tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Securing Tomcat Article for Review
Date Tue, 09 Jan 2007 16:20:12 GMT

Leon,

Leon Rosenberg wrote:
> Also by using apache in front of tomcat you rather loose[sic]
> security than gain it. At least this is my personal opinion :-)

Would you care to defend that argument? Security in layers is typically
an advantage.

One could argue that more moving parts equals more complexity, and that
complexity is an enemy of security (and I agree). However, there must be
a balance. If good security requires layers, and each layer adds more
complexity, then there is a paradox.

I would argue that Apache httpd is quite mature and is trustworthy.
Sure, you're not likely to run into a buffer overflow bug in Tomcat, but
a bad configuration can open any server to attack. Is a bad Tomcat
configuration alone any better than a bad Tomcat configuration sitting
behind Apache httpd?

-chris