The company I work for sells a J2EE application that runs on Tomcat, WebSphere, or WebLogic. We have a customer that is trying to decide between Tomcat and WebSphere. They're leaning towards WebSphere because they're concerned that Tomcat has more security holes.
After searching around on the web, I've been unable to find any sites or studies that compare the robustness of the major J2EE application servers from a security standpoint.
Can any of you point me to information comparing app server security holes?
It's interesting that your client is "concerned that Tomcat has more security holes." I wonder if they could list what those holes are? If they can't, it's hearsay and FUD.
I would say that all web servers/servlet engines suffer from the same issues. It's the applications that are deployed on them that represent the real security holes. Cross-site scripting, SQL injection, lack of input validation, exposure of sensitive data due to poor layering and practices - these are all application issues that will be problems regardless of which app server you choose.
My personal opinion is that WebLogic is the best Java EE app server on the market. I don't have first-hand experience with WebSphere, but people that I respect who have tell me that it's a horror show. I've only used Tomcat for local development. It's never failed me, but that's hardly production experience. I have no idea how it scales.
I'd think carefully about Spring's dm Server, based on Tomcat, Spring, and OSGi. I have a feeling that it represents a future direction that all its competitors will be taking.
I'd say use tomcat over WebSphere if at all possible.
I think 99% of security is how you set it all up.
Are you also evaluating the security implications of Apache HTTP Server, IBM HTTP Server, and IIS?
Security involves so much more than just what application server you choose to run your webapp on.
Tomcat security report
Websphere security report (You have to dig into each update to see what was fixed)
In my experience, WebSphere isn't adding anything that isn't spec (and thus somewhat supported on Tomcat). The problem comes when trying to do some more complex security tricks (admin authentication using SecureID or something) you need to dig much deeper. WebSphere tries to put more of that in the UI Console.
That being said, your company should look at testing on Glassfish. It uses Tomcat as it's servlet container, but adds a much better UI for management.
According to this article, WebSphere community addition is no different than Tomcat 5.5 in terms of the servlet engine. In my opinion, this decision should be based on overall features needed rather than perceived "security holes".
Several different surveys have confirmed that Tomcat is running at over 60% of organizations worldwide, including the largest banks. As others have said, Tomcat security is not the issue. What "Plain Vanilla" Tomcat lacks is the console and UI which many enterprises require for access controls, diagnostics, monitoring, alerts and provisioning. Check out Tcat server from MuleSoft. It's 100% Tomcat (no fork), but has the enterprise capabilities for running Tomcat.
I can't say whether one is better than the other as I have never used Tomcat, and you really haven't defined what your security requirements are. Security can be a rather large beast and involve varying levels. So you will need well defined requirements to even determine what Security features are required.
We use Websphere integrated with several other IBM products to provide secure access to our application, which has been working well for us so far. You can look up Webseal and the Tivoli line of products for added security to WebSphere.
Related
I know that Tomcat is a web server but why it is not an application server?
Any server needs to follow some specification. What is that spec?
Is it possible for apache to make the tomcat application server?
Also I have read in a blog that the tomcat do not have some lib to act as an application server. What are those libs?
Thanks
I've heard once the following explanation I tend to agree with:
There is a spec of JEE (Java enterprise edition).
Formally you can think about it as a bunch of pdf-s describing the behavior of various technologies that comprise the JEE stack (for example: JMS, EJB, JPA, JPA, JSF, CDI and so on and so forth) as well as deployment models (EARs for example).
Implementors of Application servers have to implement all those technologies and offer interfaces that can be used by the application developers. So teams that stand behind WildFly (former JBoss), Geronimo, WebSphere, WebLogic and so on have read these specs and implemented everything in there.
Now, Tomcat didn't do that, they've only concentrated on (primarily) Servlets/JSPs. These are web technologies, so Tomcat can't be considered as an Application server that implements the whole JEE stack.
In general Tomcat (as well as Jetty, incidentally) should be more lightweight than full JEE compliant Application servers, it should start-up faster and it memory footprint should be smaller. So Tomcat/Jetty call themselves web servers.
I understand that this answer can be considered as speculation, but for me it makes a lot of sense.
Bellow is my perceive:
know that Tomcat is a web server but why it is not an application server?
Here, Application Server is specially for Java EE Server,Java EE is a huge specific collections for Enterprice Application Development,So Application Server should implement most specifics of these, while Tomcat(or Jetty) is only a Web Server(More accurately,Servlet Container),they only implements the specific about Web(such as Servlet Spec(JSR340), JSP(JSR245)). Therefore,Application Server is stronger than Web Server,but Web Server is more lightweight and enough to satisfy most web applications.
Any server needs to follow some specification. What is that spec?
