RE: Why use a Web Server over Tomcat?

2008-01-10 Thread Bárbara Vieira
Hi everyone!
David, imagine that you are developing a web application to provide services
like internet banking. What network architecture would you propose? How will
you implement a DMZ? Probably you put a firewall between Web Server and
Database Server!! Or not?

Regards,
Bárbara Vieira


-Original Message-
From: David Smith [mailto:[EMAIL PROTECTED] 
Sent: quarta-feira, 9 de Janeiro de 2008 18:35
To: Tomcat Users List
Subject: Re: Why use a Web Server over Tomcat?

In my CISSP training, we covered the possibility of putting a web server 
in between two firewalls.  The outer one cleans the coarse junk out of 
the data stream like denial of service attacks, web server compromise 
attacks, malformed packets, as well as closing down server services 
that should be available to the company, but not the public.  The inner 
one is more fine grained possibly protecting company data assets from 
disclosure or blocking unapproved websites from being accessed by employees.

Just trying to say there is a business case for two firewalls -- it has 
more to do with protecting company assets than protecting the web server.

--David

Bárbara Vieira wrote:

Alan and Johnny,
I agree with Alan. I'm using the same scheme to save passwords in database,
and SSL too.
But, Johnny's answer helps me understand some things. 
Johnny, when you say:

 So in those organization Tomcat is probably behind the second internal
 firewall for staff to use as well.

What do you mean? If you have a Tomcat inside a DMZ, usually we have one
firewall, that separates internet from intranet, i.e., the firewall filters
requests that come from the outside. Isn't that?

Thanks, 
Regards,
Bárbara Vieira
 

-Original Message-
From: Alan Chaney [mailto:[EMAIL PROTECTED] 
Sent: quarta-feira, 9 de Janeiro de 2008 14:10
To: Tomcat Users List
Subject: Re: Why use a Web Server over Tomcat?


  

One reason for doing this, is again not whether IIS or APACHE is better 
although APACHE on linux in the
hands of a guru is very good, its because Tomcat carries clear text 
passwords, so if a hacker did
get at the machine, they would probably see the Active X LDAP master 
password, 



I don't understand this comment at all. 'Passwords' in tomcat can be 
managed by a whole host of authentication schemes. I use SSL to protect 
access to the password on the net and MD5 encoded passwords in a 
database for user authentication and access control. It depends entirely 
upon how you configure your system.

Regards

Alan

  


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]






RE: Why use a Web Server over Tomcat?

2008-01-10 Thread Bárbara Vieira
Hi Mikolaj!
Thanks for your help. But my question isn't just about designing a DMZ. It's
much more. And answering your question: yes, google is not enough. There are
certain questions that google doesn't answer. 

Regards,
Bárbara Vieira

-Original Message-
From: Mikolaj Rydzewski [mailto:[EMAIL PROTECTED] 
Sent: quinta-feira, 10 de Janeiro de 2008 14:59
To: Tomcat Users List
Subject: Re: Why use a Web Server over Tomcat?

Bárbara Vieira wrote:
 David, imagine that you are developing a web application to provide services
 like internet banking. What network architecture would you propose? How will
 you implement a DMZ? Probably you put a firewall between Web Server and
 Database Server!! Or not?
   
Am I right that google is not enough for you?

http://www.google.com/search?q=how+to+design+dmz

-- 
Mikolaj Rydzewski [EMAIL PROTECTED]







Re: Why use a Web Server over Tomcat?

2008-01-10 Thread Mikolaj Rydzewski

Bárbara Vieira wrote:

David, imagine that you are developing a web application to provide services
like internet banking. What network architecture would you propose? How will
you implement a DMZ? Probably you put a firewall between Web Server and
Database Server!! Or not?
  

Am I right that google is not enough for you?

http://www.google.com/search?q=how+to+design+dmz

--
Mikolaj Rydzewski [EMAIL PROTECTED]






Re: Why use a Web Server over Tomcat?

2008-01-10 Thread Johnny Kewl

Hi Barbara,

Sorry still on holiday, not reading email every day...

Read this article by one of the tomcat gurus... nice and academic, has 
calcs on load factors etc...
That Secure generic configuration... is how I was thinking but a bank will 
generally be even more paranoid.
Like for example a bank IT reads about something like exploiting buffer 
overflows in IIS, or some other creative hack that gets the hacker into the 
network and they will probably go for something like this...


http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci906407,00.html

See dual firewalls...

put them together and you probably have what bankers would consider good 
protection..


ie even if the hacker hacked a machine in the DMZ and got onto the 
network... Tomcat the machine with sensitive access to other services... is 
still behind another firewall.


Smaller organizations would typically just have a router firewall, and a 
server behind it... if that server is a linux box setup correctly... it also 
becomes a quasi firewall... possibly with dual network connections, and 
Tomcat, or Apache running and linux guys would probably consider that 
very secure as well.


Linux is a little grey, because it literally can become anything  but in 
concept, something like the above is happening


Google there is tons of info and various levels of paranoia ;)

---
HARBOR: http://coolharbor.100free.com/index.htm
The best application server on earth
---
- Original Message - 
From: Bárbara Vieira [EMAIL PROTECTED]
To: 'Tomcat Users List' users@tomcat.apache.org; 
[EMAIL PROTECTED]

Sent: Wednesday, January 09, 2008 6:30 PM
Subject: RE: Why use a Web Server over Tomcat?


Alan and Johnny,
I agree with Alan. I'm using the same scheme to save passwords in database,
and SSL too.
But, Johnny's answer helps me understand some things.
Johnny, when you say:

 So in those organization Tomcat is probably behind the second internal
 firewall for staff to use as well.

What do you mean? If you have a Tomcat inside a DMZ, usually we have one
firewall, that separates internet from intranet, i.e., the firewall filters
requests that come from the outside. Isn't that?

Thanks,
Regards,
Bárbara Vieira


-Original Message-
From: Alan Chaney [mailto:[EMAIL PROTECTED]
Sent: quarta-feira, 9 de Janeiro de 2008 14:10
To: Tomcat Users List
Subject: Re: Why use a Web Server over Tomcat?




One reason for doing this, is again not whether IIS or APACHE is better
although APACHE on linux in the
hands of a guru is very good, its because Tomcat carries clear text
passwords, so if a hacker did
get at the machine, they would probably see the Active X LDAP master
password,


I don't understand this comment at all. 'Passwords' in tomcat can be
managed by a whole host of authentication schemes. I use SSL to protect
access to the password on the net and MD5 encoded passwords in a
database for user authentication and access control. It depends entirely
upon how you configure your system.

Regards

Alan








Re: Why use a Web Server over Tomcat?

2008-01-10 Thread Johnny Kewl


---
HARBOR: http://coolharbor.100free.com/index.htm
The best application server on earth
---
- Original Message - 
From: Johnny Kewl [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Thursday, January 10, 2008 10:27 PM
Subject: Re: Why use a Web Server over Tomcat?



Hi Barbara,

Sorry still on holiday, not reading email every day...

Read this article by one of the tomcat gurus... nice and academic, has 
calcs on load factors etc...


http://people.apache.org/~mturk/docs/article/ftwai.html


That Secure generic configuration... is how I was thinking but a bank 
will generally be even more paranoid.
Like for example a bank IT reads about something like exploiting buffer 
overflows in IIS, or some other creative hack that gets the hacker into 
the network and they will probably go for something like this...


http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci906407,00.html

See dual firewalls...

put them together and you probably have what bankers would consider good 
protection..


ie even if the hacker hacked a machine in the DMZ and got onto the 
network... Tomcat the machine with sensitive access to other services... 
is still behind another firewall.


Smaller organizations would typically just have a router firewall, and a 
server behind it... if that server is a linux box setup correctly... it 
also becomes a quasi firewall... possibly with dual network connections, 
and Tomcat, or Apache running and linux guys would probably consider 
that very secure as well.


Linux is a little grey, because it literally can become anything  but 
in concept, something like the above is happening


Google there is tons of info and various levels of paranoia ;)







Re: Why use a Web Server over Tomcat?

2008-01-09 Thread Martin Gainty
Apache is considerably lighter on its feet to serve static pages and images
quicker than TC
Apache's HTTP server resource management algorithm revolves around Prefork
MPM
OK if you have 1-10 processes..considerably more problematic when Apache
attempting to manage 100 concurrent processes
Tomcat's superior multi-threading can manage multiple resources much more
effectively..

Anyone else?

M--
- Original Message -
From: Alan Chaney [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, January 09, 2008 9:09 AM
Subject: Re: Why use a Web Server over Tomcat?



 
  One reason for doing this, is again not whether IIS or APACHE is better
  although APACHE on linux in the
  hands of a guru is very good, its because Tomcat carries clear text
  passwords, so if a hacker did
  get at the machine, they would probably see the Active X LDAP master
  password,

 I don't understand this comment at all. 'Passwords' in tomcat can be
 managed by a whole host of authentication schemes. I use SSL to protect
 access to the password on the net and MD5 encoded passwords in a
 database for user authentication and access control. It depends entirely
 upon how you configure your system.

 Regards

 Alan

 
 
 



RE: Why use a Web Server over Tomcat?

2008-01-09 Thread Bárbara Vieira
Alan and Johnny,
I agree with Alan. I'm using the same scheme to save passwords in database,
and SSL too.
But, Johnny's answer helps me understand some things. 
Johnny, when you say:

 So in those organization Tomcat is probably behind the second internal
 firewall for staff to use as well.

What do you mean? If you have a Tomcat inside a DMZ, usually we have one
firewall, that separates internet from intranet, i.e., the firewall filters
requests that come from the outside. Isn't that?

Thanks, 
Regards,
Bárbara Vieira
 

-Original Message-
From: Alan Chaney [mailto:[EMAIL PROTECTED] 
Sent: quarta-feira, 9 de Janeiro de 2008 14:10
To: Tomcat Users List
Subject: Re: Why use a Web Server over Tomcat?


 
 One reason for doing this, is again not whether IIS or APACHE is better 
 although APACHE on linux in the
 hands of a guru is very good, its because Tomcat carries clear text 
 passwords, so if a hacker did
 get at the machine, they would probably see the Active X LDAP master 
 password, 

I don't understand this comment at all. 'Passwords' in tomcat can be 
managed by a whole host of authentication schemes. I use SSL to protect 
access to the password on the net and MD5 encoded passwords in a 
database for user authentication and access control. It depends entirely 
upon how you configure your system.

Regards

Alan

 
 
 



RE: Why use a Web Server over Tomcat?

2008-01-09 Thread Caldarale, Charles R
 From: Martin Gainty [mailto:[EMAIL PROTECTED] 
 Subject: Re: Why use a Web Server over Tomcat?
 
 Apache is considerably lighter on its feet to serve static 
 pages and images quicker than TC

While that was true several years ago, the current versions of Tomcat
achieve virtually identical performance when delivering static content.
Adding the overhead of another comm node for every request will hurt
performance, not enhance it.  Others have presented valid reasons for
using httpd, but performance isn't one of them.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.




Re: Why use a Web Server over Tomcat?

2008-01-09 Thread David Smith
In my CISSP training, we covered the possibility of putting a web server 
in between two firewalls.  The outer one cleans the coarse junk out of 
the data stream like denial of service attacks, web server compromise 
attacks, malformed packets, as well as closing down server services 
that should be available to the company, but not the public.  The inner 
one is more fine grained possibly protecting company data assets from 
disclosure or blocking unapproved websites from being accessed by employees.


Just trying to say there is a business case for two firewalls -- it has 
more to do with protecting company assets than protecting the web server.


--David

Bárbara Vieira wrote:


Alan and Johnny,
I agree with Alan. I'm using the same scheme to save passwords in database,
and SSL too.
But, Johnny's answer helps me understand some things. 
Johnny, when you say:

 So in those organization Tomcat is probably behind the second internal
 firewall for staff to use as well.

What do you mean? If you have a Tomcat inside a DMZ, usually we have one
firewall, that separates internet from intranet, i.e., the firewall filters
requests that come from the outside. Isn't that?

Thanks, 
Regards,

Bárbara Vieira


-Original Message-
From: Alan Chaney [mailto:[EMAIL PROTECTED] 
Sent: quarta-feira, 9 de Janeiro de 2008 14:10

To: Tomcat Users List
Subject: Re: Why use a Web Server over Tomcat?


 

One reason for doing this, is again not whether IIS or APACHE is better 
although APACHE on linux in the
hands of a guru is very good, its because Tomcat carries clear text 
passwords, so if a hacker did
get at the machine, they would probably see the Active X LDAP master 
password, 
   



I don't understand this comment at all. 'Passwords' in tomcat can be 
managed by a whole host of authentication schemes. I use SSL to protect 
access to the password on the net and MD5 encoded passwords in a 
database for user authentication and access control. It depends entirely 
upon how you configure your system.


Regards

Alan

 






Why use a Web Server over Tomcat?

2008-01-08 Thread Bárbara Vieira
Hi there!

 

I’m doing research on internet banking and e-commerce good practices
to design a secure system.

I have an application based on servlets running in a Tomcat Server. My
application provides secure authentication based on both methods: SSL mutual
authentication and form authentication (supplied by Tomcat). All the data
that is sent over the network is encrypted (SSL).

In my research I discovered that some bank systems that use applications
based on servlets (or something based on servlets, like JSP and other
things) are using a Web Server like IIS over a Servlet Container (like Sun
Web Server, or possibly Tomcat Server). Why does that happen? Why do we have a Web
Server over another Web Server, if the low-level Web Server is capable of doing
everything alone?

In my application, client authentication and authorization is controlled by
Tomcat Server. Should I use an Apache Server over Tomcat or an IIS server
over Tomcat? What kind of security am I providing by doing this?

 

 

My research is in the beginning and the documentation about it is vague, so
I apologize if I’m saying something wrong.

 

Regards,

Bárbara Vieira

 



RE: Why use a Web Server over Tomcat?

2008-01-08 Thread Peter Crowther
 From: Kristian Rink [mailto:[EMAIL PROTECTED]
 Asides this, while tomcat and friends (servlet containers) are made
 to serve up, well, J2EE web tier applications, web servers like
 apache2, lighttpd, ... are usually better at serving static content
 (images, static css files, html documents that don't contain any
 logic, ...).

Review the list archives for the disproof of this myth.  Tomcat 5.0 and above 
are quite capable of serving static content, efficiently enough that you'll 
saturate your network connection long before you saturate disk, memory or CPU.

- Peter




Re: Why use a Web Server over Tomcat?

2008-01-08 Thread Kristian Rink

Bárbara,

On Tue, 8 Jan 2008 11:13:34 -, Bárbara Vieira [EMAIL PROTECTED] wrote:
[...]
 Why that’s happen? Why we have a Web Server over another Web Server,
 if the low-level Web Server is capable to do everything alone?

To give you an example: We do use a set of tomcat machines (four nodes,
currently) to carry our enterprise application, having an apache web
server in front of those to do load balancing / failover clustering.
Asides this, while tomcat and friends (servlet containers) are made
to serve up, well, J2EE web tier applications, web servers like
apache2, lighttpd, ... are usually better at serving static content
(images, static css files, html documents that don't contain any
logic, ...). And, to add another point: Maybe your choice of technology
is not limited to J(2)EE but also does include PHP, Python, Perl (be
that in applications of your own and/or in some content management
system to serve your company web site), this is what you usually want
to have a non-J2EE web server for. :)

Cheers,
Kristian


-- 
Kristian Rink * http://zimmer428.net * http://flickr.com/photos/z428/
jab: [EMAIL PROTECTED] * icq: 48874445 * fon: ++49 176 2447 2771
One dreaming alone, it will be only a dream; many dreaming together
is the beginning of a new reality. (Hundertwasser)




Re: Why use a Web Server over Tomcat?

2008-01-08 Thread Diego
Review the list archives for the disproof of this myth.  Tomcat 5.0 and
above are quite capable of serving static content, efficiently enough that
you'll saturate your network connection long before you saturate disk,
memory or CPU.

So unless you have one of the situations like those described by Kristian.
Like having other technologies like PHP you don't have to make load balance
with Apache 2.

It's way better to make a load balance with several Tomcats since you can
make a load balance of your dynamic content too.

On Jan 8, 2008 9:56 AM, Peter Crowther [EMAIL PROTECTED] wrote:

  From: Kristian Rink [mailto:[EMAIL PROTECTED]
  Asides this, while tomcat and friends (servlet containers) are made
  to serve up, well, J2EE web tier applications, web servers like
  apache2, lighttpd, ... are usually better at serving static content
  (images, static css files, html documents that don't contain any
  logic, ...).

 Review the list archives for the disproof of this myth.  Tomcat 5.0 and
 above are quite capable of serving static content, efficiently enough that
 you'll saturate your network connection long before you saturate disk,
 memory or CPU.

- Peter





-- 
Diego


RE: Why use a Web Server over Tomcat?

2008-01-08 Thread Bárbara Vieira
Diego and Kristian,
I understand your perspective. But, my question is about security. Why do
bank systems use an IIS Server instead of an Apache Server over a Tomcat
Server (or some servlet container), if those systems authenticate the client
using servlet technology or some technology supplied by some servlet
container like Tomcat?

I understand the fact that systems use a Web Server over another to serve
static content. But in my application all content is closed, i.e., every
client that wants to access that content must be authenticated and that
authentication is controlled by Tomcat. Should I have some Web Server over
Tomcat? I think that if I have an Apache Server over Tomcat, it causes an
overhead, because all requests sent to Apache must be sent to Tomcat.

Regards,
Bárbara Vieira


 

-Original Message-
From: Diego [mailto:[EMAIL PROTECTED] 
Sent: terça-feira, 8 de Janeiro de 2008 12:06
To: Tomcat Users List
Subject: Re: Why use a Web Server over Tomcat?

Review the list archives for the disproof of this myth.  Tomcat 5.0 and
above are quite capable of serving static content, efficiently enough that
you'll saturate your network connection long before you saturate disk,
memory or CPU.

So unless you have one of the situations like those described by Kristian.
Like having other technologies like PHP you don't have to make load balance
with Apache 2.

Its way better to make a load balance with several Tomcats since you can
make a load balance of your dynamic content too.

On Jan 8, 2008 9:56 AM, Peter Crowther [EMAIL PROTECTED] wrote:

  From: Kristian Rink [mailto:[EMAIL PROTECTED]
  Asides this, while tomcat and friends (servlet containers) are made
  to serve up, well, J2EE web tier applications, web servers like
  apache2, lighttpd, ... are usually better at serving static content
  (images, static css files, html documents that don't contain any
  logic, ...).

 Review the list archives for the disproof of this myth.  Tomcat 5.0 and
 above are quite capable of serving static content, efficiently enough that
 you'll saturate your network connection long before you saturate disk,
 memory or CPU.

- Peter





-- 
Diego





Re: Why use a Web Server over Tomcat?

2008-01-08 Thread Kristian Rink
Bárbara,

On Tue, 8 Jan 2008 13:53:11 -, Bárbara Vieira [EMAIL PROTECTED] wrote:
 I understand your perspective. But, my question is about security. Why
 systems banks use an IIS Server instead of an Apache Server over a
 Tomcat Server(or some servlet container)
[...]

For what I have seen about online banking systems around here, some of
them do use an IIS to do their web hosting (eventually by making use of
some internal CMS to actually include/edit content) but the actual
banking solution they do use is a J(2)EE application in some app
server. In such a scenario, they are required to somehow create an
integrated environment (with a behaviour seamless to the user), to
somehow linking, say, IIS and the J(2)EE app server / servlet
container. 

 I understand the fact that systems uses a Web Server over another to
 serve static content. But if in my application all content is closed,
 i.e., every client that wants to accede to that content must be
 authenticated and that authentication is controlled by Tomcat. 


There's more to security than just authentication. In our environment,
the tomcat installations are on production servers in our LAN
fully accessible to our internal users desktop clients (including some
more services for document / file access), and external access (from
the outside internet) is done via an apache2 reverse proxy living in
a DMZ segment. This way, I can keep people from directly accessing my
productive systems, which is helpful to say the very least. ;)

Cheers,
Kristian



-- 
Kristian Rink * http://zimmer428.net * http://flickr.com/photos/z428/
jab: [EMAIL PROTECTED] * icq: 48874445 * fon: ++49 176 2447 2771
One dreaming alone, it will be only a dream; many dreaming together
is the beginning of a new reality. (Hundertwasser)




Re: Why use a Web Server over Tomcat?

2008-01-08 Thread Mikolaj Rydzewski

Bárbara Vieira wrote:

I understand your perspective. But, my question is about security. Why
systems banks use an IIS Server instead of an Apache Server over a Tomcat
Server(or some servlet container), if that systems authenticate the client
using servlets technology or some technology supplied by some servlet
container like Tomcat?

I understand the fact that systems uses a Web Server over another to serve
static content. But if in my application all content is closed, i.e., every
client that wants to accede to that content must be authenticated and that
authentication is controlled by Tomcat. Should I have some Web Server over
Tomcat? I think that if I have an Apache Server over Tomcat, it causes an
overhead, because all requests sent to Apache, must be sent to Tomcat.
  

There's no simple answer. Running apache in front of tomcat has advantages:

   * load balancing / failover
   * static content handling (I know, tomcat behaves better and better,
 but some people want to have apache handle this)
   * easy integration of webapps from remote hosts
   * probably more...

Easy integration of webapps from remote hosts: it's trivial (thanks to 
mod_jk or mod_proxy_ajp) to have one apache based virtual host with 
several remote apps /app1 /app2 /app3 /app4 running on different tomcat 
servers instead of one gigantic tomcat server running all of them in one JVM.


--
Mikolaj Rydzewski [EMAIL PROTECTED]






Re: Why use a Web Server over Tomcat?

2008-01-08 Thread Mark H. Wood
On Tue, Jan 08, 2008 at 03:17:38PM +0100, Mikolaj Rydzewski wrote:
 There's no simple answer. Running apache in front of tomcat has advantages:

* load balancing / failover
* static content handling (I know, tomcat behaves better and better,
  but some people want to have apache handle this)
* easy integration of webapps from remote hosts
* probably more...

* no need to fiddle with the weird Java-only truststore library files
  when providing certificates
* no need to discover the specific incantation for your system that
  will allow Tomcat to open low-numbered ports (80, 443) and yet run
  as a nonprivileged user (not an issue on Windows, which lacks the
  notion of privileged ports)
* easily throw up an informative page (service will resume by nn:nn)
  when taking services down for maintenance, instead of returning
  port-not-reachable
* many many well-tested specialty modules for Apache HTTPD should you
  need to do something out of the ordinary

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is intuitive he
means the exact opposite.
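
The front-end arrangement that Mikolaj Rydzewski's message and Mark H. Wood's list above describe, sketched as one Apache httpd virtual host. This is an added example, not configuration posted by anyone in the thread; the host names, paths and certificate files are placeholders.

```apache
# Added example: host names, paths and certificate locations are placeholders.
# Requires mod_ssl, mod_proxy and mod_proxy_ajp to be loaded, and assumes
# "Listen 443" is already set in the main server configuration.

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/var/www/frontend"

    # Certificates are plain PEM files handled by httpd; no Java
    # keystore/truststore is needed on this tier.
    SSLEngine on
    SSLCertificateFile    "/etc/httpd/tls/www.example.com.crt"
    SSLCertificateKeyFile "/etc/httpd/tls/www.example.com.key"

    # Reverse proxy only: never act as a forward proxy.
    ProxyRequests Off

    # One public virtual host, four web apps, each on its own Tomcat/JVM.
    # httpd binds the privileged port; each Tomcat listens only on its
    # unprivileged AJP port (8009 by default) and can run as a non-root user.
    ProxyPass "/app1" "ajp://tomcat1.internal.example:8009/app1"
    ProxyPass "/app2" "ajp://tomcat2.internal.example:8009/app2"
    ProxyPass "/app3" "ajp://tomcat3.internal.example:8009/app3"
    ProxyPass "/app4" "ajp://tomcat4.internal.example:8009/app4"

    # When a backend is stopped for maintenance, mod_proxy answers 503;
    # serve a static notice from DocumentRoot instead of a bare error.
    ErrorDocument 503 /maintenance.html
</VirtualHost>
```

AJP carries no authentication or encryption of its own, so the firewall between the DMZ and the internal segment should allow port 8009 only from the proxy host to the Tomcat hosts.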





Re: Why use a Web Server over Tomcat?

2008-01-08 Thread Johnny Kewl


---
HARBOR: http://coolharbor.100free.com/index.htm
The best application server on earth
---
- Original Message - 
From: Bárbara Vieira [EMAIL PROTECTED]

To: 'Tomcat Users List' users@tomcat.apache.org
Sent: Tuesday, January 08, 2008 1:13 PM
Subject: Why use a Web Server over Tomcat?


Hi there!



I'm making a research about  internet banking and e-commerce good practices
to design a secure system.

I have an application based on servlets running in a Tomcat Server. My
application provides secure authentication based in both methods: SSL mutual
authentication and form authentication(supplied by Tomcat). All the data
that is sent over the network are encrypted(SSL).

In my research I discovered that some systems banks that using applications
based on servlets( or something based on servlets, like JSP and other
things), are using a Web Server like ISS, over a Servlet Container( like Sun
Web Server, or possibly Tomcat Server). Why that's happen? Why we have a Web
Server over another Web Server, if the low-level Web Server is capable to do
everything alone?



In my application, client authentication and authorization is controlled by
Tomcat Server. Should use I a Apache Server over Tomcat or an IIS server
over Tomcat? What kind of security am I providing doing this?
==
I don't think in the context of your question it really matters.
I think what you're seeing is a DMZ 
http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

The web server lives in the DMZ and it provides good security, read up on 
the idea of DMZ.

After that it's just a matter of preference, the Admin guys probably know MS 
stuff and not linux, so they have opted for IIS.

So in those organization Tomcat is probably behind the second internal 
firewall for staff to use as well.
It probably still runs on port 8080 and thus a hacker has to break in 
through 2 firewalls to get at TC.

One reason for doing this, is again not whether IIS or APACHE is better 
although APACHE on linux in the
hands of a guru is very good, it's because Tomcat carries clear text 
passwords, so if a hacker did
get at the machine, they would probably see the Active X LDAP master 
password, as well as those for
sensitive dB's they're protecting the machine, not the web pages via 
SSL I think ;)


==

My research is in the beginning and the documentation about it is vague, so
I apologize if I'm saying something wrong.



Regards,

Bárbara Vieira




