---------------------------------------------------------------------------
HARBOR: http://coolharbor.100free.com/index.htm
The best application server on earth
---------------------------------------------------------------------------
----- Original Message -----
From: "Bárbara Vieira" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <users@tomcat.apache.org>
Sent: Tuesday, January 08, 2008 1:13 PM
Subject: Why use a Web Server over Tomcat?
Hi there!
I'm doing research on internet banking and e-commerce good practices
to design a secure system.
I have an application based on servlets running in a Tomcat Server. My
application provides secure authentication based on both methods: SSL mutual
authentication and form authentication (supplied by Tomcat). All the data
that is sent over the network is encrypted (SSL).
In my research I discovered that some bank systems that use applications
based on servlets (or something based on servlets, like JSP and other
things) are using a Web Server like IIS over a Servlet Container (like Sun
Web Server, or possibly Tomcat Server). Why does that happen? Why do we have a Web
Server over another Web Server, if the low-level Web Server is capable of doing
everything alone?
In my application, client authentication and authorization are controlled by
Tomcat Server. Should I use an Apache Server over Tomcat or an IIS server
over Tomcat? What kind of security am I providing by doing this?
==============================================
I don't think in the context of your question it really matters.
I think what you're seeing is a DMZ
http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)
The web server lives in the DMZ and it provides good security; read up on
the idea of a DMZ.
After that it's just a matter of preference; the Admin guys probably know MS
stuff and not Linux, so they have opted for IIS.
So in those organizations Tomcat is probably behind the second internal
firewall for staff to use as well.
It probably still runs on port 8080 and thus a hacker has to break in
through 2 firewalls to get at TC.
One reason for doing this is, again, not whether IIS or APACHE is better,
although APACHE on Linux in the hands of a guru is very good; it's because
Tomcat carries clear text passwords, so if a hacker did get at the machine,
they would probably see the Active X LDAP master password, as well as those
for sensitive dB's.... they're protecting the "machine", not the web pages via
SSL.... I think ;)
==============================================
My research is just beginning and the documentation about it is vague, so
I apologize if I'm saying something wrong.
Regards,
Bárbara Vieira
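
The reply's point about clear-text passwords sitting on the Tomcat machine can be checked against a given installation. The following Python audit is an added example, not part of the original thread: it lists where literal secrets appear in Tomcat XML configuration without printing the values. `find_secrets` is a hypothetical helper name, the digest pattern is a heuristic, and both sample files are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Attributes Tomcat reads secrets from in server.xml, context.xml and tomcat-users.xml.
SECRET_ATTRS = {"password", "connectionPassword", "keystorePass", "truststorePass"}
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")  # ${prop}: value is supplied from outside the file
# Heuristic for a stored digest: plain hex, or salt$iterations$hash.
DIGEST = re.compile(r"^(?:[0-9a-fA-F]+\$\d+\$)?[0-9a-fA-F]{32,128}$")

def find_secrets(xml_text, source):
    """Return (source, tag, identifier, attribute, kind) per literal secret; never the value."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix if present
        for attr in sorted(SECRET_ATTRS & set(elem.attrib)):
            value = elem.attrib[attr]
            if not value or PLACEHOLDER.match(value):
                continue
            # Only a <user> password can be a one-way digest; the rest must be reversible.
            kind = "digest" if tag == "user" and DIGEST.match(value) else "cleartext"
            ident = next((elem.attrib[k] for k in ("name", "username", "className", "port")
                          if k in elem.attrib), "?")
            findings.append((source, tag, ident, attr, kind))
    return findings

# Constructed sample files (not taken from the thread).
SERVER_XML = """<Server>
  <GlobalNamingResources>
    <Resource name="jdbc/bank" username="app" password="Example-Only-1"/>
    <Resource name="jdbc/reports" username="ro" password="${reports.db.password}"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8443" keystorePass="Example-Only-2"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.JNDIRealm" connectionPassword="Example-Only-3"/>
    </Engine>
  </Service>
</Server>"""
USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="admin" password="Example-Only-4" roles="manager-gui"/>
  <user username="ops" password="0123456789abcdef0123456789abcdef" roles="manager-gui"/>
</tomcat-users>"""

if __name__ == "__main__":
    for row in find_secrets(SERVER_XML, "server.xml") + find_secrets(USERS_XML, "tomcat-users.xml"):
        print("%-16s <%s %s> %s: %s" % row)
```

Every `cleartext` row is a credential that anyone who can read the file on that host obtains directly, which is the exposure the reply describes for the database and LDAP passwords.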