Of course,it depends on that your Server want to provide what services(functions),these specifications can view here.
Is it possible for apache to make the tomcat application server?
I don't think apache will make tomcat to be an application server. Now, there are some popular Java EE Server: Jboss,WebLogic, etc. Not all enterprices need a heavyweight Application Server, on the contrary, most only need a lightweight Web Server。
Also I have read in a blog that the tomcat do not have some lib to act as an application server. What are those libs?
Tomcat only need care the specs about Web,and implements them.
Hope for your help.
We are trying to deploy java restful webservies, which we have implemented using jersey, in unlimitedgb.com webhost. Which provides java7 and tomcat7.
When we had a chat with the technical support team of unlimitedgb, they replied saying "Sorry we are not providing support for JERSEY in java private JVM".
In our local system which consists of java7 and tomcat7, it works fine.
As per my knowledge as jersey provides api's for restful webservice development, so there must not be any dependency on the server or server's architecture or may be some other internals. So jersey must work with java 1.6 and above.
But when I got reply from the technical support team that they don't support jersey I was really confused and started thinking if there is really any dependency of jersey on server or server architecture.
I feel the support team is not having any technical details about jersey.
I have not purchased the web host yet.
Please help me with the technical details so that I can go ahead in purchasing the web host.
I am not sure how much this would help but I used Jelastic and was able to deploy the war and host Jersey APIs without any support.
So, I am pretty confident with your own private VPS hosting, you should be able to get it working.
When support says, 'we don't support that', what they mean is, we won't answer your questions about that topic.
Jersey should be completely fine in that environment, however, you should write a suite of tests, so that when you change JVM you'll be notified of strange failures due to differences in the JVM. Testing jersey
If you want a completely Java EE-container-free rest environment, check out RestExpress
I am working at a startup, we are just about to roll out our first beta. Knowing that we will be having a good number of users, we want to have seamlessly deployment when we are adding new features.
I have worked with windows azure before, and I know they support seamless deployment, so I did some googling and cloudbees was the first result.
So the question is, with what we have now (geronimo server, rackspace hosting), is it possible to seamlessly redeploy a java web application? If so, how?
Are there other alternative solution, such as using another hosting provider or use a different web server? (Because it is a startup, it would be beneficial if the answer keeps scalability in mind)
If with a seamless redeploy, you mean an upgrade of your application without any downtime or restarting of your server, LiveRebel might be something to look at.
See http://zeroturnaround.com/liverebel
There are a lot of methods for doing this in the java world. If you don't use sessions (or use shared sessions between app servers) you can do a rolling stop/deploy/start of your appservers, taking 1 offline at a time and using a load balancer to ensure that traffic goes to the other servers.
I have heard Glassfish has such feature, the reference probably ment this (Glassfish 3.x redeploy command) : http://docs.oracle.com/cd/E19798-01/821-1758/6nmnj7q1h/index.html
I am looking for a single sign on framework in java which supports Weblogic 10.3 and Jboss 4.2.2 and 5.1. JOSSO supports weblogic and jboss both but I am having lot of problems in weblogic (Session expiry issues, its not working on root context, different workflow for jboss and weblogic etc.). I am tired of JOSSO now. Please suggest me a stable SSO framework which works in jboss and weblogic.
What about an alternative like OpenID?
If you are able to use Spring security you can choose from several SSO options including CAS, Cloudseal and OpenId. A great benefit of Spring is that it sits at the application level (i.e. inside the WAR/EAR) and therefore eliminates many of the platform specific "gotchas" like the ones you are experiencing.
Of course if you aren't able to use Spring my solution is of little use! :)
Cloudseal includes a standard Java EE servlet filter which certainly works on JBoss (I have used it). I haven't tried it on Weblogic though.
I am looking at this question from someone with a Microsoft background. If I wanted to get to know the EJB world, who are the leading players in terms of implementations?
Open source implementations of the EJB spec would be Glassfish from Sun, Geronimo from Apache, JBOSS from JBOSS.org (the open source version, not the Red Hat one), or OpenEJB running under Tomcat.
If you have cash to burn on licenses, try WebLogic from Oracle/BEA or WebSphere from IBM.
If money is no object, I think WebLogic is the best tool on the market.
If money is a concern, I think Glassfish gives you the best chance of being on the bleeding edge of the standard implementation.
The leading commercial providers are Weblogic (now owned by Oracle) and Websphere.
By far the most commonly used application server is JBoss, which is free. Other free app servers include Glassfish and Geronimo.
IMHO there is increasingly little reason to use a full-blown app server. Spring+JPA/Hibernate in a WEb container like Tomcat or Jetty is far more common. As of EJB 3.1 you will be able to deploy EJBs in a Web container.