Does a stand alone installation stops you from applying Tomcat security updates?


I'm new to JIRA and not a Tomcat person but I was told that one of the benefits of using WAR installations vs. Stand alone/installer is that if we have to deploy any Tomcat security updates, using the stand alone, it would be harder.

Working a little in the Websphere and WAR files on another application, my understanding is that it should in irrelevant. While I understand that the OS Tomcat installation vs. JIRA stand alone might place the binaries in different folders, etc. but does the stand alone really makes Tomcat updates that much harder? I figured in worst case, one would export/build a WAR file of the current JIRA, update tomcat and re-import the saved WAR file in case the Tomcat patch updated any JIRA data/binaries.



3 answers

1 accepted

0 votes
Accepted answer

Hi Anatole,

Atlassian also ships the latest Tomcat version with JIRA standalone. Since we have a JIRA version every 2 weeks, in a worst case scenario you would have a 14 days gap between a new Tomcat version and a new JIRA release. If this is a problem for you, a EAR/WAR deployment would fit better for your needs, but it's a little bit more complex than the JIRA automatic installer. Since you are already experienced with WebSphere, the process shouldn't be that hard. :)

Best regards,
Lucas Timm

we might not be able to upgrade as often but perhaps when a security patch comes along, we may take that option even if requires us additional testing of plug-ins and other functionality.But I'm not very clear from your answer and Timothy's if I have to have a WAR deployment in order to deploy Tomcat fixpacks or can I still go with Linux Installer and only update Tomcat as/when needed.
Does the Installer create special Tomcat folders that a generic Tomcat patch can't find and update OR is it that the Installer placed some JIRA files into Tomcat's folder and the patch would override it?

0 votes
Timothy Chin Community Champion Jul 30, 2013

You should be able to apply the security updates for Tomcat. The release of JIRA is built into Tomcat and you can override the libs.

While this is not a supported configuration, upgrading Tomcat for security patches never broke anything on my memory.

Hi Vitaly, I'm asuming that you are using the Installer option since the WAR option works for one of our groups and doesn't break anything but I wanted to confirm that the installer option doesn't do anything special to make Tomcat patching a burden as our team is in favor of using the Installer. thx

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Nov 27, 2018 in Portfolio for Jira

Introducing a new planning experience in Portfolio for Jira (Server/DC)

In the past, Portfolio for Jira required a high degree of detail–foresight that was unrealistic for many businesses to   have–in   order to produce a reliable long-term roadmap. We're tur...

2,911 views 19 22
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you