tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gregor Schneider" <>
Subject Re: Securing Tomcat Article for Review
Date Wed, 10 Jan 2007 11:14:21 GMT
Hi Leon,

On 1/10/07, Leon Rosenberg <> wrote:
> Aehm,
> the original thread was about security, and now you wrote "performs"
> better, which I assumed referred to "performance". If not - my fault
> :-)
Well, we moved kinda of-topic here, sou you got me right.
What I actually wanted to say was:

- I absolutely agree to Markus who said
* don't use software if there's no need for it
* don't try to use Apache httpd to enhance Tomcat's security

However, I just wanted to emphesize that Apache/httpd / Tomcat is
quite a common real-world-scenario and due to this nobody should worry
that Apache httpd is BREAKING Tomcat's security AS LONG YOU KNOW YOUR
After that, I was asked why using Apache httpd anyways, and I tried to
explain why (because *here* it performs faster)
> >
> Do you hold the content of the pages in memory and stream them out
> from your servlet?
> Maybe I'm getting it completely wrong, but imo your servlet is a 3
> liner (simplified version):
> doGet(req,res){
>   res.setHeader(....);
>   res.getOutputStream().write(Cache.getFileContent(getFileName(req)));
>   res.getOutputStream().close();
> }
Due to the number of our html/js-files we cannot hold them completely
in memory. With the principle of the filter you're right.
We tested this version (Tomcat/HeaderFilter) against
Apache/mod_headers, and Apache simply performed faster
> That's an argument I'm buying :-)
I know, this is a Tomcat mailing-list here, and I shouted "Jehova",
but guys, believe me, sometimes it's quite enlightening taking a look
over the fence ;)


what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message