tomcat-users mailing list archives

From "Leon Rosenberg" <rosenberg.l...@googlemail.com>
Subject Re: Securing Tomcat Article for Review
Date Wed, 10 Jan 2007 11:04:52 GMT
On 1/10/07, Gregor Schneider <rc46fi@googlemail.com> wrote:
> Hi Leon,
>
> On 1/10/07, Leon Rosenberg <rosenberg.leon@googlemail.com> wrote:
> > > In *our* scenario I rather have Apache http in front because
> > >
> > > - it performs better
> >
> > What?
> > You can argue that httpd doesn't decrease security, but talking about
> > it being fast??? Come on, you're kidding :-)
> >
> Sorry, but I don't get you here: How does speed relate to security? Could
> you pls explain what you mean here?

Aehm,
the original thread was about security, and now you wrote "performs"
better, which I assumed referred to "performance". If not - my fault
:-)

>
> > Could you explain this a little more? How can it be that if you write
> > out something from memory it's slower than ask the filesystem which
> > could eventually have it in cache and be comparably fast in _best_
> > case?
> >
> Simple:
> Since our static html doesn't change too often, we could reach
> significant performance-optimizations with optimized headers telling
> the client how to cache.
> Well, and mod_headers did a better job regarding performance than
> using plain Tomcat with a filter modifying the headers of static html.
> >
> > Or do you use DefaultServlet???
> >
> Now you must be kidding ;)

Do you hold the content of the pages in memory and stream them out
from your servlet?
Maybe I'm getting it completely wrong, but imo your servlet is a 3
liner (simplified version):
doGet(req,res){
  res.setHeader(....);
  res.getOutputStream().write(Cache.getFileContent(getFileName(req)));
  res.getOutputStream().close();
}

> >
> > Also, if you care about static performance so much, why don't you use
> > something fast? lighttpd? squid? I mean it's not a secret that apache
> > httpd is NOT fast.
> >
> I can't explain our whole web-app in detail here, just that much:
> We've developed our own SSO-procedure (since the whole web-app
> contains protected content served over SSL to authenticated users
> only). It was just easier for us to use the combination of Apache
> httpd and Tomcat since there's quite some stuff available.
> Since now the performance meets our expectations, there's no need to
> use other web-servers like squid.
> Besides, we got quite some knowledge regarding Apache here, so why
> should we dump that (a matter of cost)?

That's an argument I'm buying :-)

>
> Cheers
>
> Greg

regards
Leon
