From: Peter Stavrinides
Date: Thu, 26 Jul 2007 10:51:01 +0300
To: Tomcat Users List
Subject: Tomcat 5 and 6 Security advise

Hi all,

I need some advice with regard to Tomcat security. My company is not convinced about Tomcat's security; I work for a financial institution, so you might understand their paranoia.

My question is how best to secure a Java servlet that runs on Tomcat. Requests are routed through front end servers running Apache on separate physical machines. Should I configure in addition an Apache server locally, or is Tomcat okay without it? My feeling is that this is not necessary.

Tomcat uses a JDBC realm to connect to a database for authentication, we use SSL, and the machines are pretty well locked down. Is there anything else that should be considered? Does Apache offer something extra so that Tomcat should run with its own Apache web server, bearing in mind we use only Java?

Thanks for your help,
Peter