WebApp Sec
mailing list archives
Re: Tomcat on port 80 or Java as root
From: Aleksi Kallio <aleksi.kallio () csc fi>
Date: Fri, 12 Mar 2004 16:54:41 +0200
> AFAIK tomcat is a servlet container running on apache.
> well... apache webserver should never be run as "root" for various security
> reasons.

Tomcat was running on Apache years ago. Nowadays Tomcat is a standalone
web+application server.

It is true that running Tomcat with root privileges is not a good idea,
though Tomcat has quite a good track record in security. The problem is
that Tomcat is 100% Java and OS-dependent stuff like changing to lesser
than root permissions after startup is not possible. Of course you can
run in >1024 ports, but if you want to use 80, there are at least two
good possibilities:

- Use Apache as front end and mod_jk2/AJP for communication between
  Apache and Tomcat
- Use iptables to route traffic between 80 and the actual port Tomcat uses

The AJP protocol could be documented a lot better and the Apache-Tomcat
cooperation requires some extra configuring, so I would recommend the
latter one. It has worked perfectly and takes twenty seconds to implement.
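
The iptables option recommended in the message above, as an added example that is not part of the original post. The target port 8080 (Tomcat's default HTTP connector port) and the function names `redirect_rules` and `apply_redirect` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: redirect port 80 to an unprivileged Tomcat connector port so
# that Tomcat itself never has to start as root.
# Assumption: Tomcat listens on 8080; pass a different port if yours differs.

# Print the iptables rules that redirect $1 (public port) to $2 (Tomcat port).
redirect_rules() {
    pub=$1; app=$2
    for p in "$pub" "$app"; do
        case $p in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || {
            echo "port out of range: $p" >&2; return 1; }
    done
    # A target below 1024 would put Tomcat back on a privileged port.
    [ "$app" -ge 1024 ] || { echo "target port $app is privileged" >&2; return 1; }
    # Connections arriving from other hosts.
    echo "iptables -t nat -A PREROUTING -p tcp --dport $pub -j REDIRECT --to-ports $app"
    # Connections made on the host itself to localhost skip PREROUTING.
    echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $pub -j REDIRECT --to-ports $app"
}

# Print the rules; install them only when APPLY=1 and running as root.
apply_redirect() {
    rules=$(redirect_rules "$1" "$2") || return 1
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
        # Ports were validated as digits above, so word splitting is safe here.
        printf '%s\n' "$rules" | while read -r rule; do $rule || exit 1; done
    else
        printf '%s\n' "$rules"
    fi
}

# Usage: ./redirect.sh 80 8080          (dry run, prints the rules)
#        APPLY=1 ./redirect.sh 80 8080  (as root, installs them)
if [ "$#" -eq 2 ]; then
    apply_redirect "$1" "$2"
fi
```

The rules only add a second way in: the Tomcat port itself stays reachable unless it is filtered separately, and the rules are not persistent across reboots.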