Answered on 08/05/2003, 11:00 AM Eastern.
If you want to address me, I suggest putting something in the subject line or sending me a message off-list.
A subject line of "why integrate with a web server" is a FAQ that I would normally ignore.
John
Nathan Ward wrote:
Hello John,
I hate to be pushy, but are you going to post a reply to this question at some point?
Nathan
----- Original Message ----- From: Nathan Ward To: [EMAIL PROTECTED] ; Tomcat Users List Sent: Monday, August 04, 2003 11:05 AM
Subject: Why integrate Tomcat with a web server?
I have a question for John Turner about a statement in the book Apache Tomcat Security.
Page 12 says: "As discussed earlier, running publicly available web services as root or superuser is typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web server on port 80 by integrating it with a standard HTTP web server such as Apache, Microsoft's IIS, or Sun Microsystem's iPlanet."
Question: Does this apply when running under Windows? The reference to "as discussed earlier" talks about running Tomcat as a service with more permissions than necessary. Windows defaults to running services as SYSTEM which has administrator privileges. Fine, but as also mentioned earlier, you can create a user account with less permissions and setup the service to run Tomcat under that account. So, how does the statement on page 12 relate to running Tomcat under windows, i.e. why run Tomcat with IIS rather than just run Tomcat? There may be performance reasons, but from a security point of view, is there increased security risks in running Tomcat without IIS when running as a service under Windows?
Nathan
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
