From: Christopher Schultz
Date: Tue, 09 Jan 2007 14:58:56 -0500
To: Tomcat Users List
Subject: Re: Securing Tomcat Article for Review
Message-ID: <45A3F400.9070501@christopherschultz.net>
In-Reply-To: <99993C13-6917-4FAE-A75B-36ACE3358A3E@googlemail.com>

Darren,

Darren wrote:
> I think the 'running on port 80' section needs some rewording as I'm not
> advocating that putting IIS or apache in front of your tomcat
> installation will make it any more secure. As a sysadmin you may be
> asked to serve tomcat based pages on port 80 so it is presenting the
> options without bias towards any of them. Perhaps I need to add some
> bias, from a security perspective, to prevent misunderstanding ...

Perhaps you should have a section on "related questions". You could
include a discussion of the reasons why Tomcat cannot bind to port 80 on
many operating systems, and what options are available. It is good for
admins to understand that it's not the fault of Tomcat or Java; it's the
OS's restriction on user rights.

Apache httpd has the exact same restrictions, although it comes with the
capability to start up as root and then drop privileges. I don't believe
the same is true for Tomcat.

If security concerns are something to be raised for a particular option
(for instance, use of some well-known bad version of a web server), then
you should definitely point those out.

One thing that you should mention is that running Tomcat (or any other
service for that matter) as root is probably not the best answer.
Encourage your readers to consider other options such as jsvc, Apache,
IIS or whatever.

-chris