On Sun, 29 Sep 2002 [EMAIL PROTECTED] wrote:

> Kent,
> I think we are on the same track. Apache was designed for those purposes,
> is more robust and mature, and certainly has fewer security-related
> issues.
>

Regarding maturity, I presume you're talking about 1.3, right?  The Apache
2.0 code is quite a lot newer.

The latter comment (fewer security-related issues) has not been true
lately, if you watch the security bulletins closely.  Although Tomcat just
had a security update, the problem was exposure of JSP source code --
substantially less of a dangerous problem than the two recent buffer
overflow vulnerabilities that Apache has had (both in the last couple of
months).

The previous Tomcat security problem was also a source exposure
issue, and was over a year ago.  Thanks primarily to the Java programming
language, it's pretty difficult to have the kinds of "you can cause the
execution of arbitrary code" problems that anything written in C
(including Apache's httpd server) can be subject to.  No such problem has
occurred in Tomcat during the four years I've been involved in it, whereas
Apache and its associated modules have had several.

IMHO, anyone who goes to all the extra effort of configuring
Apache+Tomcat, instead of Tomcat alone, is nuts unless they need it.
Valid reasons to need it include:

* Tomcat standalone is not fast enough (note that this is different
  from a rule saying select the "fastest possible" solution -- that
  turns out not to be a requirement in every scenario).

* You need the extra features that Apache provides (such as integration
  with existing modules).

* You need to run on port 80 in an environment that requires root
  for this.

* You already know how to configure it, so there's no extra
  learning curve.

Blindly installing Apache+Tomcat because "that's the thing to do" is a
waste of effort in many scenarios.

Craig

