Hi there!
I'm doing research on internet banking and e-commerce good practices for designing a secure system. I have an application based on servlets running on a Tomcat Server. My application provides secure authentication based on both methods: SSL mutual authentication and form authentication (supplied by Tomcat). All the data sent over the network is encrypted (SSL).

In my research I discovered that some banks' systems that use applications based on servlets (or something based on servlets, like JSP and other things) are using a Web Server like IIS over a Servlet Container (like Sun Web Server, or possibly Tomcat Server). Why does that happen? Why do we have a Web Server over another Web Server, if the low-level Web Server is capable of doing everything alone?

In my application, client authentication and authorization are controlled by the Tomcat Server. Should I use an Apache Server over Tomcat or an IIS server over Tomcat? What kind of security am I providing by doing this?

My research is at the beginning and the documentation about it is vague, so I apologize if I'm saying something wrong.

Regards,
Bárbara Vieira