Page tree
Skip to end of metadata
Go to start of metadata

MidPoint is often deployed as a stand-alone server with an embedded Apache Tomcat container. It is expected that such a server will listen on ports 80 (HTTP) and 443 (HTTPS). However, those are privileged ports. Only a privileged (root) process can bind to those ports in UNIX-like environments. Therefore this can be achieved by changing midPoint configuration (application.yml file) and running midPoint as root. But that is not a good security practice  as in that case midPoint process will get too much privileges in the operating system.

The best practice for use of privileged ports in UNIX environment is to start the server process in a privileged mode, the server process binds to the ports and then drops the privileges. However, there is no platform-independent support for this in the Java platform. And we would like to avoid mixing platform-dependent components into midPoint. Therefore midPoint does not support this method.

Recommended solution is to let midPoint run on non-privileged ports and use a reverse proxy, e.g. Apache HTTP Server or NGINX. There is also an added value as those servers provide much better network robustness and network access control mechanisms than Apache Tomcat.

  • No labels