Posted to users@tomcat.apache.org by Tiago Ferraz Machado <tf...@cpqd.com.br> on 2003/03/27 19:10:54 UTC

Apache vs. Tomcat

Hi,

I know that, for a more secure environment, we should use Apache integrated with Tomcat. What I need is some kind of paper or web page explaining that.

Does anyone know something like it?

Thanks,

Tiago.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Apache vs. Tomcat

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Thu, 27 Mar 2003, Tiago Ferraz Machado wrote:

> Date: Thu, 27 Mar 2003 15:10:54 -0300
> From: Tiago Ferraz Machado <tf...@cpqd.com.br>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: Apache vs. Tomcat
>
> Hi,
>
> I know that, for a more secure environment, we should use Apache
> integrated with Tomcat. What I need is some kind of paper or web page
> explaining that.
>
> Does anyone know something like it?
>

I do not buy the underlying assumption that this is necessary strictly for
a "more secure environment".  It is quite feasible to set up a secure
Tomcat standalone environment (and, in fact, one could argue that this is
likely to be more secure because it's not written in C, and therefore not
vulnerable to the typical buffer overflow type attacks).

The most important security-related thing about Tomcat standalone is if
you need your app to run on a privileged port (<1024).  Right now, that
would mean having to run Tomcat as the root user, which is a very bad
thing, or you can set up some sort of port forwarding.

Note that I am *not* saying Apache is insecure -- it's not.  But you
should not make the assumption that Tomcat standalone is any *less* secure
without some sort of proof, and the reported security vulnerabilities
against the two (over the last few years) would lead you to the opposite
conclusion.

> Thanks,
>
> Tiago.
>

Craig
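
The port-forwarding alternative mentioned in the reply above, as an added example that is not part of the original thread or of Tomcat itself. It assumes a Linux host with iptables and Tomcat connectors on the unprivileged ports 8080 and 8443; the function names and the sample process list are made up for illustration.

```shell
#!/bin/sh
# Added example. Assumes Linux iptables and Tomcat connectors on 8080/8443.

# Succeeds if $1 is a decimal integer in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_rules PUBLIC_PORT TOMCAT_PORT
# Prints (does not apply) NAT rules so the admin can review them first.
redirect_rules() {
    public=$1 backend=$2
    is_port "$public" && is_port "$backend" ||
        { echo "ports must be integers in 1..65535" >&2; return 2; }
    # Forwarding only makes sense from a privileged port ...
    [ "$public" -lt 1024 ] ||
        { echo "$public is not privileged; bind it directly" >&2; return 3; }
    # ... to one Tomcat can bind without root.
    [ "$backend" -ge 1024 ] ||
        { echo "$backend would still require root" >&2; return 4; }
    # Traffic arriving from other hosts.
    echo "iptables -t nat -A PREROUTING -p tcp --dport $public -j REDIRECT --to-ports $backend"
    # Connections made on the host itself via loopback.
    echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $public -j REDIRECT --to-ports $backend"
}

# Reads `ps -eo user,args` style lines on stdin and prints how many
# Tomcat JVMs (main class org.apache.catalina.startup.Bootstrap) run as root.
root_tomcat_count() {
    awk '$1 == "root" && /org\.apache\.catalina\.startup\.Bootstrap/ { n++ }
         END { print n + 0 }'
}

# Constructed sample process list (paths and accounts are made up).
SAMPLE_PS='root java -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
tomcat java -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
root /usr/sbin/sshd -D'

redirect_rules 80 8080
redirect_rules 443 8443
echo "Tomcat JVMs running as root: $(printf '%s\n' "$SAMPLE_PS" | root_tomcat_count)"
```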
