-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Leon,
Leon Rosenberg wrote: > Also by using apache in front of tomcat you rather loose[sic] > security than gain it. At least this is my personal opinion :-) Would you care to defend that argument? Security in layers is typically an advantage. One could argue that more moving parts equals more complexity, and that complexity is an enemy of security (and I agree). However, there must be a balance. If good security requires layers, and each layer adds more complexity, then there is a paradox. I would argue that Apache httpd is quite mature and is trustworthy. Sure, you're not likely to run into a buffer overflow bug in Tomcat, but a bad configuration can open any server to attack. Is a bad Tomcat configuration alone any better than a bad Tomcat configuration sitting behind Apache httpd? - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFo8C89CaO5/Lv0PARAnX2AJ0Vs2I9FE00UIjQ6jVCtgO6lvKE4ACgmZzJ nXtOo4PTAvDjtuwNwOHuNbk= =biDW -----END PGP SIGNATURE----- --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
