tomcat-users mailing list archives

From Markus Schönhaber <>
Subject Re: Securing Tomcat Article for Review
Date Tue, 09 Jan 2007 23:35:51 GMT
Gregor Schneider wrote:

> On 1/9/07, Markus Schönhaber <> wrote:
> > Did you read the article that is subject to this thread?
> yep
> > I don't think I understand how your post relates to mine.
> My post relates to yours and to some other posts here in that sense
> that you (and others) stated that putting apache httpd in front of
> tomcat would decrease security.

Wrong. I never stated that an httpd in front of Tomcat would *always* decrease 
security. Please read again what I wrote.
Indeed, I do think that putting an httpd in front of Tomcat *without need* is 
dumb, needlessly adds a level of complexity to the system and potentially 
decreases the overall security of the system.
OTOH there are very good reasons to use a httpd-Tomcat combination. Alas, 
the "only reason" there "usually" is, as you said, I wouldn't count amongst 
the good reasons. Tomcat serves static content just fine. In combination with 
APR even finer. I've never seen it necessary to use httpd just because of 
static content. I've read this claim ("httpd is superior for static content") 
many times, but I've never seen the one making that claim also providing 
facts that back up its truth. Of course, YMMV.
Top of *my* list of good reasons for using httpd and Tomcat together is a 
httpd that acts as load-balancer for multiple Tomcat instances.
Second comes the httpd that's already there and isn't going away. This one 
obviously is already part of the system's complexity and therefore won't add 
to it.

> that's definitely not the case.

"Definitely"? Hm, again such an absolute claim of yours for which you provide 
no facts to back it up.

> when reading those posts, somebody 
> might think that putting apache in front might even break security.

And he might think right. If you're adding complexity to the system you should 
be aware that there's the need to add even more sensible care to the system. 
If you fail to do that, the overall security will very probably be lower. As 
I see it, the chain of security is just as strong as its weakest link.
Likewise a httpd that is configured perfectly securely won't help if the Tomcat 
it handles requests to can be bugged into starting a root shell.

> since it's a real-world scenario having apache httpd in front of
> tomcat, I'm just saying that nobody should worry about this
> combination.

My point is: one should worry about every piece of software installed. Even 
more so if it is accessible from an untrusted network. The more software, the 
more there is to worry about.

> however, to make it clear: you are right, putting apache in front TO
> IMPROVE SECURITY doesn't make sense.

OK, at least wrt this point we see things the same way.

> OTOH, I'd rather have apache in 
> front than running tomcat on port 80 via jsvc or as a service.

I'd like to repeat Chuck's question: why?
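The httpd-as-load-balancer arrangement Markus names as his top good reason for pairing httpd with Tomcat, shown here as an added configuration example that is not part of this thread or of either project's documentation. It uses mod_proxy_balancer over AJP (httpd 2.2 era, matching the date of the message); the module paths, ports, route names and the /app path are assumptions. Each Tomcat AJP connector is assumed to be bound to loopback so the Tomcat instances are reachable only through httpd, which is the kind of extra care he says added complexity demands.

```apache
# Added example (not from the thread): httpd 2.2 load-balancing two Tomcat
# instances over AJP. Module paths, ports, routes and /app are assumed.
LoadModule proxy_module          modules/mod_proxy.so
LoadModule proxy_ajp_module      modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

# Never act as an open forward proxy; only the explicit ProxyPass below applies.
ProxyRequests Off

# Both Tomcat AJP connectors are assumed to listen on loopback only
# (address="127.0.0.1" on the <Connector> in server.xml), so the Tomcats
# are reachable solely through this httpd.
<Proxy balancer://tomcats>
    BalancerMember ajp://127.0.0.1:8009 route=tomcat1
    BalancerMember ajp://127.0.0.1:8010 route=tomcat2
    # route= must match each instance's Engine jvmRoute so sessions stick
    ProxySet stickysession=JSESSIONID|jsessionid
</Proxy>

ProxyPass        /app balancer://tomcats/app
ProxyPassReverse /app balancer://tomcats/app

# The balancer-manager can change routing at runtime; keep it off the
# untrusted network (restricted to localhost here).
<Location /balancer-manager>
    SetHandler balancer-manager
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
```

On each Tomcat, the matching settings are jvmRoute="tomcat1" (or "tomcat2") on the <Engine>, address="127.0.0.1" on the AJP <Connector>, and, if nothing else needs it, the HTTP connector on 8080 commented out, so that the only listener reachable from outside is the httpd in front. Each of those is a piece of configuration to review and keep reviewed; that is the added complexity the message is talking about.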

