From Christopher Schultz <>
Subject Re: Securing Tomcat Article for Review
Date Tue, 09 Jan 2007 19:58:56 GMT

Darren wrote:
> I think the 'running on port 80' section needs some rewording as I'm not
> advocating that putting IIS or apache in front of your tomcat
> installation will make it any more secure.  As a sysadmin you may be
> asked to serve tomcat based pages on port 80 so it is presenting the
> options without bias towards any of them.  Perhaps I need to add some
> bias, from a security perspective, to prevent misunderstanding ...

Perhaps you should have a section on "related questions". You could
include a discussion of the reasons why Tomcat cannot bind to port 80 on
many operating systems, and what options are available. It is good for
admins to understand that it's not the fault of Tomcat or Java; it's the
OS's restriction on user rights. Apache httpd has the exact same
restrictions, although it comes with the capability to start up as root
and then drop privileges. I don't believe the same is true for Tomcat.

If security concerns are something to be raised for a particular option
(for instance, use of some well-known bad version of a web server), then
you should definitely point those out.

One thing that you should mention is that running Tomcat (or any other
service for that matter) as root is probably not the best answer.
Encourage your readers to consider other options such as jsvc, Apache,
IIS or whatever.

-chris
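The two mechanisms the reply touches on, the OS refusing a port below 1024 to a non-root process and a daemon binding as root before dropping to an unprivileged account (what httpd and jsvc do on Unix), as an added example that is not part of this thread and is not Tomcat's, httpd's or jsvc's own code. It assumes a Unix-like host, the conventional 1024 privileged-port boundary, and a target account name supplied by the caller; the `bind_then_drop` sequence only runs when started as root.

```python
"""Privileged-port binding and privilege dropping on a Unix host.

Added illustration, not code from the mailing-list thread or from Tomcat,
httpd or jsvc. It shows the pattern those daemons use: bind the listening
socket while still root, then switch to an unprivileged account before
serving anything. Run as a normal user the privileged bind fails with
EACCES, which is the OS restriction the reply describes, not a Java or
Tomcat limitation.
"""
import errno
import os
import pwd
import socket

# Assumption: the conventional Unix boundary; Linux can also grant
# CAP_NET_BIND_SERVICE instead of full root, Windows has no such rule.
PRIVILEGED_PORT_LIMIT = 1024


def is_privileged_port(port: int) -> bool:
    """True for ports an unprivileged process cannot bind on a Unix host."""
    return 0 < port < PRIVILEGED_PORT_LIMIT


def running_as_root() -> bool:
    """Whether the current process has the rights needed for a privileged bind."""
    return os.geteuid() == 0


def try_bind(port: int) -> str:
    """Attempt to bind a TCP socket to `port` on all interfaces, then release it.

    Returns "bound" on success, otherwise the errno name: "EACCES" when the
    OS refuses a privileged port to a non-root process, "EADDRINUSE" when
    another process already owns the port.
    """
    sock = None
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(("", port))
        return "bound"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        if sock is not None:
            sock.close()


def drop_privileges(username: str) -> dict:
    """Switch the process from root to `username` (the httpd/jsvc pattern).

    Order matters: supplementary groups first, then the primary gid, then the
    uid, because once the uid is unprivileged the groups can no longer change.
    Returns the effective ids after the switch so the caller can verify them.
    """
    if not running_as_root():
        raise PermissionError("only root can drop privileges to another account")
    entry = pwd.getpwnam(username)
    os.initgroups(username, entry.pw_gid)
    os.setgid(entry.pw_gid)
    os.setuid(entry.pw_uid)
    # Belt-and-braces check that the switch really took effect.
    if os.geteuid() != entry.pw_uid or os.getegid() != entry.pw_gid:
        raise RuntimeError("privilege drop did not take effect")
    return {"uid": os.geteuid(), "gid": os.getegid()}


def bind_then_drop(port: int, username: str) -> dict:
    """Bind a privileged port as root, then continue as `username`.

    The returned socket keeps listening on the privileged port even though the
    process can no longer bind new privileged ports: that is the whole point.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    sock.listen(16)
    ids = drop_privileges(username)
    # Everything from here on runs without root.
    return {"listening_on": sock.getsockname()[1], "ids": ids, "socket": sock}


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 80
    print(f"port {port} privileged: {is_privileged_port(port)}")
    print(f"bind result as uid {os.geteuid()}: {try_bind(port)}")
    if running_as_root() and len(sys.argv) > 2:
        state = bind_then_drop(port, sys.argv[2])
        print(f"listening on {state['listening_on']} as {state['ids']}")
        other = 81 if port != 81 else 82
        print(f"privileged bind after the drop (port {other}): {try_bind(other)}")
```

Run it as an ordinary user with `python3 bind_drop.py 80` to see the EACCES the OS returns, and as root with `python3 bind_drop.py 80 nobody` to watch the socket stay open on port 80 while a fresh privileged bind is refused once the uid has changed.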
