Return-Path: 
 <tomcat-user-return-82514-apmail-jakarta-tomcat-user-archive=jakarta.apache.org@jakarta.apache.org>
Delivered-To: apmail-jakarta-tomcat-user-archive@www.apache.org
Received: (qmail 97391 invoked from network); 3 Nov 2003 16:48:05 -0000
Received: from daedalus.apache.org (HELO mail.apache.org) (208.185.179.12)
  by minotaur-2.apache.org with SMTP; 3 Nov 2003 16:48:05 -0000
Received: (qmail 13901 invoked by uid 500); 3 Nov 2003 16:47:39 -0000
Delivered-To: apmail-jakarta-tomcat-user-archive@jakarta.apache.org
Received: (qmail 13875 invoked by uid 500); 3 Nov 2003 16:47:39 -0000
Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
List-Unsubscribe: <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
List-Subscribe: <mailto:tomcat-user-subscribe@jakarta.apache.org>
List-Help: <mailto:tomcat-user-help@jakarta.apache.org>
List-Post: <mailto:tomcat-user@jakarta.apache.org>
List-Id: "Tomcat Users List" <tomcat-user.jakarta.apache.org>
Reply-To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Delivered-To: mailing list tomcat-user@jakarta.apache.org
Received: (qmail 13862 invoked from network); 3 Nov 2003 16:47:39 -0000
Received: from unknown (HELO sid.armstrong.com) (204.74.20.252)
  by daedalus.apache.org with SMTP; 3 Nov 2003 16:47:39 -0000
Received: from joedog.org (fnord.armstrong.com [204.74.20.14])
	by sid.armstrong.com (8.12.8p1/8.12.8) with ESMTP id hA3GbOC0023392
	for <tomcat-user@jakarta.apache.org>; Mon, 3 Nov 2003 11:37:24 -0500
Message-ID: <3FA686AD.7090804@joedog.org>
Date: Mon, 03 Nov 2003 11:47:41 -0500
From: Tim Funk <funkman@joedog.org>
Organization: Human being
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
 rv:1.4) Gecko/20030624
X-Accept-Language: en-us, en, es-mx, de, sv
MIME-Version: 1.0
To: Tomcat Users List <tomcat-user@jakarta.apache.org>
Subject: Re: Deploying TOMCAT on live production server
References: <Sea1-DAV34VUNfv7W120000c4c9@hotmail.com>
In-Reply-To: <Sea1-DAV34VUNfv7W120000c4c9@hotmail.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N
X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N

It depends. One would argue that tomcat by itself is more secure because
1) Its only one thing to defend
2) Don't need to worry about any apache exploits

OTOH
1) Apache has been hardened - its exploits are rare and when exposed are 
quickly fixed. (Tomcat's eploits are also quickly fixed too)
2) Apache can act as a barrier to prevent exploits from happening in tomcat 
(or exploits written into webapps)

IOW, different strokes for different folks.

-Tim

Steve Jenkins wrote:

> Thanks to one and all for their responses, particularly for the URL:
> http://jakarta.apache.org/tomcat/faq/connectors.html#integrate
> My final question is - is deploying TOMCAT on its' own secure enough? Or is
> deploying just Apache secure enough?



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org