Sorry about that John. I must have missed your reply. I'm still figuring out how to effectively use the mailing lists. I wanted to direct the message to you, but I thought it would be useful to others so I wanted to post it here rather than sending it only to you.
Nathan ----- Original Message ----- From: "John Turner" <[EMAIL PROTECTED]> To: "Tomcat Users List" <[EMAIL PROTECTED]> Sent: Friday, August 08, 2003 9:35 AM Subject: Re: Can I get an answer please -- Re: Why integrate Tomcat with a web server? > > I did, last week. > > In any case, if you have something to ask me directly, you can send me a > message off-list. > > John > > Nathan Ward wrote: > > > Hello John, > > > > I hate to be pushy, but are you going to post a reply to this question at some point? > > > > Nathan > > ----- Original Message ----- > > From: Nathan Ward > > To: [EMAIL PROTECTED] ; Tomcat Users List > > Sent: Monday, August 04, 2003 11:05 AM > > Subject: Why integrate Tomcat with a web server? > > > > > > I have a question for John Turner about a statement in the book Apache Tomcat Security. > > > > Page 12 says: > > "As discussed earlier, running publicly available web services as root or superuser is typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web server on port 80 by integrating it with a standard HTTP web server such as Apache, Microsoft's IIS, or Sun Microsystem's iPlanet." > > > > Question: Does this apply when running under Windows? The reference to "as discussed earlier" talks about running Tomcat as a service with more permissions than necessary. Windows defaults to running services as SYSTEM which has administrator privileges. Fine, but as also mentioned earlier, you can create a user account with less permissions and setup the service to run Tomcat under that account. So, how does the statement on page 12 relate to running Tomcat under windows, i.e. why run Tomcat with IIS rather than just run Tomcat? There may be performance reasons, but from a security point of view, is there increased security risks in running Tomcat without IIS when running as a service under Windows? > > > > Nathan > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]