On Thursday 05 December 2002 14:24, Tim Funk wrote:
> With tomcat - there is only one process, the JVM. It is possible to
> bind to port 80 as root to listen on the port, then switch the entire
> process to another (less privileged) user id. To do this - you need a
> class which can call the native OS system call. The bad part about this
> is if something happens to the port 80 and you must reopen it - the
> whole JVM needs to be restarted.
I have Tomcat running on Linux as a stand-alone server but...
1 - It is not running as root but as a normal user
2 - because of 1) it is not possible to run on ports lower than 1024
3 - it is running on port 8080 (http) and 8443 (https)
4 - I have firewall rules which redirect all remote traffic for port
80 (http) to 8080 and port 443 (https) to port 8443
5 - I have firewall rules to allow remote traffic just to port
80, 443, 8080 and 8443.
6 - I have small program running which redirects local traffic from
port 80 to 8080 and port 443 to port 8443
In my opinion, this setup is the best compromise between maintenance and
security. Running Tomcat as root and having WAR files from customers or other
unknown sources is a disaster waiting to happen.
Regards,
Cees.
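The firewall part of the setup above (steps 4 to 6), written out as iptables rules. This is an added example, not something from the original thread; it assumes Linux with iptables, a public interface named eth0 (override with WAN_IF), Tomcat already bound to 8080/8443 as an unprivileged user, and it stands in for the unnamed "small program" of step 6 with an OUTPUT nat rule, which is an assumption rather than what the poster ran.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: Linux with
# iptables, public interface in $WAN_IF (default eth0), Tomcat listening
# on 8080/8443 as a normal user. With DRY_RUN set, rules are printed,
# not applied, so the script can be reviewed before running it as root.
WAN_IF="${WAN_IF:-eth0}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Step 4: rewrite remote traffic arriving on 80/443 to Tomcat's 8080/8443.
# REDIRECT keeps the connection on this host; Tomcat never needs root.
redirect_rules() {
    run -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports 8080
    run -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 443 -j REDIRECT --to-ports 8443
}

# Step 5: accept remote connections only on 80, 443, 8080 and 8443.
# The final DROP must come after the ACCEPT rules; order matters in iptables.
filter_rules() {
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 80,443,8080,8443 -j ACCEPT
    run -A INPUT -i "$WAN_IF" -j DROP
}

# Step 6 (assumption): instead of a separate redirecting program, send
# locally generated connections to 80/443 on this box to Tomcat as well.
local_rules() {
    run -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports 8080
    run -t nat -A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-ports 8443
}

apply_all() {
    redirect_rules
    filter_rules
    local_rules
}

# "show" prints the rule set; "apply" installs it (run as root).
case "${1:-}" in
    show)  DRY_RUN=1; apply_all ;;
    apply) apply_all ;;
esac
```

Note that PREROUTING only sees packets arriving from another host, which is why the poster still needed a separate mechanism for local connections; the OUTPUT rule here covers that case.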