tomcat-users mailing list archives

From Andrew Miehs <and...@2sheds.de>
Subject Re: Securing Tomcat Article for Review
Date Tue, 09 Jan 2007 16:41:16 GMT
On 09/01/2007, at 5:20 PM, Christopher Schultz wrote:

> Leon Rosenberg wrote:
>> Also by using apache in front of tomcat you rather loose[sic]
>> security than gain it. At least this is my personal opinion :-)
>
> Would you care to defend that argument? Security in layers is typically
> an advantage.
>
> One could argue that more moving parts equals more complexity, and that
> complexity is an enemy of security (and I agree). However, there must be
> a balance. If good security requires layers, and each layer adds more
> complexity, then there is a paradox.

With Apache HTTPD you have the advantage of being able to do fine-grained
URL/IP access control.

It also brings with it, however, all the bugs that are in Apache HTTPD.

What are you trying to protect by adding in Apache HTTPD?
   The IP stack? - Nope, kernel issue - have this problem with both...
   Tomcat's connection handling? Nope - not protected, as mod_proxy and mod_jk
       blindly forward all traffic towards the backend Tomcat.

So unless you want to protect certain paths, hiding Tomcat behind an Apache
will not bring any security benefits.

Regards

Andrew
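
The "fine-grained URL/IP access control" mentioned in the message above, sketched as an added example that is not part of the original thread. It uses Apache httpd 2.4 syntax with mod_proxy and mod_proxy_http; the host name, backend address and admin network are assumed values.

```apache
# Added illustration, not from the original message.
# Assumed values: Tomcat HTTP connector on 127.0.0.1:8080,
# admin network 192.0.2.0/24, site name app.example.org.

<VirtualHost *:80>
    ServerName app.example.org

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # Baseline: the application itself is open to everyone.
    <Location "/">
        Require all granted
    </Location>

    # Tomcat's management webapps: admin network only.
    # This section comes after <Location "/"> so that it is merged
    # later and its Require replaces the baseline for these paths.
    <LocationMatch "^/(manager|host-manager)(/|$)">
        Require ip 192.0.2.0/24
    </LocationMatch>

    # Everything that passes the checks above is forwarded as-is;
    # httpd does not inspect or sanitize the request for Tomcat.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The path rule only holds if clients cannot reach Tomcat directly, for example by binding the connector to the loopback interface with address="127.0.0.1" in server.xml.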



