From: Dain <da...@da...> - 2002-11-20 23:21:45
On Wednesday, November 20, 2002, at 03:58 PM, Randy Shoup wrote:

> Dain wrote:
>> There is no reason you have to separate the web container from the
>> EJB container. The only reason this ever came up in J2EE is the
>> other vendors charge so much for a CPU license you wanted to maximize
>> the CMP utilization of the EJB boxes.
>> The only good reason I have heard is security. For security I don't
>> believe that you can get the same benefit by using a proxy process in
>> front.
>>
> Just out of curiosity, why would it be less secure to use a
> reverse-proxy? You ought to be able to put the reverse-proxy in the
> DMZ, and the J2EE container (with web + EJB components) behind the
> internal firewall. Now there is no application code of any kind in
> the DMZ (so there is nothing to lose if this machine is compromised),
> and you only have to open the single HTTP port to the backend machine.
>
> (I realize I am asking you to explain a position you don't believe,
> but I am curious what you have heard :-)

I am a dumb ass today. That was a typo. It should have read:

"For security I *DO* believe that you can get the same benefit by using a proxy process in front."

I can explain my reasons for believing that if you want, but I think you already agree with me.

-dain