tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Markus Schönhaber <>
Subject Re: Securing Tomcat Article for Review
Date Tue, 09 Jan 2007 17:12:51 GMT
Christopher Schultz wrote:

> Leon Rosenberg wrote:
> > Also by using apache in front of tomcat you rather loose[sic]
> > security than gain it. At least this is my personal opinion :-)
> Would you care to defend that argument? 

You defend it yourself in the next paragraph you've written.

> One could argue that more moving parts equals more complexity, and that
> complexity is an enemy of security (and I agree). However, there must be
> a balance. If good security requires layers, and each layer adds more
> complexity, then there is a paradox.


> I would argue that Apache httpd is quite mature and is trustworthy.
> Sure, you're not likely to run into a buffer overflow bug in Tomcat, but
> a bad configuration can open any server to attack. Is a bad Tomcat
> configuration alone any better than a bad Tomcat configuration sitting
> behind Apache httpd?

IMO you're missing the point. If your Tomcat configuration is "bad" then what 
I would consider the right measure to be taken is change the Tomcat 
configuration so that it becomes "good". I wouldn't consider it a wise idea 
to put a httpd in front of a badly configured Tomcat and thereby hope to 
improve things.
httpd may be mature and trustworthy but whether it's "secure" largely depends 
on how skillful and careful httpd's configuration is crafted. And if someone 
isn't able to build a "good" configuration for Tomcat, I doubt that he'll be 
able to come up with really, really "good" configuration for httpd, this way 
compensating the former with the latter .

Anyway: AFAIR (can't reach atm) the Article mentions putting httpd 
in front of Tomcat as one means among others to work around the fact that on 
Unix-like systems Tomcat alone can't bind to port 80 if running under a 
restricted account.
No question, this is one possible solution. But whether or not it's the right 
solution to chose is a entirely different question.
If someone asks: "I've a server running Tomcat. Tomcat is all I need and it's 
working fine. The only thing that bugs me is: How can I make Tomcat 
accessible via port 80 without running it as root?"
In this case answering "Easy! Just install httpd, install mod_jk, configure 
httpd, configure mod_jk, configure Tomcat to accept requests via AJP and 
voilá, you're set", I would call completely brain-dead.
OTOH: in an environment where there's already an httpd installed that can't be 
replaced by Tomcat, using this httpd as a frontend to Tomcat might be exactly 
the way to go.
Maybe the article could provide some hints on how to decide which of the 
possible solutions might be the best for a given circumstance.


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message