WebApp Sec mailing list archives

Re: Tomcat on port 80 or Java as root


From: Aleksi Kallio <aleksi.kallio () csc fi>
Date: Fri, 12 Mar 2004 16:54:41 +0200

> AFAIK tomcat is a servlet container running on apache.
> well... apache webserver should never be run as "root" for various security
> reasons.
>

Tomcat was running on Apache years ago. Nowadays Tomcat is a standalone web+application server.

It is true that running Tomcat with root privileges is not a good idea, though Tomcat has quite a good track record in security. The problem is that Tomcat is 100% Java, and OS-dependent stuff like changing to lesser-than-root permissions after startup is not possible. Of course you can run on ports >1024, but if you want to use 80, there are at least two good possibilities:

- Use Apache as front end and mod_jk2/AJP for communication between Apache and Tomcat
- Use iptables to route traffic between 80 and the actual port Tomcat uses

The AJP protocol could be documented a lot better and the Apache-Tomcat cooperation requires some extra configuring, so I would recommend the latter one. It has worked perfectly and takes twenty seconds to implement.
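The iptables approach from the post, written out as an added example (not code from the mailing-list message): a small POSIX shell script that redirects port 80 to the unprivileged port Tomcat binds. The Tomcat port 8080 and the interface name eth0 are assumptions, since the post names neither. It adds two details a practitioner usually trips over: a rule in the nat OUTPUT chain so that connections from the host itself (which never pass PREROUTING) are redirected too, and a refusal to redirect to a privileged port, because that would put Tomcat right back into needing root. With DRY_RUN set it prints the rules instead of applying them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the original post. Redirect the privileged HTTP
# port to the unprivileged port Tomcat listens on, so Tomcat never runs as root.
# Assumptions: Tomcat listens on 8080 and external traffic arrives on eth0
# (both hypothetical; the post names no port or interface).
# Usage:  DRY_RUN=1 sh redirect.sh 80 8080 eth0   (print the rules, no root needed)
#         sudo sh redirect.sh 80 8080 eth0        (apply them)

IPT="${IPT:-iptables}"

# run_or_print CMD...: apply the rule, or echo it when DRY_RUN is set.
run_or_print() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# redirect_rules PUBLIC_PORT TOMCAT_PORT IFACE
# Emits the nat rules that make connections to PUBLIC_PORT land on TOMCAT_PORT.
# Returns 1 and emits nothing if TOMCAT_PORT is privileged (<=1024): the whole
# point is that Tomcat must be able to bind its port as an ordinary user.
redirect_rules() {
    public="$1"; tomcat="$2"; iface="$3"
    if [ "$tomcat" -le 1024 ]; then
        echo "refusing: $tomcat is a privileged port; Tomcat would still need root" >&2
        return 1
    fi
    # Traffic arriving from the network is seen in PREROUTING before routing.
    run_or_print "$IPT" -t nat -A PREROUTING -i "$iface" -p tcp --dport "$public" \
        -j REDIRECT --to-ports "$tomcat"
    # Traffic generated on this host (e.g. a health check against localhost)
    # never passes PREROUTING; without this OUTPUT rule it would not be redirected.
    run_or_print "$IPT" -t nat -A OUTPUT -o lo -p tcp --dport "$public" \
        -j REDIRECT --to-ports "$tomcat"
}

# Only act when called as a script with the three arguments above.
if [ "$#" -eq 3 ]; then
    redirect_rules "$@"
fi
```

Note that REDIRECT only adds a second way in: the Tomcat port itself stays reachable directly from the network unless the filter table restricts it, so if 80 is meant to be the only public entry point, add a matching INPUT rule for the Tomcat port as well.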
