Security of Tomcat versus WebSphere versus WebLogic

Question

The company I work for sells a J2EE application that runs on Tomcat, WebSphere, or WebLogic. We have a customer that is trying to decide between Tomcat and WebSphere. They're leaning towards WebSphere because they're concerned that Tomcat has more security holes.

After searching around on the web, I've been unable to find any sites or studies that compare the robustness of the major J2EE application servers from a security standpoint.

Can any of you point me to information comparing app server security holes?

Answer 1

In my experience, WebSphere isn't adding anything that isn't spec (and thus somewhat supported on Tomcat). The problem comes when trying to do some more complex security tricks (admin authentication using SecureID or something) you need to dig much deeper. WebSphere tries to put more of that in the UI Console.

That being said, your company should look at testing on Glassfish. It uses Tomcat as it's servlet container, but adds a much better UI for management.

Answer 2

According to this article, WebSphere community addition is no different than Tomcat 5.5 in terms of the servlet engine. In my opinion, this decision should be based on overall features needed rather than perceived "security holes".

Answer 3

I can't say whether one is better than the other as I have never used Tomcat, and you really haven't defined what your security requirements are. Security can be a rather large beast and involve varying levels. So you will need well defined requirements to even determine what Security features are required.

We use Websphere integrated with several other IBM products to provide secure access to our application, which has been working well for us so far. You can look up Webseal and the Tivoli line of products for added security to WebSphere.

Answer 4

I'd say use tomcat over WebSphere if at all possible.

I think 99% of security is how you set it all up.

Are you also evaluating the security implications of Apache HTTP Server, IBM HTTP Server, and IIS?

Security involves so much more than just what application server you choose to run your webapp on.

Tomcat security report

Websphere security report (You have to dig into each update to see what was fixed)

Answer 5

It's interesting that your client is "concerned that Tomcat has more security holes." I wonder if they could list what those holes are? If they can't, it's hearsay and FUD.

I would say that all web servers/servlet engines suffer from the same issues. It's the applications that are deployed on them that represent the real security holes. Cross-site scripting, SQL injection, lack of input validation, exposure of sensitive data due to poor layering and practices - these are all application issues that will be problems regardless of which app server you choose.

My personal opinion is that WebLogic is the best Java EE app server on the market. I don't have first-hand experience with WebSphere, but people that I respect who have tell me that it's a horror show. I've only used Tomcat for local development. It's never failed me, but that's hardly production experience. I have no idea how it scales.

I'd think carefully about Spring's dm Server, based on Tomcat, Spring, and OSGi. I have a feeling that it represents a future direction that all its competitors will be taking.