Implications of Running tomcat on Port 80 (Solaris)

Hello,

I am running Apache Tomcat 5.5.15 as a web server on Solaris 10 for x86.

I'm currently running Tomcat on port 8080 but want to run it on port 80 so users do not have to specify the port number when accessing the application.  However, I am concerned that there may be security issues involved with running Tomcat with special privileges.  The standard way to handle this situation is to run Apache httpd server and use a Connector to route servlet traffic to Tomcat.  It is my understanding that Apache is "safer" than Tomcat because it is written in C and has been around longer.  The problem is that I cannot find binaries for Solaris x86 for the Apache Connector.  Building the source ourselves is not an option as we did not purchase the C compiler for the machine.  On a side note, there is no compelling performance reason for using Apache httpd for my particular application.

So I would like to know what the security implications are for running Tomcat on port 80.  
modleAsked:

ahoffmannCommented:
The main problem is that you have to run Tomcat as root to access port 80.
If you know how to configure Tomcat on other ports, you probably also know how to configure it to fork itself as a different user.

If you just worry about running as root, you can tweak Solaris to allow access to port 80 without root privileges, but then all ports >= 80 can be accessed without being root. If this helps ...
0
zgrpCommented:
Hello,

You have several options. I think the best is to use your firewall to do a transparent port redirection for you, so your clients can access your server on port 80 and it redirects them to 8080, making it much more secure since:

- You will not need any external program to redirect connections from a privileged port (80) to an unprivileged port (8080).

- You will still be able to run Tomcat, Apache, whatever as an unprivileged user.

You can use the IPF firewall; check this link, which explains how to configure and enable it and gives basic usage examples:
 http://www.homepage.montana.edu/~unixuser/031705/create_solaris_ipf.html

Anyway, you can still use several common programs on Solaris for free, like Apache, Tomcat, GCC (a compiler you don't have), ...; download them from SunFreeware:

http://www.sunfreeware.com/indexintel10.html

Hope this helps,

Cheers
0
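The port redirection suggested in the answer above, written as an IP Filter NAT rule. This is an added example, not part of the original thread; the interface name `e1000g0` and the address `192.0.2.10` are placeholders for the server's own external interface and IP.

```conf
# /etc/ipf/ipnat.conf  (added example; e1000g0 and 192.0.2.10 are placeholders)
#
# Redirect inbound TCP port 80 arriving on the external interface to the
# Tomcat connector on port 8080. Tomcat keeps its 8080 connector and runs
# as an ordinary, unprivileged user; nothing has to bind a port below 1024.
rdr e1000g0 0.0.0.0/0 port 80 -> 192.0.2.10 port 8080 tcp

# Load and check (run as root):
#   svcadm enable network/ipfilter        # start IP Filter under SMF
#   ipnat -CF -f /etc/ipf/ipnat.conf      # clear old NAT rules, load this file
#   ipnat -l                              # list active rules and mappings
#   ps -o user,pid,args -p <tomcat pid>   # confirm Tomcat is not running as root
#
# Things to verify after enabling the rule:
# - The rdr rule only rewrites packets that arrive on e1000g0; a client on
#   the server itself still has to use port 8080.
# - Port 8080 stays reachable directly from the network as before.
# - Set proxyPort="80" on the 8080 <Connector> in Tomcat's server.xml so
#   that redirects Tomcat generates point clients at port 80, not 8080.
```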

gheistCommented:
Best for Tomcat is to put an apache2 reverse proxy in front, which directs webapps to localhost:8080 and serves static images and page elements like CSS.
In addition it will have more HTTP/1.1 features and wider compatibility.
0
Dushan De SilvaTechnology ArchitectCommented:
You can use iptables.

BR Dushan
0
ahoffmannCommented:
Dushan, do you have a link to "iptables for Solaris"?
Anyway, ipnat can be used too ;-)
0
Dushan De SilvaTechnology ArchitectCommented:
ahoffmann,
Yes.
http://www.netfilter.org/downloads.html

You can get an idea from the following solution.
http://www.experts-exchange.com/Security/Firewalls/Q_21304728.html

BR Dushan
0
zgrpCommented:
Hello,

Since it says you can use just "iptables", it makes me think it's just an interface to EFS or the SunScreen Lite Solaris firewall, which makes me think (and would not surprise me) that it will not use netfilter (which is the firewall core itself for Linux iptables).

My tip is to keep using native resources. ;)

Hope this helps,

Cheers
0
ahoffmannCommented:
There is no iptables for Solaris, just netfilter with ipf, ipnat, etc.
Please correct me if I'm wrong.
0
gheistCommented:
Not even netfilter - just ipfilter...
0
Question has a verified solution.