WebApp Sec mailing list archives

Re: Tomcat on port 80 or Java as root


From: "David Wall @ Yozons, Inc." <dwall () yozons com>
Date: Thu, 11 Mar 2004 08:31:29 -0800

If you are running Linux (and presumably Unix too, since, you know, they are
the same according to SCO), you can run tomcat on port 8080 or another
non-root-required port (those < 1024) with a simple set of 'iptables' rules
that map port 80 to port 8080.  You can do the same for mapping something
like 443 to 8443.  This means the outside world sees the standard ports for
HTTP/HTTPS, but your process doesn't have to actually listen on those ports.
If desired, I can show some iptables rules we have to do this.

However, there are some security reasons for putting a web server in front
when the java app server is running on another piece of hardware.  This
allows you to run the http server on a box directly connected to the
Internet, and then have it forward certain requests to your java app server
that's running on a private network that's not directly accessible to the
Internet.  You can put your database there too.  The benefit is that the app
and db server are on servers that aren't directly accessible from the
Internet, making it much harder to break into (they first have to break into
your web server and then try to break into the app server on the private
network).  With firewall rules (like iptables) between the public and
private servers, that's made even harder, and of course having good
passwords is critical.

David

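The kind of rule set David mentions, written out as an added example (this is not the original message's text, nor Yozons' own rules): a small POSIX sh script with one function for the public box (map 80 to 8080 and 443 to 8443 so Tomcat never binds a privileged port) and one for the private app box (accept Tomcat's ports only from the web server). The web-server address 192.0.2.10, the AJP port 8009 and the script name are assumptions; 80/443/8080/8443 come from the thread. DRY_RUN=1 prints the commands instead of applying them, which is how the rules can be reviewed on a box where you are not root.

```shell
#!/bin/sh
# Added example, not from the original post. Usage (as root):
#   sh tomcat-fw.sh frontend   # public box: 80->8080, 443->8443
#   sh tomcat-fw.sh app        # private box: Tomcat ports only from the web server
#   DRY_RUN=1 sh tomcat-fw.sh frontend   # print the rules, change nothing
# With no argument the script only defines the functions.

WEB_SERVER=192.0.2.10   # assumed address of the public web server
TOMCAT_HTTP=8080        # Tomcat HTTP connector (unprivileged port)
TOMCAT_HTTPS=8443       # Tomcat HTTPS connector (unprivileged port)
TOMCAT_AJP=8009         # assumed AJP connector port (mod_jk / mod_proxy_ajp)

# Run iptables, or just print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# redirect_port PUBLIC PRIVATE: connections arriving on PUBLIC land on PRIVATE.
# PREROUTING only sees packets from the network; packets generated on the box
# itself (curl http://localhost/) skip it, so nat OUTPUT needs the same rule.
redirect_port() {
    pub=$1; priv=$2
    ipt -t nat -A PREROUTING -p tcp --dport "$pub" -j REDIRECT --to-ports "$priv"
    ipt -t nat -A OUTPUT -o lo -p tcp --dport "$pub" -j REDIRECT --to-ports "$priv"
}

# Public box: the world sees 80/443, Tomcat listens on 8080/8443 as a normal
# user. NAT happens before filtering, so INPUT must accept the private ports,
# not 80/443 (a rule for --dport 80 in INPUT would never match).
frontend_rules() {
    redirect_port 80  "$TOMCAT_HTTP"
    redirect_port 443 "$TOMCAT_HTTPS"
    ipt -A INPUT -p tcp --dport "$TOMCAT_HTTP"  -j ACCEPT
    ipt -A INPUT -p tcp --dport "$TOMCAT_HTTPS" -j ACCEPT
}

# Private app box: Tomcat's ports are reachable only from the web server;
# any other source that reaches this host is dropped on those ports.
app_server_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in "$TOMCAT_HTTP" "$TOMCAT_AJP"; do
        ipt -A INPUT -p tcp -s "$WEB_SERVER" --dport "$p" -j ACCEPT
        ipt -A INPUT -p tcp --dport "$p" -j DROP
    done
}

case "${1:-}" in
    frontend) frontend_rules ;;
    app)      app_server_rules ;;
    *)        : ;;   # no argument: functions defined, nothing applied
esac
```

Two things the rules alone do not cover. First, Tomcat still believes it is on port 8080, so any redirect it generates itself (a trailing-slash redirect, a redirect to a login page) will carry :8080 unless the HTTP Connector in server.xml is given proxyPort="80" (and proxyPort="443" on the HTTPS connector). Second, REDIRECT does not hide 8080: the listener is still reachable on its own port from outside, which is harmless here since it is the same service, but on the app box the Connector's address attribute should bind it to the private interface so the filter rules are a second layer rather than the only one.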

----- Original Message ----- 
From: "Rajkumar S" <listuser () myrealbox com>
To: <webappsec () securityfocus com>
Sent: Thursday, March 11, 2004 7:42 AM
Subject: Tomcat on port 80 or Java as root


Hi,

What are the implications of running tomcat as root (i.e. to run tomcat on
port 80)? Is java secure enough to run as root, or should I run something
like apache in front?

How about having Tux as a front end? Is it advisable from a security
point of view?

with warm regards,

raj
