Hello Jan,

that would be better, yes. For example, some time ago there was a virus that would place a modified jsp in a webapp and try to access further data from it. If the user that tomcat runs under had limited permissions, such malware would have less chance to actually do something harmful.

As for my personal opinion and 10++ years of experience with different tomcat versions in production environments (attention, flame war can start here), an apache httpd in front of tomcat does _not_ increase the security _at_all_. In fact, I would argue that it adds its buffer overflows and bugs to the bugs that could exist in tomcat's code.

regards
Leon

On Wed, Feb 25, 2015 at 11:13 PM, Jan Tosovsky <j.tosov...@email.cz> wrote:
> Dear All,
>
> there are plenty of resources mentioning it is a must to run tomcat as a
> dedicated user with limited permissions.
>
> Is it still true when tomcat doesn't run standalone, but via Apache web
> server connected via AJP? That webserver already runs in the restrictive
> mode.
>
> Thanks, Jan