What is a secure choice for an internet facing web server in Java?

Question

I need implement a server that is publicly accessible from the internet. The server has a very simple mission:

• Accept form POSTs from users over HTTPS (the actual HTML form is on a different site)
• Rewrite the form post as JSON
• Send it to an internal server over separate HTTPS connection, with multi server fail-over
• Wait for a reply in JSON, containing either success or a error reason
• Return a '303' redirection from either to a success URI or a failure URI, putting the error reason as a query parameter

The load this server is normally subjected to is minimal, but since there are no access restrictions, the server can obviously be attacked by DOS etc.

However, the real issue here is that security is absolutely paramount for the server - the server is involved in payment transactions with a large enough volume to make it a desirable target for cracking. The server is behind an IPS, but is otherwise directly connected to the internet and will terminate the HTTPS connections from end-user browsers directly without any intervening reverse proxies or SSL accelerators or such.

So, my question is, which Java web server would be the safest choice for such a purpose?

Or, alternatively, if you really think such requests should not directly be received by Java, but by lighttpd or something else, you may propose something else. But only if it can fulfill the requirements given above.

---

A really nice answer would touch on these issues:

• Relevant security of OpenSSL vs. Java crypto vs. alternatives (all have had vulnerabilities)
• Relevant security of Java VM features (such as recent XML parsing vulnerability)
• Relevant security of web server's HTTP header parsing (almost all seem to have had vulnerabilities there)
• Relevant security of optional compression (zlib has had vulnerabilities and mod_deflate has had separate vulnerabilities on top of that)

Answer 1

I'd argue that your main concern should be following best security practices and keeping your software up to date than specifically which software you choose. It's just about impossible to predict future vulnerabilities. And software with a lot of past vulnerabilities doesn't necessarily mean it was less secure, likely it was targeted more often and thus fixed more often. In that regard you want software that is regularly updated and you have an easy way to routinely get those updates.

I'd suggest Tomcat and follow the steps from Improving Apache Tomcat Security. Tomcat has the benefit of being common and open source, so it gets a lot of attention and quick fixes. Many attacks are against things you don't even need, so disable everything you can. Configure your web.xml to only accept URL paths you expect and give an error for everything else.

It doesn't sound like you need Apache HTTPD in front of the web container. It's probably best then to reduce the number of attack vectors and have web requests go directly to the web container. It's not possible to know which of HTTPD or Java are going to have more vulnerabilities discovered for SSL and gzip. Yet if you use only Java then you're at least not open to the rest of what might be found for HTTPD, versus a limited set of native implementation concerns for Java.

Make sure Java and your web container are kept up to date. Network and OS hardening should be researched too, if they haven't been. You might also want to look into daily scanning for web vulnerabilities to stay on top of new threats.

Answer 2

If you need something simple and single-purpose, I would give a try to Grizzly - less code, less bugs. It has some SSLConfig class to setup HTTPS, altough I have not used it.