What is a secure choice for an internet facing web server in Java?
I need to implement a server that is publicly accessible from the internet. The server has a very simple mission:

- Accept form POSTs from users over HTTPS (the actual HTML form is on a different site)
- Rewrite the form post as JSON
- Send it to an internal server over a separate HTTPS connection, with multi-server fail-over
- Wait for a reply in JSON, containing either success or an error reason
- Return a '303' redirection to either a success URI or a failure URI, putting the error reason as a query parameter

The load this server is normally subjected to is minimal, but since there are no access restrictions, the server can obviously be attacked by DoS etc.

However, the real issue here is that security is absolutely paramount for the server - the server is involved in payment transactions with a large enough volume to make it a desirable target for cracking. The server is behind an IPS, but is otherwise directly connected to the internet and will terminate the HTTPS connections from end-user browsers directly, without any intervening reverse proxies or SSL accelerators or such.

So, my question is: which Java web server would be the safest choice for such a purpose?

Or, alternatively, if you really think such requests should not be received directly by Java but by lighttpd or something else, you may propose something else. But only if it can fulfill the requirements given above.

---

A really nice answer would touch on these issues:

- Relevant security of OpenSSL vs. Java crypto vs. alternatives (all have had vulnerabilities)
- Relevant security of Java VM features (such as the recent XML parsing vulnerability)
- Relevant security of the web server's HTTP header parsing (almost all seem to have had vulnerabilities there)
- Relevant security of optional compression (zlib has had vulnerabilities, and mod_deflate has had separate vulnerabilities on top of that)
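The rewrite and redirect steps from the list above, as an added Java example that is not code from the question or from any particular web server: it shows the two places where untrusted form input flows into something the relay emits (the JSON body sent inward, and the 303 Location header sent back) and keeps both under control. The redirect targets and the allowlisted field names are hypothetical; TLS termination, fail-over and the servlet/handler wiring are left to whichever server is chosen.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;

// Added illustration of the relay's rewrite and redirect steps; not code from the question.
public final class FormRelay {
    // Hypothetical fixed redirect targets: the 303 Location is never taken from the request.
    static final String SUCCESS_URI = "https://shop.example.test/paid";
    static final String FAILURE_URI = "https://shop.example.test/failed";
    // Hypothetical allowlist of form fields the internal server expects; anything else is dropped.
    static final List<String> ALLOWED_FIELDS = List.of("order_id", "amount", "currency");
    /** Step 2: rewrite the form post as a flat JSON object, escaping every string. */
    static String toJson(Map<String, String[]> formParams) {
        StringBuilder sb = new StringBuilder("{");
        for (String field : ALLOWED_FIELDS) {                 // iterate the allowlist, not the input
            String[] values = formParams.get(field);
            if (values == null || values.length != 1) continue; // missing or repeated field: skip
            if (sb.length() > 1) sb.append(',');
            sb.append(quote(field)).append(':').append(quote(values[0]));
        }
        return sb.append('}').toString();
    }
    /** Minimal JSON string escaping (RFC 8259): quotes, backslashes and control characters. */
    static String quote(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            if (c == '"') sb.append("\\\"");
            else if (c == '\\') sb.append("\\\\");
            else if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.append('"').toString();
    }
    /** Step 5: Location header for the 303. URL-encoding the reason keeps it inside the query
     *  string: no CR/LF for header injection, no '?', '#' or '/' that could reshape the URI. */
    static String redirectLocation(boolean success, String errorReason) {
        if (success) return SUCCESS_URI;
        return FAILURE_URI + "?reason=" + URLEncoder.encode(errorReason, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample input: one hostile value, one unexpected field.
        Map<String, String[]> form = Map.of("order_id", new String[]{"A-17\"}"},
                                            "amount", new String[]{"9.99"},
                                            "debug", new String[]{"1"});
        System.out.println(toJson(form));                       // "debug" is dropped, quote escaped
        System.out.println(redirectLocation(false, "card declined\r\nX-Injected: 1"));
    }
}
```

Requires Java 11 or later for the Charset overload of URLEncoder.encode.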