EFES/Jetty security hardening

[Irene Vagionakis]

Dear all,

while in the process of setting up EFES for MedCyprus project on a server of the University of Cyprus, their IT people asked me the following question, which I turn over to you: has EFES/Jetty been security hardened?

Thank you for any help on this!

Irene

[Jamie Norrish]

On Wed, 2022-02-09 at 12:18 -0800, Irene Vagionakis wrote:

> while in the process of setting up EFES for MedCyprus project on a
> server of the University of Cyprus, their IT people asked me the
> following question, which I turn over to you: has EFES/Jetty been
> security hardened?

No, it hasn't. Or at least, it is not configured differently from the
base install.

However, as per the documentation, EFES shouldn't be run with the
built-in Jetty except locally - in part precisely because configuring
it to be suitable for a specific non-local use is not something we can
do.

Jamie

[Irene Vagionakis]

Ok, thanks. So, in the production stage it would be more secure to use Tomcat as suggested...

[Jamie Norrish]

On Wed, 2022-02-09 at 23:00 -0800, Irene Vagionakis wrote:

> Ok, thanks. So, in the production stage it would be more secure to
> use Tomcat as suggested...

Sure - really, whatever approach and software is used, Jetty or Tomcat
or something else, it will need to be configured for the environment it
is being used in. I believe that recent versions of Jetty are suitable
(when properly configured) for use in production situations, just as
Tomcat is.

Hope this helps!

Jamie

[Irene Vagionakis]

Thank you!