Hello John,
I hate to be pushy, but are you going to post a reply to this question at some point?
Nathan
----- Original Message -----
From: Nathan Ward
To: [EMAIL PROTECTED] ; Tomcat Users List
Sent: Monday, August 04, 2003 11:05 AM
Subject: Why integrate Tomcat with a web server?
I have a question for John Turner about a statement in the book Apache Tomcat
Security.
Page 12 says:
"As discussed earlier, running publicly available web services as root or superuser
is typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web
server on port 80 by integrating it with a standard HTTP web server such as Apache,
Microsoft's IIS, or Sun Microsystem's iPlanet."
Question: Does this apply when running under Windows? The reference to "as discussed
earlier" talks about running Tomcat as a service with more permissions than necessary.
Windows defaults to running services as SYSTEM which has administrator privileges.
Fine, but as also mentioned earlier, you can create a user account with less
permissions and setup the service to run Tomcat under that account. So, how does the
statement on page 12 relate to running Tomcat under windows, i.e. why run Tomcat with
IIS rather than just run Tomcat? There may be performance reasons, but from a security
point of view, is there increased security risks in running Tomcat without IIS when
running as a service under Windows?
Nathan
