Posted to users@tomcat.apache.org by Bárbara Vieira <ba...@di.uminho.pt> on 2008/01/08 12:13:34 UTC

Why use a Web Server over Tomcat?

Hi there!

I’m doing research on internet banking and e-commerce good practices
for designing a secure system.

I have an application based on servlets running in a Tomcat Server. My
application provides secure authentication based on both methods: SSL mutual
authentication and form authentication (supplied by Tomcat). All the data
that is sent over the network is encrypted (SSL).

In my research I discovered that some bank systems that use applications
based on servlets (or something based on servlets, like JSP and other
things) are using a Web Server like IIS over a Servlet Container (like Sun
Web Server, or possibly Tomcat Server). Why does that happen? Why do we have a
Web Server over another Web Server, if the low-level Web Server is capable of
doing everything alone?

In my application, client authentication and authorization are controlled by
Tomcat Server. Should I use an Apache Server over Tomcat or an IIS server
over Tomcat? What kind of security am I providing by doing this?

My research is at the beginning and the documentation about it is vague, so
I apologize if I’m saying something wrong.

Regards,

Bárbara Vieira


RE: Why use a Web Server over Tomcat?

Posted by Bárbara Vieira <ba...@di.uminho.pt>.
Hi Mikolaj!
Thanks for your help. But my question isn't just about designing a DMZ. It's
much more. And answering your question: yes, google is not enough. There are
certain questions that google doesn't answer.

Regards,
Bárbara Vieira

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Why use a Web Server over Tomcat?

Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
Bárbara Vieira wrote:
> David, imagine that you are developing a web application to provide services
> like internet banking. What network architecture would you propose? How will
> you implement a DMZ? Probably you put a firewall between Web Server and
> Database Server!! Or not?
>   
Am I right that google is not enough for you?

http://www.google.com/search?q=how+to+design+dmz

-- 
Mikolaj Rydzewski <mi...@ceti.pl>



RE: Why use a Web Server over Tomcat?

Posted by Bárbara Vieira <ba...@di.uminho.pt>.
Hi everyone!
David, imagine that you are developing a web application to provide services
like internet banking. What network architecture would you propose? How will
you implement a DMZ? Probably you put a firewall between Web Server and
Database Server!! Or not?

Regards,
Bárbara Vieira



Re: Why use a Web Server over Tomcat?

Posted by David Smith <dn...@cornell.edu>.
In my CISSP training, we covered the possibility of putting a web server
in between two firewalls.  The outer one cleans the coarse junk out of
the data stream like denial of service attacks, web server compromise
attacks, malformed packets, as well as closing down server services
that should be available to the company, but not the public.  The inner
one is more fine-grained, possibly protecting company data assets from
disclosure or blocking unapproved websites from being accessed by employees.

Just trying to say there is a business case for two firewalls -- it has 
more to do with protecting company assets than protecting the web server.

--David


Re: Why use a Web Server over Tomcat?

Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
---------------------------------------------------------------------------
HARBOR: http://coolharbor.100free.com/index.htm
The best application server on earth
---------------------------------------------------------------------------
----- Original Message ----- 
From: "Johnny Kewl" <jo...@kewlstuff.co.za>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Thursday, January 10, 2008 10:27 PM
Subject: Re: Why use a Web Server over Tomcat?


> Hi Barbara,
>
> Sorry still on holiday, not reading email every day...
>
> Read this article by one of the tomcat gurus... nice and academic, has
> calcs on load factors etc...

http://people.apache.org/~mturk/docs/article/ftwai.html



Re: Why use a Web Server over Tomcat?

Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
Hi Barbara,

Sorry still on holiday, not reading email every day...

Read this article by one of the tomcat gurus... nice and academic, has
calcs on load factors etc...
That "Secure generic configuration"... is how I was thinking but a bank will
generally be even more paranoid.
Like for example a bank IT reads about something like exploiting buffer 
overflows in IIS, or some other creative hack that gets the hacker into the 
network and they will probably go for something like this...

http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci906407,00.html

See dual firewalls...

put them together and you probably have what bankers would consider good 
protection..

ie even if the hacker hacked a machine in the DMZ and got onto the 
network... Tomcat the machine with sensitive access to other services... is 
still behind another firewall.

Smaller organizations would typically just have a router firewall, and a 
server behind it... if that server is a linux box setup correctly... it also 
becomes a quasi firewall... possibly with dual network connections, and 
Tomcat, or Apache running.... and linux guys would probably consider that 
very secure as well.

Linux is a little grey, because it literally can become anything....  but in 
concept, something like the above is happening....

Google there is tons of info.... and various levels of paranoia ;)


RE: Why use a Web Server over Tomcat?

Posted by Bárbara Vieira <ba...@di.uminho.pt>.
Alan and Johnny,
I agree with Alan. I'm using the same scheme to save passwords in the database,
and SSL too.
But Johnny's answer helped me understand some things.
Johnny, when you say:
> So in those organization Tomcat is probably behind the second internal
> firewall for staff to use as well.
What do you mean? If you have a Tomcat inside a DMZ, usually we have one
firewall that separates internet from intranet, i.e., the firewall filters
requests that come from the outside. Isn't that so?

Thanks,
Regards,
Bárbara Vieira
 


RE: Why use a Web Server over Tomcat?

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Martin Gainty [mailto:mgainty@hotmail.com] 
> Subject: Re: Why use a Web Server over Tomcat?
> 
> Apache is considerably lighter on its feet to serve static 
> pages and images quicker than TC

While that was true several years ago, the current versions of Tomcat
achieve virtually identical performance when delivering static content.
Adding the overhead of another comm node for every request will hurt
performance, not enhance it.  Others have presented valid reasons for
using httpd, but performance isn't one of them.

 - Chuck



Re: Why use a Web Server over Tomcat?

Posted by Martin Gainty <mg...@hotmail.com>.
Apache is considerably lighter on its feet to serve static pages and images
quicker than TC.
Apache's HTTP server resource management algorithm revolves around Prefork
MPM: OK if you have 1-10 processes.. considerably more problematic when Apache
is attempting to manage >100 concurrent processes.
Tomcat's superior multi-threading can manage multiple resources much more
effectively..

Anyone else?

M--

Re: Why use a Web Server over Tomcat?

Posted by Alan Chaney <al...@compulsivecreative.com>.
> 
> One reason for doing this, is again not whether IIS or APACHE is better
> although APACHE on linux in the
> hands of a guru is very good, it's because Tomcat carries clear text
> passwords, so if a hacker did
> get at the machine, they would probably see the Active X LDAP master
> password,

I don't understand this comment at all. 'Passwords' in tomcat can be 
managed by a whole host of authentication schemes. I use SSL to protect 
access to the password on the net and MD5 encoded passwords in a 
database for user authentication and access control. It depends entirely 
upon how you configure your system.

Regards

Alan


Re: Why use a Web Server over Tomcat?

Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
----- Original Message ----- 
From: "Bárbara Vieira" <ba...@di.uminho.pt>
To: "'Tomcat Users List'" <us...@tomcat.apache.org>
Sent: Tuesday, January 08, 2008 1:13 PM
Subject: Why use a Web Server over Tomcat?


Hi there!

I'm doing research on internet banking and e-commerce good practices
for designing a secure system.

I have an application based on servlets running in a Tomcat Server. My
application provides secure authentication based on both methods: SSL mutual
authentication and form authentication (supplied by Tomcat). All the data
that is sent over the network is encrypted (SSL).

In my research I discovered that some bank systems that use applications
based on servlets (or something based on servlets, like JSP and other
things) are using a Web Server like IIS over a Servlet Container (like Sun
Web Server, or possibly Tomcat Server). Why does that happen? Why do we have a
Web Server over another Web Server, if the low-level Web Server is capable of
doing everything alone?

In my application, client authentication and authorization are controlled by
Tomcat Server. Should I use an Apache Server over Tomcat or an IIS server
over Tomcat? What kind of security am I providing by doing this?
==============================================
I don't think in the context of your question it really matters.
I think what you're seeing is a DMZ
http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

The web server lives in the DMZ and it provides good security, read up on
the idea of DMZ.

After that it's just a matter of preference, the Admin guys probably know MS
stuff and not linux, so they have opted for IIS.

So in those organizations Tomcat is probably behind the second internal
firewall for staff to use as well.
It probably still runs on port 8080 and thus a hacker has to break in
through 2 firewalls to get at TC.

One reason for doing this, is again not whether IIS or APACHE is better
although APACHE on linux in the hands of a guru is very good, it's because
Tomcat carries clear text passwords, so if a hacker did get at the machine,
they would probably see the Active X LDAP master password, as well as those
for sensitive dB's.... they're protecting the "machine", not the web pages via
SSL.... I think ;)

==============================================

My research is at the beginning and the documentation about it is vague, so
I apologize if I'm saying something wrong.



Regards,

Bárbara Vieira






Re: Why use a Web Server over Tomcat?

Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
On Tue, Jan 08, 2008 at 03:17:38PM +0100, Mikolaj Rydzewski wrote:
> There's no simple answer. Running apache in front of tomcat has advantages:
>
>    * load balancing / failover
>    * static content handling (I know, tomcat behaves better and better,
>      but some people want to have apache handle this)
>    * easy integration of webapps from remote hosts
>    * probably more...

* no need to fiddle with the weird Java-only truststore library files
  when providing certificates
* no need to discover the specific incantation for your system that
  will allow Tomcat to open low-numbered ports (80, 443) and yet run
  as a nonprivileged user (not an issue on Windows, which lacks the
  notion of "privileged" ports)
* easily throw up an informative page ("service will resume by nn:nn")
  when taking services down for maintenance, instead of returning
  port-not-reachable
* many many well-tested specialty modules for Apache HTTPD should you
  need to do something out of the ordinary

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.


Re: Why use a Web Server over Tomcat?

Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
Bárbara Vieira wrote:
> I understand your perspective. But, my question is about security. Why
> systems banks use an IIS Server instead of an Apache Server over a Tomcat
> Server(or some servlet container), if that systems authenticate the client
> using servlets technology or some technology supplied by some servlet
> container like Tomcat?
>
> I understand the fact that systems uses a Web Server over another to serve
> static content. But if in my application all content is closed, i.e., every
> client that wants to accede to that content must be authenticated and that
> authentication is controlled by Tomcat. Should I have some Web Server over
> Tomcat? I think that if I have an Apache Server over Tomcat, it causes an
> overhead, because all requests sent to Apache, must be sent to Tomcat.
>   
There's no simple answer. Running apache in front of tomcat has advantages:

    * load balancing / failover
    * static content handling (I know, tomcat behaves better and better,
      but some people want to have apache handle this)
    * easy integration of webapps from remote hosts
    * probably more...

Easy integration of webapps from remote hosts: it's trivial (thanks to
mod_jk or mod_proxy_ajp) to have one apache based virtual host with
several remote apps /app1 /app2 /app3 /app4 running on different tomcat
servers instead of one gigantic tomcat server running all of them in one JVM.

-- 
Mikolaj Rydzewski <mi...@ceti.pl>



Re: Why use a Web Server over Tomcat?

Posted by Kristian Rink <kr...@zimmer428.net>.
Bárbara,

On Tue, 8 Jan 2008 13:53:11 -0000,
Bárbara Vieira <ba...@di.uminho.pt> wrote:
> I understand your perspective. But, my question is about security. Why
> systems banks use an IIS Server instead of an Apache Server over a
> Tomcat Server(or some servlet container)
[...]

From what I have seen of online banking systems around here, some of
them do use an IIS to do their web hosting (eventually by making use of
some internal CMS to actually include/edit content) but the actual
banking solution they do use is a J(2)EE application in some app
server. In such a scenario, they are required to somehow create an
"integrated" environment (with a behaviour seamless to the user), by
somehow "linking", say, IIS and the J(2)EE app server / servlet
container.

> I understand the fact that systems uses a Web Server over another to
> serve static content. But if in my application all content is closed,
> i.e., every client that wants to accede to that content must be
> authenticated and that authentication is controlled by Tomcat. 


There's more to security than just authentication. In our environment,
the tomcat installations are on production servers in our LAN
fully accessible to our internal users' desktop clients (including some
more services for document / file access), and "external" access (from
the "outside" internet) is done via an apache2 reverse proxy living in
a DMZ segment. This way, I can keep people from directly accessing my
productive systems, which is helpful to say the very least. ;)

Cheers,
Kristian



-- 
Kristian Rink * http://zimmer428.net * http://flickr.com/photos/z428/
jab: kawazu@jabber.ccc.de * icq: 48874445 * fon: ++49 176 2447 2771
"One dreaming alone, it will be only a dream; many dreaming together
is the beginning of a new reality." (Hundertwasser)
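
The layout described in the messages above (one Apache virtual host in the DMZ, several context paths forwarded over AJP to separate Tomcat hosts on the internal network, and an informative page while a backend is down), written out as an httpd configuration. This is an added example, not configuration posted by anyone in the thread; the host names, file paths and the maintenance page are placeholders.

```apache
# Added example. Assumes mod_ssl, mod_proxy and mod_proxy_ajp are loaded
# and that httpd already listens on 443. All names and paths are placeholders.

<VirtualHost *:443>
    ServerName   www.example.com
    DocumentRoot "/var/www/dmz-static"

    # TLS ends on the DMZ host; Tomcat is never reachable from the internet.
    SSLEngine on
    SSLCertificateFile    "/etc/httpd/tls/server.crt"
    SSLCertificateKeyFile "/etc/httpd/tls/server.key"

    # SSL mutual authentication, as in the original question: the client
    # certificate is now verified here, because Tomcat no longer takes part
    # in the TLS handshake itself.
    SSLVerifyClient      require
    SSLVerifyDepth       2
    SSLCACertificateFile "/etc/httpd/tls/client-ca.crt"

    # Reverse proxy only; never relay arbitrary requests for clients.
    ProxyRequests Off

    # One public host, one context path per application, each served by a
    # different Tomcat instance through its AJP connector (default port 8009).
    # Only these four prefixes are forwarded; everything else stays in the DMZ.
    # The path is the same on both sides, so no response rewriting is needed.
    ProxyPass "/app1" "ajp://tomcat-a.internal.example:8009/app1"
    ProxyPass "/app2" "ajp://tomcat-b.internal.example:8009/app2"
    ProxyPass "/app3" "ajp://tomcat-c.internal.example:8009/app3"
    ProxyPass "/app4" "ajp://tomcat-d.internal.example:8009/app4"

    # When a Tomcat instance is stopped for maintenance, mod_proxy answers
    # 503; serve a local static page from DocumentRoot instead of a bare error.
    ErrorDocument 503 /maintenance.html
</VirtualHost>

# Inner firewall rule that goes with this layout (stated as an assumption,
# not httpd syntax): allow TCP 8009 to the Tomcat hosts from this proxy's
# address only, and nothing from the DMZ to the database tier.
```

`apachectl configtest` checks the syntax before a reload. Form authentication and authorization stay in the web applications; the proxy only decides which requests reach them.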



RE: Why use a Web Server over Tomcat?

Posted by Bárbara Vieira <ba...@di.uminho.pt>.
Diego and Kristian,
I understand your perspective. But my question is about security. Why do
bank systems use an IIS Server instead of an Apache Server over a Tomcat
Server (or some servlet container), if those systems authenticate the client
using servlet technology or some technology supplied by some servlet
container like Tomcat?

I understand the fact that systems use a Web Server over another to serve
static content. But if in my application all content is closed, i.e., every
client that wants to accede to that content must be authenticated and that
authentication is controlled by Tomcat, should I have some Web Server over
Tomcat? I think that if I have an Apache Server over Tomcat, it causes an
overhead, because all requests sent to Apache must be sent on to Tomcat.

Regards,
Bárbara Vieira


 

-----Original Message-----
From: Diego [mailto:diegoy@gmail.com] 
Sent: Tuesday, 8 January 2008 12:06
To: Tomcat Users List
Subject: Re: Why use a Web Server over Tomcat?

Review the list archives for the disproof of this myth.  Tomcat 5.0 and
above are quite capable of serving static content, efficiently enough that
you'll saturate your network connection long before you saturate disk,
memory or CPU.

So unless you have one of the situations like those described by Kristian,
like having other technologies like PHP, you don't have to make load balance
with Apache 2.

It's way better to make a load balance with several Tomcats since you can
make a load balance of your dynamic content too.

On Jan 8, 2008 9:56 AM, Peter Crowther <Pe...@melandra.com> wrote:

> > From: Kristian Rink [mailto:kristian@zimmer428.net]
> > Asides this, while tomcat and "friends" (servlet containers) are made
> > to serve up, well, J2EE web tier applications, web servers like
> > apache2, lighttpd, ... are usually better at serving "static" content
> > (images, static css files, html documents that don't contain any
> > logic, ...).
>
> Review the list archives for the disproof of this myth.  Tomcat 5.0 and
> above are quite capable of serving static content, efficiently enough that
> you'll saturate your network connection long before you saturate disk,
> memory or CPU.
>
>                - Peter


-- 
Diego




Re: Why use a Web Server over Tomcat?

Posted by Diego <di...@gmail.com>.
Review the list archives for the disproof of this myth.  Tomcat 5.0 and
above are quite capable of serving static content, efficiently enough that
you'll saturate your network connection long before you saturate disk,
memory or CPU.

So unless you have one of the situations like those described by Kristian,
like having other technologies like PHP, you don't have to make load balance
with Apache 2.

It's way better to make a load balance with several Tomcats since you can
make a load balance of your dynamic content too.

On Jan 8, 2008 9:56 AM, Peter Crowther <Pe...@melandra.com> wrote:

> > From: Kristian Rink [mailto:kristian@zimmer428.net]
> > Asides this, while tomcat and "friends" (servlet containers) are made
> > to serve up, well, J2EE web tier applications, web servers like
> > apache2, lighttpd, ... are usually better at serving "static" content
> > (images, static css files, html documents that don't contain any
> > logic, ...).
>
> Review the list archives for the disproof of this myth.  Tomcat 5.0 and
> above are quite capable of serving static content, efficiently enough that
> you'll saturate your network connection long before you saturate disk,
> memory or CPU.
>
>                - Peter


-- 
Diego

RE: Why use a Web Server over Tomcat?

Posted by Peter Crowther <Pe...@melandra.com>.
> From: Kristian Rink [mailto:kristian@zimmer428.net]
> Asides this, while tomcat and "friends" (servlet containers) are made
> to serve up, well, J2EE web tier applications, web servers like
> apache2, lighttpd, ... are usually better at serving "static" content
> (images, static css files, html documents that don't contain any
> logic, ...).

Review the list archives for the disproof of this myth.  Tomcat 5.0 and above are quite capable of serving static content, efficiently enough that you'll saturate your network connection long before you saturate disk, memory or CPU.

                - Peter



Re: Why use a Web Server over Tomcat?

Posted by Kristian Rink <kr...@zimmer428.net>.
Bárbara,

On Tue, 8 Jan 2008 11:13:34 -0000,
Bárbara Vieira <ba...@di.uminho.pt> wrote:
[...]
> Why that’s happen? Why we have a Web Server over another Web Server,
> if the low-level Web Server is capable to do everything alone?

To give you an example: We do use a set of tomcat machines (four nodes,
currently) to carry our "enterprise" application, having an apache web
server in front of those to do load balancing / failover clustering.
Aside from this, while tomcat and "friends" (servlet containers) are made
to serve up, well, J2EE web tier applications, web servers like
apache2, lighttpd, ... are usually better at serving "static" content
(images, static css files, html documents that don't contain any
logic, ...). And, to add another point: Maybe your choice of technology
is not limited to J(2)EE but also does include PHP, Python, Perl (be
that in applications of your own and/or in some content management
system to serve your company web site); this is what you usually want
to have a "non-J2EE" web server for. :)

Cheers,
Kristian


-- 
Kristian Rink * http://zimmer428.net * http://flickr.com/photos/z428/
jab: kawazu@jabber.ccc.de * icq: 48874445 * fon: ++49 176 2447 2771
"One dreaming alone, it will be only a dream; many dreaming together
is the beginning of a new reality." (Hundertwasser)
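
The arrangement described in this thread (an apache2 reverse proxy in a DMZ segment, load balancing with failover across four Tomcat nodes on the internal LAN) could be expressed in httpd configuration as follows. This is an added example, not part of any post in the thread and not anyone's actual configuration; the host name, addresses, certificate paths, the /app path and the route names are constructed placeholders.

```apache
# Added example: Apache httpd (2.2 or later) in the DMZ, fronting four Tomcat
# nodes. Needs mod_ssl, mod_proxy, mod_proxy_http and mod_proxy_balancer
# (httpd 2.4 additionally needs mod_lbmethod_byrequests and mod_slotmem_shm).
# All names, addresses and paths below are constructed placeholders.

<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/placeholder/server.crt
    SSLCertificateKeyFile /etc/httpd/placeholder/server.key

    # Reverse proxy only. With ProxyRequests Off httpd never acts as a
    # forward proxy that outside clients could use to reach other LAN hosts.
    ProxyRequests Off

    # The four Tomcat nodes. Each route value must equal the jvmRoute
    # attribute of the <Engine> element in that node's server.xml, so that
    # the suffix Tomcat appends to the session id identifies the node.
    <Proxy balancer://tomcats>
        BalancerMember http://10.0.0.11:8080 route=node1
        BalancerMember http://10.0.0.12:8080 route=node2
        BalancerMember http://10.0.0.13:8080 route=node3
        BalancerMember http://10.0.0.14:8080 route=node4
        # Keep a logged-in session on the node that created it. If that
        # node stops answering, the request fails over to another member.
        ProxySet stickysession=JSESSIONID|jsessionid
    </Proxy>

    # Only the application context is forwarded. Anything else on the
    # Tomcat nodes (manager application, other contexts, other ports) is
    # not reachable through this host.
    ProxyPass        /app balancer://tomcats/app
    ProxyPassReverse /app balancer://tomcats/app
</VirtualHost>

# The other half of the isolation is outside httpd: the firewall between the
# DMZ and the LAN should allow port 8080 on the Tomcat nodes only from this
# proxy host, so the nodes cannot be reached directly from the internet.
```

With this layout Tomcat still performs the form authentication and authorization. The proxy contributes network separation and failover, not a second login layer.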
