On Thu, 27 Mar 2003, Tiago Ferraz Machado wrote:

> Date: Thu, 27 Mar 2003 15:10:54 -0300
> From: Tiago Ferraz Machado <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Apache vs. Tomcat
>
> Hi,
>
> I know that, for a more secure environment, we should use Apache
> integrated with Tomcat. What I need is some kind of paper or web page
> explaining that.
>
> Does anyone know something like it?
>

I do not buy the underlying assumption that this is necessary strictly for
a "more secure environment".  It is quite feasible to set up a secure
Tomcat standalone environment (and, in fact, one could argue that this is
likely to be more secure because it's not written in C, and therefore not
vulnerable to the typical buffer overflow type attacks).

The most important security-related thing about Tomcat standalone is if
you need your app to run on a privileged port (<1024).  Right now, that
would mean having to run Tomcat as the root user, which is a very bad
thing, or you can set up some sort of port forwarding.

Note that I am *not* saying Apache is insecure -- it's not.  But you
should not make the assumption that Tomcat standalone is any *less* secure
without some sort of proof, and the reported security vulnerabilities
against the two (over the last few years) would lead you to the opposite
conclusion.

> Thanks,
>
> Tiago.
>

Craig
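
Added example, not part of the original message or of the Tomcat project: a shell sketch of the privileged-port point above. It lists the Connector ports in a server.xml that would force a root start, prints an iptables redirect for each, and checks a process listing for a Tomcat JVM owned by root. The sample server.xml, the function names and the N+8000 port mapping are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; the server.xml below is constructed sample input.
sample_server_xml() {
cat <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1"
               redirectPort="443" />
    <Connector protocol="HTTP/1.1" SSLEnabled="true"
               port="443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
  </Service>
</Server>
EOF
}

# Print every <Connector> port below 1024; binding these needs a root start.
# Limitation: Connectors inside XML comments are not excluded.
privileged_ports() {
    tr '\n' ' ' < "$1" |
        grep -o '<Connector[^>]*>' |
        sed -n 's/.*[[:space:]]port="\([0-9][0-9]*\)".*/\1/p' |
        awk '$1 < 1024'
}

# Print the NAT rule forwarding PUBLIC_PORT ($1) to unprivileged LOCAL_PORT ($2).
# PREROUTING only covers traffic arriving from other hosts.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$1" "$2"
}

# Read "USER ARGS..." lines (e.g. from `ps -eo user,args`) on stdin; succeed
# if a Tomcat JVM (main class org.apache.catalina.startup.Bootstrap) is root's.
runs_as_root() {
    awk '$1 == "root" && /org\.apache\.catalina\.startup\.Bootstrap/ { found = 1 }
         END { exit !found }'
}

# Assumption: move port N to N+8000 (80 -> 8080, 443 -> 8443).
audit() {
    for p in $(privileged_ports "$1"); do
        echo "Connector port $p needs root; listen on $((p + 8000)) and add:"
        redirect_rule "$p" "$((p + 8000))"
    done
}

f=$(mktemp) && sample_server_xml > "$f" && audit "$f"; rm -f "$f"
```

On a live host, `ps -eo user,args | runs_as_root` reports whether the running Tomcat JVM is owned by root.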
