True, but I don't have much static content and the Apache Tomcat Security book is not making that point. I'm trying to determine whether or not it is better to have a web server in front of Tomcat under Windows for security reasons. The book seems to say that but it clearly describe why this provides better security when running Tomcat under Windows.
Nathan ----- Original Message ----- From: "Rick Roberts" <[EMAIL PROTECTED]> To: "Tomcat Users List" <[EMAIL PROTECTED]> Sent: Thursday, August 07, 2003 11:02 PM Subject: Re: Can I get an answer please -- Re: Why integrate Tomcat with a web server? > Because a web server serves static content (html, images, etc.) much faster than > tomcat will. > > Nathan Ward wrote: > > Hello John, > > > > I hate to be pushy, but are you going to post a reply to this question at some point? > > > > Nathan > > ----- Original Message ----- > > From: Nathan Ward > > To: [EMAIL PROTECTED] ; Tomcat Users List > > Sent: Monday, August 04, 2003 11:05 AM > > Subject: Why integrate Tomcat with a web server? > > > > > > I have a question for John Turner about a statement in the book Apache Tomcat Security. > > > > Page 12 says: > > "As discussed earlier, running publicly available web services as root or superuser is typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web server on port 80 by integrating it with a standard HTTP web server such as Apache, Microsoft's IIS, or Sun Microsystem's iPlanet." > > > > Question: Does this apply when running under Windows? The reference to "as discussed earlier" talks about running Tomcat as a service with more permissions than necessary. Windows defaults to running services as SYSTEM which has administrator privileges. Fine, but as also mentioned earlier, you can create a user account with less permissions and setup the service to run Tomcat under that account. So, how does the statement on page 12 relate to running Tomcat under windows, i.e. why run Tomcat with IIS rather than just run Tomcat? There may be performance reasons, but from a security point of view, is there increased security risks in running Tomcat without IIS when running as a service under Windows? > > > > Nathan > > > > -- > ******************************************* > * Rick Roberts * > * Advanced Information Technologies, Inc. * > * http://www.ait-web.com * > ******************************************* > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]