Java Mailing List Archive

http://www.junlu.com/

Re: Securing Tomcat Article for Review

Markus Schönhaber

2007-01-09

Christopher Schultz wrote:

> Leon Rosenberg wrote:
> > Also by using apache in front of tomcat you rather loose[sic]
> > security than gain it. At least this is my personal opinion :-)
>
> Would you care to defend that argument?

You defend it yourself in the next paragraph you've written.

> One could argue that more moving parts equals more complexity, and that
> complexity is an enemy of security (and I agree). However, there must be
> a balance. If good security requires layers, and each layer adds more
> complexity, then there is a paradox.

Exactly.

> I would argue that Apache httpd is quite mature and is trustworthy.
> Sure, you're not likely to run into a buffer overflow bug in Tomcat, but
> a bad configuration can open any server to attack. Is a bad Tomcat
> configuration alone any better than a bad Tomcat configuration sitting
> behind Apache httpd?

IMO you're missing the point. If your Tomcat configuration is "bad" then what
I would consider the right measure to be taken is to change the Tomcat
configuration so that it becomes "good". I wouldn't consider it a wise idea
to put an httpd in front of a badly configured Tomcat and thereby hope to
improve things.
httpd may be mature and trustworthy but whether it's "secure" largely depends
on how skillfully and carefully httpd's configuration is crafted. And if someone
isn't able to build a "good" configuration for Tomcat, I doubt that he'll be
able to come up with a really, really "good" configuration for httpd, this way
compensating the former with the latter.

Anyway: AFAIR (can't reach owasp.org atm) the article mentions putting httpd
in front of Tomcat as one means among others to work around the fact that on
Unix-like systems Tomcat alone can't bind to port 80 if running under a
restricted account.
No question, this is one possible solution. But whether or not it's the right
solution to choose is an entirely different question.
If someone asks: "I've a server running Tomcat. Tomcat is all I need and it's
working fine. The only thing that bugs me is: How can I make Tomcat
accessible via port 80 without running it as root?"
In this case answering "Easy! Just install httpd, install mod_jk, configure
httpd, configure mod_jk, configure Tomcat to accept requests via AJP and
voilà, you're set", I would call completely brain-dead.
OTOH: in an environment where there's already an httpd installed that can't be
replaced by Tomcat, using this httpd as a frontend to Tomcat might be exactly
the way to go.
Maybe the article could provide some hints on how to decide which of the
possible solutions might be the best for a given circumstance.

Regards
mks
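The httpd-in-front setup the post describes (httpd bound to port 80, mod_jk forwarding over AJP to a Tomcat that runs under an unprivileged account), as an added configuration example that is not part of the original thread or of the article under review; the worker name `tomcat1`, the `www-data` user, the module path, the `/app` context and AJP port 8009 are assumptions:

```apache
# httpd.conf fragment (added example). httpd opens port 80 while still root at
# start-up and then drops to the unprivileged User/Group for serving; this is
# the port-80-without-root property the post says the front-end is meant to give.
Listen 80
User  www-data
Group www-data

LoadModule jk_module modules/mod_jk.so

# Worker defined inline with JkWorkerProperty instead of a separate
# workers.properties file. Tomcat's AJP connector is assumed to listen on
# 127.0.0.1:8009 on the same host.
JkWorkerProperty worker.list=tomcat1
JkWorkerProperty worker.tomcat1.type=ajp13
JkWorkerProperty worker.tomcat1.host=127.0.0.1
JkWorkerProperty worker.tomcat1.port=8009

JkLogFile  logs/mod_jk.log
JkLogLevel info

# Forward only the application paths that are meant to be reachable from the
# outside; every other URL is answered (or refused) by httpd itself, so the
# front-end narrows rather than widens what reaches Tomcat.
JkMount /app   tomcat1
JkMount /app/* tomcat1

# Matching Tomcat side (server.xml), shown as a comment because it is XML, not
# httpd configuration. The AJP connector is bound to the loopback address so
# the only path into Tomcat is through httpd; an AJP connector listening on
# all interfaces would add an unauthenticated entry point, which is exactly
# the kind of "bad configuration behind httpd" the post warns about. With
# httpd in front, the plain HTTP connector on 8080 can be removed altogether.
#
#   <Connector protocol="AJP/1.3" port="8009" address="127.0.0.1" />
```

Whether this is worth the extra moving part is the decision the post leaves open; the fragment only shows what the minimal, loopback-only wiring looks like once that decision has been made.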
