>Has anyone ever attacked one of your web applications? There are some
>fun ways to make an application use a huge amount of memory. Just
>because the applications themselves are behaving doesn't mean that all
>the users are behaving.
>
>For example, do you have a max POST size set for your application? If
>not, I can send your login form a username that is so long it might
>exhaust your heap. 2147483647 characters is a LOT of characters.
>
>If you have a max POST size, maybe you don't filter-out PUT requests,
>and have Tomcat parsing those for you. Same problem, there.

Dear Chris,

But that's no argument for or against running more than one application per Tomcat: if you're not aware of such things, one may attack your other Tomcats in the same way because of identical configuration. Of course, if you plan to run a couple of applications per Tomcat, you may also plan to spread it to more than one instance to have fail-over or load balancing. But even if you use an HA cluster with one app per cluster member: if one is able to crash the application by a request on one cluster member, this might be repeated on the other members without noteworthy costs.