WebApp Sec mailing list archives

Re: Tomcat on port 80 or Java as root


From: Dave Ockwell-Jenner <doj () solar-nexus com>
Date: Fri, 12 Mar 2004 10:46:12 -0500

Rajkumar S wrote:

> Hi,
>
> What are the implications of running Tomcat as root (i.e. to run Tomcat on port 80)? Is Java secure enough to run as root, or should I run something like Apache in front?
>
> How about having Tux as a front end? Is it advisable from a security point of view?

I haven't seen much in the way of a Tomcat deployment directly on port 80 and facing the outside world. It's possible, but I'm not sure the Tomcat HTTP server receives the same level of security attention as (say) the Apache HTTP server.

It's usual to see one of two configurations - either running Apache with a "connector" (such as mod_jk, mod_webapp, etc.) that connects directly to Tomcat. In more heterogeneous environments (where there are a variety of app. servers), it's quite common to see Apache configured as a reverse proxy (using mod_proxy) to proxy requests to the Tomcat app. server.

Unfortunately I don't have much data on the relative security of one approach vs. another. However, I would recommend NOT using Tomcat directly.

--
Dave Ockwell-Jenner
Solar Nexus Solutions
http://www.solar-nexus.com/
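
The mod_proxy reverse-proxy arrangement mentioned in the reply above, sketched as an added example that is not part of the original post: Apache httpd holds port 80 (its parent binds as root and the workers run as the configured unprivileged user), while Tomcat listens only on loopback and is started as a non-root account. Assumptions: Apache httpd 2.4 directive syntax, the module paths, the hostname `app.example.com` and the backend address `127.0.0.1:8080` are illustrative choices, not values from the thread.

```apache
# Added example, not from the original post.
# Assumed Tomcat side (conf/server.xml), shown here as a comment for reference;
# Tomcat is started as an unprivileged user and never binds a port below 1024:
#   <Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1" />

# Module paths are an assumption; they vary by distribution.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    # Constructed hostname for illustration
    ServerName app.example.com

    # Reverse proxy only; never act as a forward (open) proxy
    ProxyRequests Off

    # Exclude Tomcat's administrative webapps from proxying so they are
    # not reachable through the public front end. These exclusions must
    # appear before the catch-all ProxyPass below.
    ProxyPass "/manager"      "!"
    ProxyPass "/host-manager" "!"

    # Forward everything else to the loopback-only Tomcat connector
    ProxyPass        "/" "http://127.0.0.1:8080/"
    # Rewrite Location headers in backend redirects to the public host
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
</VirtualHost>
```

Binding the Tomcat connector to 127.0.0.1 matters as much as the proxy rules: if port 8080 is reachable from outside, clients can bypass Apache and its exclusions entirely.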

