What are the security options for Internet Oriented Web servers in Java?
I need to implement a server that can be accessed publicly from the Internet The server has a very simple task:
>Accept the form from the user through HTTPS post (the actual HTML form is located on different sites) > rewrite the form post as JSON > send it to the internal server through a separate HTTPS connection and perform multi server failover > wait for the reply in JSON, including the reasons for success or error > return "303" redirection from one to the success URI or failure URI, Take the error reason as the query parameter
This server usually bears a small load, but because there is no access restriction, the server may be attacked by DOS, etc
The real problem here, however, is that security is absolutely critical to the server - the server involves a large enough number of payment transactions to make it an ideal cracking target The server is located behind the IPS, but is directly connected to the Internet, and will directly terminate the HTTPS connection from the end-user browser without any intervention, such as reverse proxy or SSL accelerator
So my question is, which Java Web server is the safest choice?
Or, if you really think these requests should not be received directly by Java, but by lighttpd or something else, you can make other suggestions But only it can meet the requirements given above
A very good answer will touch on these questions:
>Security related to OpenSSL and java encryption and alternatives (all vulnerabilities exist) > security related to Java VM functions (such as recent XML parsing vulnerabilities) > security related to HTTP header parsing of web server (almost all seem to have vulnerabilities) > security related to optional compression (zlib has vulnerabilities, mod_deflate has separate vulnerabilities in addition)
Solution
I think your main focus should be to follow best security practices and keep your software up to date, not the software you choose It is almost impossible to predict future vulnerabilities Software with many past vulnerabilities does not necessarily mean that it is less secure and may be located and repaired more frequently In this regard, you need regularly updated software, and you can easily get these updates regularly
I recommend using Tomcat and following the steps in improving Apache Tomcat security Tomcat has the advantages of universal and open source, so it has received a lot of attention and rapid repair Many attacks are aimed at things you don't even need, so disable everything you can do The web XML is configured to accept only the URL path you expect and provide errors for all other paths
It sounds like you don't need to use Apache httpd in front of the web container It is best to reduce the number of attack vectors and send web requests directly to the web container It is impossible to know which httpd or Java will find more vulnerabilities for SSL and gzip However, if you only use Java, you will at least not be open to the rest of httpd, rather than a limited set of native implementation issues for Java
Make sure Java and your web container are up to date If not, network and operating system enhancements should also be studied You may also want to view the daily scan for web vulnerabilities to learn about new threats