tomcat-users mailing list archives

From "Leon Rosenberg" <>
Subject Re: Securing Tomcat Article for Review
Date Wed, 10 Jan 2007 12:24:20 GMT
On 1/10/07, Gregor Schneider <> wrote:
> Hi Leon,
> On 1/10/07, Leon Rosenberg <> wrote:
> >
> > Aehm,
> > the original thread was about security, and now you wrote "performs"
> > better, which I assumed referred to "performance". If not - my fault
> > :-)
> >
> Well, we moved kinda off-topic here, so you got me right.

kind of :-)

> What I actually wanted to say was:
> - I absolutely agree to Markus who said
> * don't use software if there's no need for it
> * don't try to use Apache httpd to enhance Tomcat's security
> However, I just wanted to emphasize that Apache/httpd / Tomcat is
> quite a common real-world-scenario and due to this nobody should worry
> that Apache httpd is BREAKING Tomcat's security AS LONG AS YOU KNOW YOUR
> After that, I was asked why use Apache httpd anyway, and I tried to
> explain why (because *here* it performs faster)

Actually, on my private server I do use an apache in front of 3
webcontainers (2 of them resin, one tomcat), but I have my reasons :-)
Mainly because I wanted all three to be accessible at port 80. And
because my sysadmin knows how to configure httpd, but not tomcat, and
his rates are lower than mine are, so it's effectively cheaper :-)
So I'm not saying (and wasn't saying either) that there are NO REASONS
to run apache httpd with tomcat, but if you remember how this thread
started, the author of the article and OP suggested in his article to
put an apache / iis in front of tomcat to INCREASE security, and this
was imo a false thought.
I think we both now can agree that there are millions of absolutely
valid reasons to run a httpd-tomcat combination, but that security
isn't among them :-)

> > >
> >
> > Do you hold the content of the pages in memory and stream them out
> > from your servlet?
> > Maybe I'm getting it completely wrong, but imo your servlet is a 3
> > liner (simplified version):
> > protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
> >   res.setHeader(....);   // whatever headers the filter would otherwise set
> >   res.getOutputStream().write(Cache.getFileContent(getFileName(req)));
> >   res.getOutputStream().close();
> > }
> >
> Due to the number of our html/js-files we cannot hold them completely
> in memory. With the principle of the filter you're right.
> We tested this version (Tomcat/HeaderFilter) against
> Apache/mod_headers, and Apache simply performed faster

hmm, haven't you said you have 300.000 files? I don't know how large
your files actually are, but assuming 100K, a fairly large size, you'll
need ~30 Gb of RAM to cache them all. Now a machine with 32 Gb of RAM
is pretty cheap nowadays, so why not cache them?

> >
> > That's an argument I'm buying :-)
> >
> I know, this is a Tomcat mailing-list here, and I shouted "Jehova",
> but guys, believe me, sometimes it's quite enlightening taking a look
> over the fence ;)
> Cheers
> greg
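The three-line servlet sketched in the quoted exchange, filled out as an added example (not code from either poster, nor from Tomcat): it keeps the cache bounded, since a set of 300.000 files will not fit in memory, and only serves files that resolve under a fixed base directory. The base directory path, the entry limit and the Cache-Control value are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CachedStaticServlet extends HttpServlet {
    // Assumed base directory; a real deployment would read it from an init-param.
    private static final Path BASE_DIR = Paths.get("/var/www/static").toAbsolutePath().normalize();
    // Bound the cache: with 300.000 files the whole set will not fit, so keep the hot ones.
    private static final int MAX_ENTRIES = 10_000;

    // Access-ordered LinkedHashMap: the least recently used file is evicted when full.
    private final Map<Path, byte[]> cache = Collections.synchronizedMap(
        new LinkedHashMap<Path, byte[]>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<Path, byte[]> eldest) {
                return size() > MAX_ENTRIES;
            }
        });

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
        // Resolve the request path under BASE_DIR and refuse anything that normalizes
        // outside it, so the cache can only ever hand out files from that directory.
        String info = req.getPathInfo();
        Path file = BASE_DIR.resolve(info == null ? "" : info.substring(1)).normalize();
        if (!file.startsWith(BASE_DIR) || !Files.isRegularFile(file)) {
            res.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        byte[] body = cache.get(file);
        if (body == null) {
            body = Files.readAllBytes(file);   // read once, then serve from memory
            cache.put(file, body);
        }
        // The headers that mod_headers would otherwise add in front of Tomcat.
        String mime = getServletContext().getMimeType(file.getFileName().toString());
        if (mime != null) res.setContentType(mime);
        res.setHeader("Cache-Control", "public, max-age=3600");
        res.setContentLength(body.length);
        res.getOutputStream().write(body);
    }
}
```

Map the servlet to a wildcard pattern such as `/static/*` so that `getPathInfo()` carries the file's relative path.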
