Jean-Francois Arcand, a Tomcat 5 developer, has recently been interviewed by TheServerSide. It is very interesting overall, but there were several things that seemed strange to me.

I have not used the “embedded” feature of Tomcat, but the impression from the interview is that this just means there is an interface which allows you to control Tomcat from your application.

“Embedded” in the case of Jetty means much more: embedded Jetty is just one JAR and you can use it as one JAR; it is very small in size, so you can really embed it into your application without much overhead.

So, unless I misunderstood something, for embedding (e.g. for testing purposes, using it as a stub) Jetty still seems much more convenient.

On the same subject, for me personally, it was alarming to hear that Jean-Francois has no idea about the embedding features in Jetty. That may not mean much, but it is odd. People who have a tendency towards re-inventing the wheel do not usually invent good wheels. If you begin work on an embedding feature and there is a product that has that figured out, why would you not go and see how they did it? Maybe you won't do it the same way (most probably not), but at least you should look into it, shouldn't you?

Also:

I was really surprised by one comment from the interview. The question was whether people should use Apache in front of Tomcat or run it as-is. Jean-Francois made it sound like it is just a matter of performance and almost suggested that Tomcat without Apache is just as good.

NOT TRUE.

Yes, Tomcat has come a long way in performance, but that just proves the point: putting Apache in front of Tomcat is not a matter of performance (performance may be the same) but of _security_.

To make Tomcat listen on port 80 you will need to launch it as the root user, which means your application code will also run as root. That's _evil_. User applications should never run with root privileges.

When you put Apache in front of Tomcat (or any other servlet engine/J2EE container, for that matter) your application can run under a non-privileged user. That's much more secure.
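
The check below is an added example, not part of the original post: it audits a Tomcat instance for the two conditions described above, a connector on a port that needs root and a Tomcat JVM owned by root. It generalizes from port 80 to every port below 1024 (the Unix default), and the `server.xml` snippets, the `ps` lines and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PRIVILEGED_BELOW = 1024  # Unix default: binding a port below this needs root
TOMCAT_MAIN = "org.apache.catalina.startup.Bootstrap"  # Tomcat's launcher class

# Constructed sample: Tomcat serving ports 80/443 directly, no front-end.
SERVER_XML_DIRECT = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" />
    <Connector port="443" scheme="https" secure="true" />
  </Service>
</Server>"""

# Constructed sample: Tomcat on a high port, loopback only, behind Apache.
SERVER_XML_PROXIED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" address="127.0.0.1" />
  </Service>
</Server>"""

# Constructed sample in the layout of `ps -eo user,pid,args`.
PS_OUTPUT = """USER       PID COMMAND
root      1201 /usr/bin/java -Dcatalina.home=/opt/tomcat-a org.apache.catalina.startup.Bootstrap start
tomcat    1342 /usr/bin/java -Dcatalina.home=/opt/tomcat-b org.apache.catalina.startup.Bootstrap start
root      1400 /usr/sbin/httpd -k start
"""

def privileged_connectors(server_xml):
    """Ports of <Connector> elements that cannot be bound without root."""
    ports = [int(c.get("port")) for c in ET.fromstring(server_xml).iter("Connector")
             if c.get("port", "").isdigit()]
    return sorted(p for p in ports if 0 < p < PRIVILEGED_BELOW)

def root_tomcat_pids(ps_output):
    """PIDs of Tomcat JVMs whose owner is root (other root processes are ignored)."""
    pids = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[0] == "root" and TOMCAT_MAIN in fields[2]:
            pids.append(int(fields[1]))
    return pids

def audit(server_xml, ps_output):
    """Human-readable findings for one Tomcat instance."""
    findings = [f"Connector on port {p} requires starting Tomcat as root"
                for p in privileged_connectors(server_xml)]
    findings += [f"Tomcat JVM pid {pid} runs as root, and so does every webapp in it"
                 for pid in root_tomcat_pids(ps_output)]
    return findings
```

Calling `audit(SERVER_XML_DIRECT, PS_OUTPUT)` reports both connectors and the root-owned JVM, while the proxied configuration with a `tomcat`-owned process produces no findings.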