[Opensource] Réf. : RE: [Opensource] FW: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
Raul DAVIDOVICH
R.DAVIDOVICH at caconcology.com
Thu Sep 26 01:39:01 PDT 2002
I'm sorry, but you're also talking about apples and oranges.. JBoss is not
an alternative to Tomcat, but they can work together.
Tomcat is a servlet/JSP container, and JBoss is an EJB container.. this is
to say, tomcat doesn't know what to do with EJBs as JBoss doesn't know what
to do with servlets and JSPs..
Moreover, there is a JBoss bundle that comes with tomcat set up to run with
it..
JBoss is not an alternative to expresso either, but, again, they can work
together (if you really need EJBs.. otherwise, expresso's DBObjects and
controllers can make the deal)
Finally, about using or not Tomcat and JBoss in a production environment...
In a big enterprise project, the cost of the application server is not very
significant, and the tools and docs that come with some commercial app
servers can improve your productivity (or decrease it.. but that's subject
for another discussion). The same goes for the RDBMS. The choice will come
from a simple question.. "Is it worth to invest on them?" the answers come
mainly from the ROI time and the load the server will take. If the ROI for
let's say Websphere + DB2 will be 10 years, and the load will be 2000
connections a day.. well, I guess it won't be the best choice, since Tomcat
+ JBoss + PostgreSQL will take that load easily, and the ROI will depend
almost exclusively on the cost for developing the app.. If the ROI will be
one year, and the load will be 10,000 connections an hour, then you wouldn't
want to save two bucks on the app server and RDBMS, since they will be
quickly mortaged, and the slight gains in performance will make you earn
money. The hardware and the tuning are also very important.. and the way
you design your EJBs and DB tables will greatly impact in performance too.
Finally, the best choice is always the platform in which you feel the
most comfortable working with.
So what I mean by all this?
You can have the best App server and RDBMS, but you make them run in a
single processor PIII 650 with 256 MB RAM, and you must not be surprised if
performances won't be great.. if the budget is restraint, then an open
source server and RDBMS will let you use that money for buying yourself a
quadri-Xeon with 2 Gigs of RAM, and it will work great.
The same goes for the EJBs and DB tables.. if you have 20 joins between
tables, and your EJBs are very fine grained, so your app server spends 90 %
of the processor time in creating and destroying objects, you can be sure
that your app won't be lightning fast, and no Weblogic or Websphere will
help that.
hope this helps
Best regards
---------------------------------------------------
Raul Davidovich
IT Manager
Cvitkovic & Associés Consultants
(33) 1 45 15 40 68
(33) 1 45 15 40 41 Fax
-------------------------------------------------------
http://www.caconcology.com
From: "Mike Traum" <donotreplyhere at cirnetwork.xohost.com>
Sent by: opensource-admin at jcorporate.com
25/09/2002 17:24
Please respond to opensource
To: <opensource at jcorporate.com>
cc:
Subject: RE: [Opensource] FW: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
I concur, but the servers you mention carry a hefty price tag and are used
in a large corporate environment. Our environment is low traffic and I find
Tomcat quite suitable for our needs. The only alternative that I have
considered is JBoss, which is another open source app server, also
supporting EJBs. Its newest release has been a leap and it is currently
viewed as almost a contender to the biggies without the $10,000 price tag.
You're really talking apples and oranges. I've been using Tomcat for 1 year
and am satisfied with it. If you wish to discuss further, please email me
off-list as this conversation isn't really appropriate here.
Mike
-----Original Message-----
From: opensource-admin at jcorporate.com
[mailto:opensource-admin at jcorporate.com] On Behalf Of THIRY, Jean Luc
Sent: Wednesday, September 25, 2002 1:12 AM
To: 'opensource at jcorporate.com'
Subject: RE: [Opensource] FW: [SECURITY] Apache Tomcat 4.x JSP source
disclosure vulnerability
Hi all,
If any of you are interested by this announcement, I believe that you use
Tomcat in a production environment. After reading many papers on
application servers I would like to have some advice on the advantages and
the drawbacks of using Tomcat in such an environment.
I am about to take part in a big project for which we need to decide and to
build up the software architecture and one of the questions that remain is
about the options we could have if we do not use EJBs. In this case we
could perhaps use a Tomcat application server. After talking about this
alternative with a few consultants and architects, they almost all
described the Tomcat choice as a bad one...
I recently read benchmarks that showed how bad Tomcat response times were
compared to Resin, Orion or even Weblogic. I am quite skeptical about these
results because there was little information on the test conditions and the
tuning of the app servers...
Does anyone have a clue on the subject?
Cheers,
JLuc
-----Original Message-----
From: Mike Traum [mailto:mtraum at cirnetwork.org]
Sent: Tuesday, September 24, 2002 17:36
To: Expresso Mailing List (E-mail)
Subject: [Opensource] FW: [SECURITY] Apache Tomcat 4.x JSP source
disclosure vulnerability
Being that many users here run Tomcat (and I believe the 'complete' version
comes bundled with it), I figured I'd post this here in case anyone misses
it...
Mike
Remy Maucherat wrote: