tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Securing Tomcat Article for Review
Date Tue, 09 Jan 2007 19:58:56 GMT
Darren,

Darren wrote:
> I think the 'running on port 80' section needs some rewording as I'm not
> advocating that putting IIS or apache in front of your tomcat
> installation will make it any more secure.  As a sysadmin you may be
> asked to serve tomcat based pages on port 80 so it is presenting the
> options without bias towards any of them.  Perhaps I need to add some
> bias, from a security perspective, to prevent misunderstanding ...

Perhaps you should have a section on "related questions". You could
include a discussion of the reasons why Tomcat cannot bind to port 80 on
many operating systems, and what options are available. It is good for
admins to understand that it's not the fault of Tomcat or Java; it's the
OS's restriction on user rights. Apache httpd has the exact same
restrictions, although it comes with the capability to start up as root
and then drop privileges. I don't believe the same is true for Tomcat.

If security concerns are something to be raised for a particular option
(for instance, use of some well-known bad version of a web server), then
you should definitely point those out.

One thing that you should mention is that running Tomcat (or any other
service for that matter) as root is probably not the best answer.
Encourage your readers to consider other options such as jsvc, Apache,
IIS or whatever.

- -chris


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org