You can use both of them together... when I set up Tomcat I always disable the HTTP connection handlers in server.xml and use JK2 to connect Apache and Tomcat, then I can do things like access control etc. the same as static files in Apache. In terms of being protected against remote attacks, use up-to-date versions of everything (Apache, Tomcat, OpenSSL, OpenSSH, etc.) and scan your own code carefully for programming mistakes. Also read up on iptables, and if you're paranoid, look at logcheck, tripwire and bastille. And be prepared to spend most of your time poring over log files.
HTH
B.
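
The server.xml check described in the reply above, as an added example that is not part of the original post: a small audit that flags any Tomcat connector still speaking HTTP directly, and any AJP connector not bound to loopback. It assumes connectors declare a `protocol` attribute (a missing one means HTTP/1.1) and that Apache runs on the same host; both server.xml samples are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: default-style config with a direct HTTP connector left on.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" /> -->
    <Connector port="8009" protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

# Constructed sample: HTTP connector removed, AJP reachable only from the local Apache.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_connectors(server_xml_text):
    """Return (port, finding) pairs for connectors that let clients reach
    Tomcat without passing through Apache and its access control."""
    findings = []
    root = ET.fromstring(server_xml_text)  # commented-out connectors are ignored
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        # Assumption: no protocol attribute means Tomcat's HTTP/1.1 default.
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            findings.append((port, "HTTP connector enabled, bypasses Apache"))
        elif conn.get("address") not in LOOPBACK:
            findings.append((port, "AJP connector not bound to loopback"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_connectors(text) or "OK")
```

If Apache sits on a different host, the loopback check does not apply and the AJP port has to be restricted with a firewall rule instead.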