I agree with Leon. That said, a service account with low privileges only gives filesystem protection; interesting data is usually stored in the database, and you won't be more protected against SQL injections or even against a modified JSP stored by the hacker (like in some old Struts vulnerabilities). If you can't buy a real WAF, you can still configure Apache with ModSecurity or even try the experimental Lua module (http://blog.river-tiger.com/cheapest-application-firewall), but don't expect high performance with it.
2015-02-25 23:32 GMT+01:00 Leon Rosenberg <rosenberg.l...@gmail.com>:
> Hello Jan,
>
> that would be better, yes. For example, some time ago there was a virus
> that would place a modified JSP in a webapp and try to access further data
> from it. If the user that Tomcat runs under had limited permissions,
> such malware would have less chance of actually doing something harmful.
> As for my personal opinion and 10++ years of experience with different
> Tomcat versions in production environments (attention, a flame war can start
> here), an Apache httpd in front of Tomcat does _not_ increase the security
> _at_all_.
> In fact I would argue that it adds its own buffer overflows and bugs to the
> bugs that could exist in Tomcat's code.
>
> regards
> Leon
>
>
> On Wed, Feb 25, 2015 at 11:13 PM, Jan Tosovsky <j.tosov...@email.cz> wrote:
>
>> Dear All,
>>
>> there are plenty of resources mentioning that it is a must to run Tomcat as a
>> dedicated user with limited permissions.
>>
>> Is it still true when Tomcat doesn't run standalone, but via the Apache web
>> server connected via AJP? That web server already runs in the restrictive
>> mode.
>>
>> Thanks, Jan
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> ---------------------------------------------------------------------
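The thread's point is that a dedicated low-privilege account only helps if that account cannot write where a dropped JSP would land. As an added example that is not part of the thread, this POSIX shell check reports whether the Tomcat service account could write into the directories it only needs to read (webapps/, conf/, lib/, bin/) under a given CATALINA_BASE. The user and group names and the base path are assumptions; it relies on GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (Linux).

# can_write USER "GROUPS" PATH: succeeds if USER could write PATH according
# to its owner, group and mode bits (owner bits if USER owns it, group bits
# if USER is in the owning group, otherwise the "other" bits).
can_write() {
    user=$1; grps=$2; path=$3
    [ "$user" = root ] && return 0            # root bypasses mode bits
    out=$(stat -c '%U %G %a' "$path" 2>/dev/null) || return 2
    set -- $out
    owner=$1; group=$2; mode=$3
    mode=$(printf '%s' "$mode" | tail -c 3)   # drop setuid/setgid/sticky digit
    if [ "$user" = "$owner" ]; then
        bit=$(printf '%s' "$mode" | cut -c1)
    else
        bit=$(printf '%s' "$mode" | cut -c3)
        for g in $grps; do
            [ "$g" = "$group" ] && bit=$(printf '%s' "$mode" | cut -c2)
        done
    fi
    [ $((bit & 2)) -ne 0 ]
}

# audit_tomcat USER "GROUPS" CATALINA_BASE: reports each directory Tomcat only
# needs to read; returns 1 if the service account could write any of them.
# (work/, temp/ and logs/ are expected to stay writable and are not checked.)
audit_tomcat() {
    user=$1; grps=$2; base=$3; bad=0
    for d in webapps conf lib bin; do
        [ -d "$base/$d" ] || continue
        if can_write "$user" "$grps" "$base/$d"; then
            echo "WRITABLE  $base/$d  (by $user)"; bad=1
        else
            echo "read-only $base/$d"
        fi
    done
    return $bad
}

# Usage: sh audit.sh <service user> "<its groups>" <CATALINA_BASE>
# e.g.   sh audit.sh tomcat "tomcat" /opt/tomcat      (assumed names)
if [ $# -eq 3 ]; then audit_tomcat "$1" "$2" "$3"; fi
```

If you rely on autoDeploy or the manager application, webapps/ must stay writable and the check will flag it; the remaining directories should still come back read-only.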