
Security of Tomcat versus WebSphere versus WebLogic

The company I work for sells a J2EE application that runs on Tomcat, WebSphere, or WebLogic. We have a customer that is trying to decide between Tomcat and WebSphere. They're leaning towards WebSphere because they're concerned that Tomcat has more security holes.

After searching around on the web, I've been unable to find any sites or studies that compare the robustness of the major J2EE application servers from a security standpoint.

Can any of you point me to information comparing app server security holes?

It's interesting that your client is "concerned that Tomcat has more security holes." I wonder if they could list what those holes are? If they can't, it's hearsay and FUD.

I would say that all web servers/servlet engines suffer from the same issues. It's the applications that are deployed on them that represent the real security holes. Cross-site scripting, SQL injection, lack of input validation, exposure of sensitive data due to poor layering and practices: these are all application issues that will be problems regardless of which app server you choose.

My personal opinion is that WebLogic is the best Java EE app server on the market. I don't have first-hand experience with WebSphere, but people I respect who have tell me that it's a horror show. I've only used Tomcat for local development. It's never failed me, but that's hardly production experience. I have no idea how it scales.

I'd think carefully about Spring's dm Server, based on Tomcat, Spring, and OSGi. I have a feeling that it represents a future direction that all its competitors will be taking.
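To make the point of the answer above concrete, here is an added example (not code from the original thread or from any of the servers discussed): the SQL injection, cross-site scripting and input-validation defects it lists live entirely in application code, and the fix for each is the same whatever container hosts the application. It is written in Python with the standard-library sqlite3 module purely so it runs stand-alone with an in-memory database; the `users` table, the rows in it and the attack payloads are constructed for the demonstration. The same contrast holds for a servlet using JDBC: string concatenation versus `PreparedStatement` parameter binding, and raw output versus HTML escaping.

```python
import html
import re
import sqlite3

# Constructed sample data standing in for an application's user table.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """SQL injection: the user-controlled value is spliced into the SQL text,
    so quote characters in it change the grammar of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Parameter binding: the value is handed to the driver out of band and
    is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_vulnerable(name):
    """Cross-site scripting: untrusted data is written straight into HTML."""
    return "<p>Hello, " + name + "</p>"


def render_hardened(name):
    """Output encoding: '<', '>', '&' and quotes are escaped for an HTML text
    context before the value is written into the page."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Allowlist for a username field; rejects anything that is not a short
# alphanumeric token rather than trying to strip known-bad characters.
NAME_PATTERN = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_name(name):
    """Input validation: True only if the whole value matches the allowlist."""
    return NAME_PATTERN.fullmatch(name) is not None


def demo():
    """Run both versions against the same injected inputs and return the results."""
    conn = make_db()
    sqli_payload = "x' OR '1'='1"
    xss_payload = "<script>alert(1)</script>"
    return {
        "sqli_vulnerable_rows": lookup_vulnerable(conn, sqli_payload),
        "sqli_hardened_rows": lookup_hardened(conn, sqli_payload),
        "xss_vulnerable_html": render_vulnerable(xss_payload),
        "xss_hardened_html": render_hardened(xss_payload),
        "payload_passes_validation": validate_name(sqli_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the script shows the concatenated query returning every row in the table for the `x' OR '1'='1` input while the bound query returns none, and the escaped render containing `&lt;script&gt;` instead of a live tag. None of that behaviour depends on the container; moving the same code from Tomcat to WebSphere changes nothing about it.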

I'd say use Tomcat over WebSphere if at all possible.

I think 99% of security is how you set it all up.

Are you also evaluating the security implications of Apache HTTP Server, IBM HTTP Server, and IIS?

Security involves so much more than just what application server you choose to run your webapp on.

Tomcat security report

WebSphere security report (You have to dig into each update to see what was fixed)

In my experience, WebSphere isn't adding anything that isn't spec (and thus somewhat supported on Tomcat). The problem comes when trying to do some more complex security tricks (admin authentication using SecureID or something); then you need to dig much deeper. WebSphere tries to put more of that in the UI Console.

That being said, your company should look at testing on Glassfish. It uses Tomcat as its servlet container, but adds a much better UI for management.

According to this article, WebSphere Community Edition is no different than Tomcat 5.5 in terms of the servlet engine. In my opinion, this decision should be based on overall features needed rather than perceived "security holes".

Several different surveys have confirmed that Tomcat is running at over 60% of organizations worldwide, including the largest banks. As others have said, Tomcat security is not the issue. What "plain vanilla" Tomcat lacks is the console and UI which many enterprises require for access controls, diagnostics, monitoring, alerts and provisioning. Check out Tcat Server from MuleSoft. It's 100% Tomcat (no fork), but has the enterprise capabilities for running Tomcat.

I can't say whether one is better than the other as I have never used Tomcat, and you really haven't defined what your security requirements are. Security can be a rather large beast and involve varying levels. So you will need well-defined requirements to even determine what security features are required.

We use WebSphere integrated with several other IBM products to provide secure access to our application, which has been working well for us so far. You can look up WebSEAL and the Tivoli line of products for added security to WebSphere.
