Tomcat is an open-source web server supported by Apache.
N/A
AWS WAF
Score 6.9 out of 10
N/A
Amazon Web Services offers AWS WAF (web application firewall) to protect web applications from malicious behavior that might impede the applications functioning and performance, with customizable rules to prevent known harmful behaviors and an API for creating and deploying web security rules.
Excellent value for companies wishing to host Java applications in the cloud. Utilizing hosting tools such as load balancers and network and application firewalls, Tomcat can be part of a powerful system to host web applications to thousands of users. There has been consistency in the development and support of Tomcat since its initial release in the late '90s and the best commonalities have been carried forward. If you host Java web applications, Tomcat is as good as any for an application server.
Well Suited: 1. To prevent DDOS attacks: AWS WAF has a lot of managed rules to prevent DDOS attacks based on traffic origination from a particular IP or IP reputation etc. 2. To rate-limit requests: Well it sounds familiar like preventing DDOS attacks, but it can also be used to rate-limit requests originating from the same IP address. We have used this feature so that we can test multiple failure scenarios for our application. 3. To prevent Data crawling: The BOT control feature allows us to prevent BOTs from crawling data on our websites. Not Suited: 1. To integrate applications outside of AWS Cloud: As I mentioned in my previous comments, this type of integration requires a custom implementation of another AWS resource.
Protect any application against the most common attacks.
Provides better visibility of web traffic.
It allows us to control the traffic in different ways in which it is enabled or blocked through the implementation of security rules developed personally according to our needs.
It is able to block common attacks such as SQL code injection.
It allows defining specific rules for applications, thus increasing web security as they are developed.
Using tomcat manager to troubleshoot is not very informative. Error messages are vague, you have to dig into log files for more information about the problems.
Is great for simple web applications, but may not work for heavy development which may require a full J2EE stack, might like JBoss better.
Security in tomcat is not straightforward, as I discovered that you have to understand how to set up realms in tomcat in order to hash passwords, which I was not overly familiar with, which is a big deal when setting up users in the tomcat-users.xml file.
AWS WAF is a bit costly if used for single applications.
they should provide attack-wise protection, like if my certain type of application is vulnerable to DDOS then I should be able to buy WAF, especially for that attack.
We have been using AWS WAF for the past 3 years in front of our websites. We find it useful in preventing data crawling, DDOS attacks, etc on our websites, and hence we are going to use it in the future as well. AWS WAF is one of the best Firewalls in business.
Tomcat has a very rich API set which allows us to implement our automation script to trigger the deployment, configure, stop and start Tomcat from the command line. In our projects, we embedded Tomcat in our Eclipse in all of the developer's machines so they could quickly verify their code with little effort, Azure Webapp has strong support for Tomcat so we could move our application to Azure cloud very easy. One drawback is Tomcat UI quite poorly features but we almost do not use it.
The product is highly scalable. It is easy to configure the rules and thereby helps us to mitigate many vulnerabilities. The interface and programming of the firewall provisions were easy to setup. Amazon clearly spent a lot of time figuring this out and perfecting it. It allows users to do customized configurations based on their needs. It provides protection against a number of security issues like XSS, SQL injection, etc. I would definitely recommend this for protecting your infra as you scale, since this basically protects and filters all requests hitting your application server.
Tomcat doesn't have a built-in watchdog that ensures restart upon failure, so you have to provide it externally. A very good solution is java service wrapper. The community edition is able to restart Tomcat upon out of memories exceptions.
Tomcat support to customize memory used and allow us to define the Connection pool and thread pool to increase system performance and availability, Tomcat server itself consume very little memory and almost no footprint. We use Tomcat in our production environment which has up to thousands of concurrent users and it is stable and provides a quick response.
If you're intending to use AWS WAF, I would say that you absolutely should sign up for support. AWS Support is excellent and they can help you in a really good way to solve your issues.
Eclipse Jetty is the best alternative for Apache Tomcat because which is also an open-source and lightweight servlet container like Tomcat. A major advantage of this over Tomcat is that Jetty server can easily be embedded with the source code of web applications. Since it requires less memory to operate, you may realize that it is very efficient.
Easy of use. Setup and configuration is fairly quick. There are the usual advantages of it being a cloud solution where you can buy into the solution, configure it and set it up and get it up and running. If you are already a subscriber to AWS, having a native service has its advantages.
Tomcat is cheap and very quick to deploy, so it has benefited much when situation needs applications to be deployed quickly without wasting time on licensing and installations.
Plenty of documentation available so no vendor training is required. Support contract is not needed as well.
Implementing this AWS service has been really favorable because when creating custom rules we give more specific protection to our applications against vulnerabilities that cause them to be consuming other resources or running with errors.
It allows us to control the traffic of our business applications, which is really favorable, given that in this way we can decide that you can access them and not.
It is extremely advantageous that we can establish rules in a centralized way since it saves time, as well as it allows us to protect several applications at the same time by reusing the rules established above.
It allows you to save time and money because we only pay for what is used.
