissions than necessary. Windows defaults to running services as SYSTEM which has administrator privileges. Fine, but as also mentioned earlier, you can create a user account with less permissions and setup the service to run Tomcat under that account. So, how does the statement on page 12 relate to running Tomcat under windows, i.e. why run Tomcat with IIS rather than just run Tomcat? There may be performance reasons, but from a security point of view, is there increased security risks in running Tomcat without IIS when running as a service under Windows?
>
> Nathan
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org