Implications of Running tomcat on Port 80 (Solaris)

Posted on 2006-04-26
Last Modified: 2013-12-05
Hello,

I am running Apache Tomcat 5.5.15 as a web server on Solaris 10 for x86.

I'm currently running Tomcat on port 8080 but want to run it on port 80 so users do not have to specify the port number when accessing the application. However, I am concerned that there may be security issues involved with running Tomcat with special privileges. The standard way to handle this situation is to run Apache httpd server and use a Connector to route servlet traffic to Tomcat. It is my understanding that Apache is "safer" than Tomcat because it is written in C and has been around longer. The problem is that I cannot find binaries for Solaris x86 for the Apache Connector. Building the source ourselves is not an option as we did not purchase the C compiler for the machine. On a side note, there is no compelling performance reason for using Apache httpd for my particular application.

So I would like to know what the security implications are for running Tomcat on port 80.  
Question by:modle
LVL 51

Expert Comment

by:ahoffmann
ID: 16544836
The main problem is that you have to run Tomcat as root to access port 80.
If you know how to configure Tomcat on other ports, you probably also know how to configure it to fork itself as a different user.

If you just worry about running as root, you can tweak Solaris to allow access to port 80 without root privileges, but then all ports >= 80 can be accessed without being root. If this helps ...
0
 
LVL 3

Accepted Solution

by:
zgrp earned 2000 total points
ID: 16545167
Hello,

You have several options. I think the best is to use your firewall to do a transparent port redirection for you, so your clients can access your server on port 80 and it redirects to 8080, making it much more secure since:

- You will not need any external program to redirect connections from a privileged port (80) to an unprivileged port (8080).

- You will still be able to run Tomcat, Apache, whatever as an unprivileged user.

You can use the IPF firewall; check this link, which explains how to configure and enable it and gives basic usage examples:
 http://www.homepage.montana.edu/~unixuser/031705/create_solaris_ipf.html

Anyway, you can still use several common programs on Solaris for free, like Apache, Tomcat, GCC (a compiler you don't have), ...; download them from SunFreeware:

http://www.sunfreeware.com/indexintel10.html

Hope this helps,

Cheers
0
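
The port redirection described in the accepted answer, as an added example that is not part of any post in this thread. The interface name `e1000g0`, the address `192.0.2.10` and the helper names are assumptions for illustration; the `rdr` rule syntax, `ipnat` flags and the `network/ipfilter` SMF service are those of Solaris 10 IP Filter.

```shell
# Added example: redirect TCP 80 -> 8080 with IP Filter NAT on Solaris 10 so
# Tomcat keeps running as an unprivileged user. Run with bash or ksh.
# Hypothetical values: interface e1000g0, address 192.0.2.10.

# Print one ipnat "rdr" rule, rejecting values that defeat the purpose.
make_rdr_rule() {
    iface=$1 addr=$2 from=$3 to=$4
    for p in "$from" "$to"; do
        case "$p" in
            ''|*[!0-9]*) echo "port '$p' is not numeric" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || {
            echo "port $p out of range" >&2; return 1; }
    done
    # The target must be unprivileged, or Tomcat would still need root to bind.
    [ "$to" -ge 1024 ] || { echo "target port $to is privileged" >&2; return 1; }
    printf 'rdr %s %s/32 port %s -> %s port %s tcp\n' \
        "$iface" "$addr" "$from" "$addr" "$to"
}

# Append the rule to ipnat.conf (once), load it, and list the active rules.
apply_redirect() {
    conf=/etc/ipf/ipnat.conf
    rule=`make_rdr_rule "$@"` || return 1
    fgrep -x "$rule" "$conf" >/dev/null 2>&1 || echo "$rule" >> "$conf"
    svcadm enable network/ipfilter   # start IP Filter under SMF
    ipnat -CF -f "$conf"             # clear old NAT rules and sessions, reload
    ipnat -l                         # confirm the rdr rule is active
}

# Example invocation as root: ./redirect.sh e1000g0 192.0.2.10 80 8080
if [ $# -eq 4 ] && command -v ipnat >/dev/null 2>&1; then
    apply_redirect "$@"
fi
```

IP Filter translates inbound packets before it filters them, so any `ipf.conf` ruleset on the same interface has to pass TCP port 8080 rather than port 80.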
 
LVL 62

Expert Comment

by:gheist
ID: 16546839
Best for Tomcat is to put an apache2 reverse proxy in front, which directs webapps to localhost:8080 and serves static images and page elements like CSS.
In addition it will have more HTTP/1.1 features and wider compatibility.
0
 
LVL 17

Expert Comment

by:Dushan De Silva
ID: 16577829
You can use iptables.

BR Dushan
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16578309
Dushan, do you have a link to "iptables for Solaris"?
Anyway, ipnat can be used too ;-)
0
 
LVL 17

Expert Comment

by:Dushan De Silva
ID: 16578468
ahoffmann,
Yes.
http://www.netfilter.org/downloads.html

You can get an idea from the following solution.
http://www.experts-exchange.com/Security/Firewalls/Q_21304728.html

BR Dushan
0
 
LVL 3

Expert Comment

by:zgrp
ID: 16587748
Hello,

Since it says you can use just "iptables", it makes me think it's just an interface to EFS or the SunScreen Lite Solaris firewall, which makes me think (and it does not surprise me) that it will not use netfilter (which is the firewall core itself for Linux iptables).

My tip is to keep using native resources. ;)

Hope this helps,

Cheers
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16589388
There is no iptables for Solaris, just netfilter with ipf, ipnat, etc.
Please correct me if I'm wrong.
0
 
LVL 62

Expert Comment

by:gheist
ID: 16590425
Not even netfilter - just ipfilter...
0
