On Sunday 16 May 2010 19:18:47 Caldarale, Charles R wrote:
> > From: Markus Mehrwald [mailto:mmehrw...@gmx.at]
[...]
> > Additionally we can use mod_security to precheck requests
> > delivered to tomcat to remove use- and senseless requests
> > and minimise the risk of attacks.
>
> Why do you think httpd is less susceptible to attacks than Tomcat is?
> Adding complexity usually increases risk, not the other way around.

Do you actually know mod_security? This is not randomly adding complexity. mod_security checks requests according to rules that can be site- or application-specific, and therefore try to prevent attacks on the application rather than on Tomcat or httpd. This is real additional functionality and so an absolutely valid reason to put httpd in front of Tomcat.

Rainer
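
The kind of application-specific request checking discussed in this message, as an added example that is not part of the original thread: a ModSecurity 2.x configuration for an httpd instance proxying to Tomcat. The application path `/shop/order`, its parameter names `item` and `qty`, the rule ids and the AJP backend address are hypothetical.

```apache
# Added example, not from the original message.
# Assumes mod_proxy, mod_proxy_ajp and mod_security2 are loaded.
# Path, parameter names, rule ids and backend address are hypothetical.

# httpd forwards the application to Tomcat's AJP connector.
ProxyPass /shop ajp://127.0.0.1:8009/shop

<IfModule security2_module>
    # Enforce rules (use DetectionOnly while tuning).
    SecRuleEngine On
    # Needed so phase 2 rules can inspect POST parameters.
    SecRequestBodyAccess On

    # Site-wide rule: reject HTTP methods the site never uses.
    SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|POST)$" \
        "id:100001,phase:1,deny,status:405,log,msg:'Method not used by this site'"

    # Application-specific rules: the order endpoint accepts exactly
    # two parameters, each with a known shape.
    <Location "/shop/order">
        # No parameter names other than the two the application reads.
        SecRule ARGS_NAMES "!@rx ^(?:item|qty)$" \
            "id:100010,phase:2,deny,status:400,log,msg:'Unexpected parameter name'"

        # Each parameter must appear exactly once; this also catches
        # a missing parameter, which the value rules below would skip.
        SecRule &ARGS:item "!@eq 1" \
            "id:100011,phase:2,deny,status:400,log,msg:'item missing or repeated'"
        SecRule &ARGS:qty "!@eq 1" \
            "id:100012,phase:2,deny,status:400,log,msg:'qty missing or repeated'"

        # Values must match what the application expects.
        SecRule ARGS:item "!@rx ^[0-9]{1,8}$" \
            "id:100013,phase:2,deny,status:400,log,msg:'item is not a numeric id'"
        SecRule ARGS:qty "!@rx ^[0-9]{1,3}$" \
            "id:100014,phase:2,deny,status:400,log,msg:'qty is not a small integer'"
    </Location>
</IfModule>
```

Requests that fail these checks are rejected by httpd and logged by ModSecurity before anything is forwarded to Tomcat.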