tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Miehs <>
Subject Re: Securing Tomcat Article for Review
Date Tue, 09 Jan 2007 16:41:16 GMT
On 09/01/2007, at 5:20 PM, Christopher Schultz wrote:

> Leon Rosenberg wrote:
>> Also by using apache in front of tomcat you rather loose[sic]
>> security than gain it. At least this is my personal opinion :-)
> Would you care to defend that argument? Security in layers is  
> typically
> an advantage.
> One could argue that more moving parts equals more complexity, and  
> that
> complexity is an enemy of security (and I agree). However, there  
> must be
> a balance. If good security requires layers, and each layer adds more
> complexity, then there is a paradox.

With Apache HTTPD you have the advantage of being able to do fine  
url/ IP access control.

It also brings with it however all the bugs that are in Apache HTTPD.

What are your trying to protect by adding in Apache HTTPD?
   The IP Stack ? - Nope kernel issue - have this problem with both...
   Tomcats connection handling ? Nope - not protected as mod_proxy  
and mod_jk
       blindly forward all traffic towards the backend tomcat.

So unless you want protect certain paths, hiding tomcat behind an apache
will not bring any security benefits.



To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message