I've just finished reading the Tomcat Security chapter of O'Reilly's Tomcat, The Definitive Guide that covers Tomcat 4 and have been left with many questions.
First, a little background: I've set up a new web server on FC8 x86_64 running Sun Java 1.6.0_05 and Tomcat 5.5.26. I'm very familiar with Tomcat on Windows (developed and deployed there for many years), and am now moving to Linux for various reasons. I have some experience on Linux and am looking to improve. The server is in my company's data center and only ports 80 and 443 are visible to the outside. The local Linux guru is out this week and next, so I thought I'd at least start.

Because this will be a web server, Tomcat will need to listen on ports 80 and 443. In order to do so, as I understand it, Tomcat needs to be run as root - something with which I'm not very comfortable.

So the main question is: How do I get Tomcat to listen on 80 and 443 without running as root?

I thought of running Tomcat in a chroot jail, but that won't completely work, as it still needs to run as root for listening on these privileged ports. I've also thought about setting up port forwarding from 80 and 443 to, say, 8180 and 8543.

I guess I'm looking for some advice/pointers/references for the "best" way to secure Tomcat. Any suggestions?

Thanks, in advance.

Gord