Cris,

On Wed, Oct 17, 2018 at 9:28 AM Berneburg, Cris J. - US <cberneb...@caci.com>
wrote:

> Thanks Mark
>
> mt> The argument for a JRE vs a JDK is that the JDK includes
> mt> a compiler. The only reason Tomcat can run on a JRE and
> mt> still support JSPs (which require compilation) is that
> mt> Tomcat includes a Java compiler. I don't think the
> mt> security argument holds much water.
>
> I had not thought of that, and you're right (literally technically
> speaking).
>
> RAMBLE: However, if I try to look at it from a point of view of a large
> bureaucracy, of which I am largely ignorant, I would not be surprised if
> there is a policy against dev kits and IDEs on production servers for
> security's sake.  Tomcat (whisper: with built-in compiler) is approved, but
> is the JDK allowed?  Guess I can ask.  Yeah, it's potentially a
> "distinction without a difference".  Well, unless there are other tools in
> the JDK that can pose security risks in addition to the Java compiler.
>

As Mark pointed out, Jasper compiles JSP into Java bytecode, and it has been
like that for years.  Every other popular web technology works in a similar
way, be it ASP.NET, PHP, NodeJS, etc., so I really don't think that that's
an issue.

There is only a security vulnerability if a bad actor can inject code, or
upload malicious source code that will be compiled by your application, but
again, that has been the case since the beginning, so deploying over a JDK
doesn't change that.

I'm sure that there is a way to build OpenJDK without the javac component,
or at least it can be achieved with minor changes if needed.

Igal

p.s. So happy to see that you finally moved from Tomcat 6 to 8.5.  Perhaps
you can share that experience in a separate thread and let others know if
you ran into any major problems during that process.
>
> mt> OpenJDK is very close to the Oracle JDK these days. I
> mt> regularly run Tomcat's unit tests with the latest OpenJDK
> mt> and have yet to find an issue that is OpenJDK specific.
> mt>
> mt> Tomcat runs happily (and is supported) on a JRE.
> mt>
> mt> If the JRE has passed the Java TCK then Tomcat should run
> mt> on it. I don't think there is an official Tomcat position
> mt> but my expectation is if a Tomcat bug (as opposed to a
> mt> Java bug) appears when running on any Java implementation
> mt> that has passed the TCK then the Tomcat team would treat
> mt> that as a Tomcat bug and fix it.
>
> All good to know.
>
> cjb> I am imagining spending all my time being taken up by
> cjb> Java upgrades with subsequent builds, regression testing,
> cjb> red tape, and deployments
>
> mt> I'd plan to stick to the LTS releases.
>
> Meh, not my call.  Whatever the Powers That Be decide for the production
> environment, I'll probably match that in dev.  If they decide LT$ is the
> way to go, using the JDK will cost nothing for my dev environment anyway.
> But if OpenJDK and frequent updates are selected ... phooey.
>
> --
> Cris Berneburg
> CACI Lead Software Engineer
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
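The point both Mark and Igal make above (a JRE has no javac, yet Tomcat still compiles JSPs because it ships its own compiler) can be checked directly on a host. The following is an added example, not code from the thread or from the Tomcat project. It assumes a standard Tomcat layout where the Eclipse JDT batch compiler lives in lib/ecj-*.jar and Jasper's adapter class is org.apache.jasper.compiler.JDTCompiler from lib/jasper.jar; run it with the same JVM and classpath Tomcat uses so the answer reflects what Jasper actually sees.

```java
import javax.tools.JavaCompiler;
import javax.tools.ToolProvider;

/**
 * Added example (not from the mailing-list thread): report which Java
 * compilers a process can reach. A JRE-only host reports no system javac,
 * but with Tomcat's lib/ on the classpath the JDT compiler that Jasper uses
 * for JSPs is still present, which is why "no JDK on prod" does not remove
 * the ability to turn source into bytecode.
 */
public class CompilerCheck {

    // Entry point of the Eclipse JDT batch compiler shipped as Tomcat's
    // lib/ecj-*.jar (assumed standard Tomcat layout).
    static final String ECJ_CLASS = "org.eclipse.jdt.internal.compiler.batch.Main";

    // Jasper's adapter onto the JDT compiler, from lib/jasper.jar.
    static final String JASPER_JDT_CLASS = "org.apache.jasper.compiler.JDTCompiler";

    /** True when a JDK's javac is reachable through the javax.tools API. */
    static boolean systemJavacPresent() {
        JavaCompiler jc = ToolProvider.getSystemJavaCompiler();
        return jc != null;
    }

    /** True when the named class can be loaded (without initialising it)
     *  from the classpath this process was started with. */
    static boolean onClasspath(String className) {
        try {
            Class.forName(className, false, CompilerCheck.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("java.home          = " + System.getProperty("java.home"));
        System.out.println("system javac       = " + systemJavacPresent());
        System.out.println("JDT compiler (ecj) = " + onClasspath(ECJ_CLASS));
        System.out.println("Jasper JDTCompiler = " + onClasspath(JASPER_JDT_CLASS));
    }
}
```

Compile it once somewhere a JDK is available, then on the production host run something like `java -cp "/opt/tomcat/lib/*:." CompilerCheck` (path assumed). On a plain JRE, or a jlinked runtime without the jdk.compiler module, the first flag is false while the two Tomcat flags are true, which is the "distinction without a difference" in practice: the policy question is really about what source the application will accept and compile, not about which Java package is installed.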
