Hi,
My company recently discovered a security hole when using IIS for Java Server Pages.
IIS doesn't have Java support built into it, so IIS must be coupled with a Java support module like JRun or Tomcat. Doing so involves setting up virtual directories in IIS to the Java support modules and then granting execute permissions on those directories. I am told that hackers can then exploit poor malformed URL handling in IIS and these directories to hack a site. It happened to us.
Are there other web servers for Windows that are Java enabled through Tomcat that do not have the security hole in IIS?
What is the most secure JSP/servlet enabled web server for Windows 2000?
If you want to host JSP/servlets, what is the most secure web server and operating system combination?
Do web servers that support JSP/servlet out of the box stay very current with the latest greatest Java APIs, JVMs, etc.?
Thanks in advance,
Steve
Web tier: servlets, JSP, Web frameworks: Most Secure JSP Set Up For Windows? Other Platforms?
- Posted by: Web Master
- Posted on: July 26 2001 22:34 EDT
- Posted by: Rick Grashel
- Posted on: July 27 2001 01:04 EDT
- in response to Web Master
Steve,
One word: Apache.
Go download the Win32 version from www.apache.org. Apache runs much more seamlessly with Tomcat than IIS, anyway. It will be much easier for you.
Apache -- the most widely used web server in the world -- does not have the security flaws that IIS does. Better yet, it allows you to configure almost all of the behavior and security of your domains... whereas IIS has a lot of 'black box' stuff that it doesn't let you control -- or makes it very difficult to do so.
And lastly -- Apache is free. Viva open source!
Best of luck to you. And sorry to hear you got burned by IIS. I think you'll find that Apache will not fail you.
Regards,
Rick