Security of Tomcat versus WebSphere versus WebLogic

Question

The company I work for sells a J2EE application that runs on Tomcat, WebSphere, or WebLogic. We have a customer that is trying to decide between Tomcat and WebSphere. They're leaning towards WebSphere because they're concerned that Tomcat has more security holes.

After searching around on the web, I've been unable to find any sites or studies that compare the robustness of the major J2EE application servers from a security standpoint.

Can any of you point me to information comparing app server security holes?

Answer 1

It's interesting that your client is "concerned that Tomcat has more security holes." I wonder if they could list what those holes are? If they can't, it's hearsay and FUD.

I would say that all web servers/servlet engines suffer from the same issues. It's the applications that are deployed on them that represent the real security holes. Cross-site scripting, SQL injection, lack of input validation, exposure of sensitive data due to poor layering and practices - these are all application issues that will be problems regardless of which app server you choose.

My personal opinion is that WebLogic is the best Java EE app server on the market. I don't have first-hand experience with WebSphere, but people that I respect who have tell me that it's a horror show. I've only used Tomcat for local development. It's never failed me, but that's hardly production experience. I have no idea how it scales.

I'd think carefully about Spring's dm Server, based on Tomcat, Spring, and OSGi. I have a feeling that it represents a future direction that all its competitors will be taking.