Thanks for the reply David!

If you start up jsvc and do "ps axu | grep jsvc", you will find two processes
with one being owned by root and the other by the non-root account.  The
non-root process will actually handle the incoming requests; however, the
root process is needed to bind to port 443 since it is a privileged port.


On 10/30/08 1:55 PM, "David Smith" <[EMAIL PROTECTED]> wrote:

>> 
>> I don't have any personal issue with moving to running Tomcat directly as
>> the non-privileged account meant for Tomcat ...
> 
> Just to clarify, jsvc runs tomcat as an unprivileged user as well.  One
> advantage to jsvc is it allows tomcat to be run by itself without funky
> iptables rules or a front-end server.  It's a simpler setup and overall
> I'm a firm believer in simpler = better.
> 
> --David
> 
> Andrew Ralph Feller, afelle1 wrote:
>> Thanks for the response Torsten!
>> 
>> In our environment, the machines we have Tomcat running on strictly use
>> Tomcat 6, APR for SSL support, and we load balance applications through an
>> external load balancer.  We have been able to get by without bringing in HTTPD
>> for things like mod_rewrite or any of the PAMs, so I would like to keep it
>> as simple as possible.
>> 
>> I don't have any personal issue with moving to running Tomcat directly as
>> the non-privileged account meant for Tomcat, however I am curious about the
>> trade offs especially related to security.
>> 
>> Thanks!
>> 
>> On 10/30/08 12:37 PM, "[EMAIL PROTECTED]"
>> <[EMAIL PROTECTED]> wrote:
>> 
>>   
>>> Hi Andrew,
>>> 
>>> We let all our Tomcats run on a non-privileged port and use some init script
>>> using startup.sh/shutdown.sh, and have an Apache httpd forwarding requests
>>> with AJP.
>>> 
>>> We then use Apache httpd for things like terminating SSL, do RADIUS or LDAP
>>> authentication, load balancing several Tomcat instances and so on.
>>> 
>>> I think it is a good and common setup like that.
>>> 
>>> Torsten
>>> 
>>> -----Original Message-----
>>> From: Andrew Feller [mailto:[EMAIL PROTECTED]
>>> Sent: 30 October 2008 18:16
>>> To: users@tomcat.apache.org
>>> Cc: Brad Cupit
>>> Subject: JSVC vs standard startup / shutdown scripts
>>> 
>>> QUESTION: What is the best practice for running Tomcat?  JSVC daemon or
>>> startup / shutdown scripts as a non-root user and forwarding HTTPS requests
>>> to a non-privileged port?
>>> 
>>> While reading the Professional Apache Tomcat 6 (ISBN: 978-0-471-75361-2),
>>> they recommend running Tomcat to start it up using the startup script
>>> provided in the Tomcat binary and having your firewall forward requests from
>>> HTTPS to a non-privileged port.  This is very interesting for two reasons:
>>> 
>>>    1. The book never mentions JSVC, which the Tomcat documentation does
>>>    2. We believed using JSVC was the only way to run as a non-root user,
>>>    which doesn't seem to be the case now
>>> 
>>> I would appreciate any feedback about the trade offs and why people choose
>>> one over the other.
>>> 
>>> Thanks,
>>> Andrew
>>> 
>>> ---------------------------------------------------------------------
>>> To start a new topic, e-mail: users@tomcat.apache.org
>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>> 
>>>     
>> 
>>   
> 
> 

-- 
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)
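
The `ps axu | grep jsvc` check from the top of this message, as an added example that is not part of the original thread: a shell function that reads `ps axu` output and reports whether jsvc shows a root-owned process alongside processes owned by the service account. The account name `tomcat`, the verdict strings and the sample process listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit jsvc privilege separation from `ps axu` output.
# Usage on a live host: ps axu | check_jsvc_privsep tomcat
# $1 is the expected unprivileged account (assumed here to be "tomcat").
# Prints one verdict:
#   OK               root process plus process(es) owned by the service account
#   ROOT_ONLY        jsvc runs only as root, so requests are served with root rights
#   UNEXPECTED_USER  a jsvc process is owned by neither root nor the service account
#   NO_ROOT_PARENT   only service-account processes (cannot bind a privileged port)
#   NOT_RUNNING      no jsvc process found
check_jsvc_privsep() {
    awk -v want="$1" '
        $1 == "USER" { next }                 # skip the ps header line
        {
            # Field 11 is the command; compare its basename so that the
            # "grep jsvc" line from the pipeline is not counted.
            n = split($11, p, "/")
            if (p[n] !~ /^jsvc/) next
            if ($1 == "root")      root++
            else if ($1 == want)   svc++
            else                   other++
        }
        END {
            if (root + svc + other == 0) print "NOT_RUNNING"
            else if (other > 0)          print "UNEXPECTED_USER"
            else if (svc == 0)           print "ROOT_ONLY"
            else if (root == 0)          print "NO_ROOT_PARENT"
            else                         print "OK"
        }'
}

# Constructed sample of `ps axu | grep jsvc` output (not taken from a real host).
sample_ps() {
    cat <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      4101  0.0  0.0   2104   412 ?        Ss   10:02   0:00 jsvc.exec -user tomcat
tomcat    4102  1.3  6.1 912340 98012 ?        Sl   10:02   0:14 jsvc.exec -user tomcat
admin     4310  0.0  0.0   3920   780 pts/0    S+   10:09   0:00 grep jsvc
EOF
}

sample_ps | check_jsvc_privsep tomcat
```
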

