tomcat-users mailing list archives

From Markus Schönhaber <>
Subject Re: Securing Tomcat Article for Review
Date Wed, 10 Jan 2007 00:17:48 GMT
Christopher Schultz wrote:

> Markus Schönhaber wrote:
> > You defend it yourself in the next paragraph you've written.
> >
> >> One could argue that more moving parts equals more complexity, and that
> >> complexity is an enemy of security (and I agree). However, there must be
> >> a balance. If good security requires layers, and each layer adds more
> >> complexity, then there is a paradox.
> >
> > Exactly.
> I believe I raised a question, rather than defending a point.

Hm. In this case, I obviously missed your point - and I didn't understand your 
question either.

> I'm suggesting that things are more complicated than the sound bites that
> some people like to drop.
> I would appreciate my FUD to come with a side order of empirical
> evidence. For instance, if Leon had said "I've had bad security
> experiences with Apache httpd", well, then at least he would have
> actually been making a statement.

OK, we can agree on that.
I also consider absolute statements like "Don't install httpd! It will always 
breach the system's security!" as useless as statements like "You know 
nothing about httpd? Pah! Just go ahead and install it. There's absolutely 
nothing to worry about."

> I would just urge posters to the list to post something more than
> "product X sucks" or "". I hate having wasted my time to read a message
> that does not move the dialog forward (not that I'm saying that Leon's
> message was a waste of time). Let's all endeavor to provide proper
> context and be precise in what message we are trying to communicate.
> Leon's message says flat out that adding Apache httpd reduces security,
> and provides no basis for that statement. A more appropriate statement
> might have been that Apache does not add any appreciable measure of
> security as Tomcat provides the same kinds of protections against
> unauthorized access, etc.

True. Nevertheless, Leon has elaborated what he meant to say in his answer to 
your post (the one I'm also replying to atm). And the opinion he expresses 
there is quite similar to mine.

To repeat once again: I'm not bashing httpd, Tomcat, IIS or whatever. I'm 
simply saying: if there is a good reason to install a particular piece of 
software, go ahead, install it *and* take care of it. If you don't see this 
good reason, don't install it.
And I consider installing httpd *only* to make Tomcat accessible via port 80 
not a good reason. I consider this plain dumb.