tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Leon Rosenberg" <rosenberg.l...@googlemail.com>
Subject Re: Securing Tomcat Article for Review
Date Tue, 09 Jan 2007 21:04:36 GMT
On 1/9/07, Christopher Schultz <chris@christopherschultz.net> wrote:

> Leon's message says flat out that adding Apache httpd reduces security,
> and provides no basis for that statement. A more appropriate statement
> might have been that Apache does not add any appreciable measure of
> security as Tomcat provides the same kinds of protections against
> unauthorized access, etc.

Allow to explain this. As other posters already explained puting a
httpd in front of tomcat doesn't increase security. The only way it
could increase it, would be if it could handle known security issues
and protects the tomcat from the usage of such exploits. Personally I
don't know of any, and even I did, I would doubt that putting httpd in
front would be the best solution, or that httpd can protect something
better than a firewall, which is actually desinged to protect. Httpd
is not.
Can we agree that httpd doesn't increase security now?

Now, moving on, if httpd doesn't increase security, it has a) zero
impact or b) decreases it.

As for option a) (despite I don't believe it) even if it would have
zero effect, there is always a possibility for human factor
(mistakenly released configs or something). So even with the option a)
the solely presence of httpd wouldn't reduce security, it's presence
would give more opportunity for the human to fail, and therefor reduce
security indirectly.

As for option b): httpd is a lot of code. Any contains bugs. So
chances are good that httpd will add own bugs to the existing tomcat
bugs without hiding some of them. So the overall bug count will
increase therefor increasing the number of possbile security-relevant
bugs. Therefore decreased security.

q.e.d :-)

However, puting a firewall in front of any webserver to protect it the
host and the server from attacks he can't deal with, seems a very good
idea to me :-)

best regards
Leon

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message