Which is more secure: Tomcat standalone or Tomcat behind Apache?

Posted by NoozNooz42 on Server Fault
Published on 2010-06-10T19:14:09Z Indexed on 2010/06/10 19:24 UTC


This question is not about performance, nor about load-balancing, etc.

Which would be more secure: running Tomcat in standalone mode or running Tomcat behind apache?

The thing is, Tomcat is written in Java and hence it is pretty much immune to buffer overrun/overflow (unless a buffer overrun in a C-written lib used by Tomcat can be triggered, but they're rare [the last I remember was in zlib, many many moons ago] and one heck of a hack to actually exploit), which gets rid of a lot of potential exploits.

This page:

http://wiki.apache.org/tomcat/FAQ/Security

has this to say:

There have been no public cases of damage done to a company, organization, or individual due to a Tomcat security issue... there have been only theoretical vulnerabilities found. All of those were addressed even though there were no documented cases of actual exploitation of these vulnerabilities.

This, combined with the fact that buffer overrun/overflow are pretty much non-existent in Java, makes me believe that Tomcat in standalone mode is pretty secure.

In addition to that, I can install both Java and Tomcat on Linux without needing to be root. The only moment I need to be root is to set up a transparent port 8080 to port 80 forwarding (and 8443 to 443). Two iptables lines as root, that's all root is needed for. (I don't know about Apache.)

Apache is much more used than Tomcat and definitely does not have a security track record as good as Tomcat.

What would make Tomcat + Apache more secure?

What would make Tomcat + Apache less secure?

In short: which is more secure, Tomcat standalone or Tomcat with Apache? (remembering that performance isn't an issue here)

© Server Fault or respective owner
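The "two iptables lines" the question relies on, written out as a small script. This is an added example, not code from the original post or from the Tomcat project; the interface name, the DRY_RUN switch and the assumption that Tomcat listens on 0.0.0.0:8080 and 0.0.0.0:8443 are mine. It also adds the check a practitioner would want: a REDIRECT in the nat table does not stop clients from connecting to 8080/8443 directly, so the script drops direct connections on those ports while letting redirected ones (conntrack state DNAT) through.

```shell
#!/bin/sh
# Added example, not from the original post: transparent redirect of
# 80 -> 8080 and 443 -> 8443 so that Tomcat can run as an unprivileged user.
#
# Assumptions (mine, not the poster's): the public interface is passed as $1,
# Tomcat listens on 0.0.0.0:8080 and 0.0.0.0:8443, and DRY_RUN=1 (the default)
# prints the rules instead of applying them.

# Print the iptables invocations, one per line, without executing anything.
redirect_rules() {
    iface="$1"
    cat <<EOF
iptables -t nat -A PREROUTING -i $iface -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i $iface -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -A INPUT -i $iface -p tcp --dport 8080 -m conntrack ! --ctstate DNAT -j DROP
iptables -A INPUT -i $iface -p tcp --dport 8443 -m conntrack ! --ctstate DNAT -j DROP
EOF
}

# Number of rules the script would install; used as a sanity check.
rule_count() { redirect_rules "$1" | wc -l | tr -d ' '; }

# Apply the rules (root required) or just print them when DRY_RUN=1.
apply_rules() {
    iface="$1"
    if [ "${DRY_RUN:-1}" = "1" ]; then
        redirect_rules "$iface"
        return 0
    fi
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: root required" >&2; return 1; }
    # Each line is a command we generated ourselves, so running it via sh -c
    # is safe here; a failing rule aborts the loop.
    redirect_rules "$iface" | while IFS= read -r rule; do
        sh -c "$rule" || exit 1
    done
}

# Usage: DRY_RUN=1 sh redirect.sh eth0   (print)   /   DRY_RUN=0 sudo sh redirect.sh eth0   (apply)
if [ -n "${1:-}" ]; then
    apply_rules "$1"
fi
```

The OUTPUT-chain rules cover connections made from the host itself (curl http://localhost/), which never traverse PREROUTING. The INPUT drops rely on the conntrack match, so nf_conntrack must be loaded; without them an attacker can simply bypass any filtering you do on 80/443 by talking to 8080/8443 directly. Binding Tomcat to 127.0.0.1 is not a substitute, because REDIRECT in PREROUTING rewrites the destination to the primary address of the incoming interface, not to loopback.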
