On 22/08/2008, at 3:18 PM, ute Hoffmann wrote:

Hallo,
A possible client's provider said that they fear that a WebObjects app on Linux would be a security problem. As the port to Linux is really a hack, it would pose problems with the possibility of the server being hacked because of that.

The security of your WebObjects deployment is going to be virtually the same no matter what platform you deploy on. The variables you have to consider are the security of the platform itself, the security of the JVM on that platform, and if you are not deploying as a servlet the security of the woadaptor plugin, which uses the same code on all platforms and is very well tested and reviewed code. There is no "hacking" involved, just copying of files and installation of a plugin if necessary.

Can someone who deploys on Linux (in my case Debian, but... I suppose the Linux breed is not relevant here) please comment on that? Are there measures I can take to ensure there is no security risk coming from this setup?

There shouldn't be any need to do anything other than the normal security measures you would take to secure a publicly accessible system. Doing a split deployment of a Web Server in a DMZ and your Application Server and Database Server behind a firewall will provide a level of security not normally available to PHP based deployments.

I was also told they feared a performance problem if a WebObjects app would connect to the MySQL database they build (which is used for other purposes as well). Does anyone have experience with an app with higher traffic (about 240.000 hits per day, most of that read only. About 3000 concurrent users)? Can a WebObjects app pose a problem to database performance in such a case (or in any case)?

The only problem you are likely to have is a possible scaling issue if the load placed on the database by your application exceeds the capabilities of the server it is running on, or the database isn't sufficiently tuned and indexed to handle the queries being executed, but these issues are database level ones and really have nothing to do with what your application is written in. The more likely WO related issue you are going to be faced with is, if your app isn't read only, how to handle primary key creation between WO and the other apps using the database. It is a pretty safe bet that PHP+MySQL = Autoinc for unique key creation.

I was advised to let the website be programmed in PHP instead (preferably by the provider itself, I think, but that was not said, of course).

PHP security is often referred to as an oxymoron. PHP historically does not have a very good track record for a) providing an environment that encourages secure design, in fact writing truly secure PHP code is often considered quite difficult or b) providing a deployment platform free of implementation vulnerabilities.

Purely by its design a WebObjects application stands a good chance of being secured against most forms of attack with very little effort on behalf of the developer. The same cannot be said for PHP.

Would PHP have any advantages in respect to the database performance (or to performance in general)?

PHP offers no advantages, except perhaps that it uses less memory, but that's only a resource consideration not a performance one. If anything WebObjects stands a good chance of providing better performance and impacting the database less due to its stateful nature, the ability to do aggressive caching, and the inherent scalability of its design. PHP is stateless and is generally unable to cache anything in a scalable way outside of the current session.

Or would it have a clear advantage in respect to security (which I really doubt; PHP can be as insecure as anything else, depending on the usage)?

PHP's design was not influenced by a requirement to be able to write secure code easily. Changes over the years have made it harder to write insecure code, but doing so is by no means a requirement.

Any hints welcome.

Thanks a lot!

Regards,
Ute
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-deploy mailing list (Webobjects- [EMAIL PROTECTED])
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-deploy/qdolan%40gmail.com

This email sent to [EMAIL PROTECTED]



--
Seeya...Q

Quinton Dolan - [EMAIL PROTECTED]
Gold Coast, QLD, Australia (GMT+10)
Ph: +61 419 729 806


