Re: [External] Re: Security Headers Implementation in Tomcat 6.x version
On Thu, Sep 07, 2017 at 04:07:25PM +0530, Mohammad Nayeem wrote:
> We have installed apache and configured mod_jk connector along with a
> load-balancer for 2 tomcat servers.
>
> We were able to successfully start apache and we got the login page of our
> application hosted on it, but the functionality is lost. For example, when
> we hit login button on home page, nothing happens. Also, we tried to access
> some specific web page using a direct url, we ended up with an error.
>
> Do you have any suggestion for me so that we can achieve the exact same
> functionality that we had without apache in the front?

Yes:

o When you say, "we ended up with an error," tell us what the error
  message says. It is very difficult to diagnose an unknown error.

o When you say, "nothing happens," what should happen, in detail?
  Check Tomcat's log files for the time at which nothing happened.
  Check your application's log files for that time. If the logs say
  nothing about the operation, then it's time to insert more logging in
  your application code, or attach a debugger and step through the
  code, to see what it is doing.

o Your browser may have developer tools that can show you requests
  and responses, which may help you to determine what is happening.
  I like a Firefox add-on called Firebug, if you need a suggestion.

o In general, if we are to help, we need a lot more detail than "it
  doesn't work." Too much information is better than too little.

o My recollection is that this list does not forward attachments. If
  the evidence is too large to simply copy into an email body, you
  could post it on something like Pastebin or GitHub Gist and refer to
  the URL in your messages.

--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
RE: [External] Re: Security Headers Implementation in Tomcat 6.x version
Hello Olaf,

We have tried yours as well as Chris's suggestions, but in both the cases the functionality of the application is lost.

We have installed apache and configured mod_jk connector along with a load-balancer for 2 tomcat servers.

We were able to successfully start apache and we got the login page of our application hosted on it, but the functionality is lost. For example, when we hit login button on home page, nothing happens. Also, we tried to access some specific web page using a direct url, we ended up with an error.

Do you have any suggestion for me so that we can achieve the exact same functionality that we had without apache in the front?

Regards,
Mohammad Nayeem

-----Original Message-----
From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: 31 May 2017 16:38
To: Tomcat Users List <users@tomcat.apache.org>
Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version

On 29.05.2017 at 13:34, Shaik, Mohammad N. wrote:
> Hello Olaf,
>
> Thanks for your response!
>
> Based on your inputs, we are thinking to put Apache httpd in front of
> Tomcat 6 server, since our header configuration is going to be static.
>
> Can you please help us in identifying which version of Apache HTTP
> Server we can use for Tomcat 6 version? Also, it will be great if you
> can share some guidelines on how to implement Apache in front of Tomcat.

For completeness' sake I'd like to answer a few of these questions, rather briefly. It seems that you're deep into implementing Christopher's solution of compiling the newer filters for Tomcat 6.

Every current Apache httpd is fine, no version restriction. Especially: Choose one that will get updates for quite a while, not like the outdated Tomcat version you're running. Read on mod_proxy, mod_proxy_ajp, mod_jk and mod_proxy_http, which are all keywords on the connection between Apache and tomcat. Once you've set this up, setting the headers is a matter of adding the "Header" directive to httpd's configuration.

I understand though, that setting up the connection can be some task if you've never done that. Especially if you're using https, and also refer to it in your webapp's code (e.g. to validate client certs) - but as you give no clue you're doing that, I'm assuming you don't and the setup would be easy.

Anyway, feel free to utilize the newer code - I just wanted this information to be in this thread as well. However, once you're done with it: Utilize even more newer code and prepare to migrate away from your discontinued tomcat version.

Olaf

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [External] Re: Security Headers Implementation in Tomcat 6.x version
Hi Chris,

We currently have 7.0.42 version which does not support security headers, so we have taken jar files from 7.0.63 and replaced those in the 7.0.42 library folder with them.

We were able to successfully start our tomcat instance and we got the login page of our application hosted on it, but the functionality is lost. For example, when we hit login button on home page, nothing happens. Also, we tried to access some specific web page using a direct url, we ended up with an error.

Do you have any suggestion for me so that we can achieve the exact same functionality using libraries of 7.0.63?

For your information, I have tried using more recent versions like Tomcat 8, but no luck.

Regards,
Mohammad Nayeem

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 01 June 2017 19:59
To: users@tomcat.apache.org
Subject: Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

Mohammad,

On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be name of the new JAR file that I would create for the
> Filter classes?

It doesn't matter.

> There are multiple JAR files in lib folder. Does the name of these JAR
> files have any significance?

Not really.

> My understanding is that as long as you have your code (.class
> files) is present in any of the JAR files under "lib" folder, system
> would get it. You don’t need to have a specific-named JAR files having
> specific-named .class files. The .class files from all the jar files
> under lib folder is considered as one big collection, and based on the
> invoked classname its corresponding .class file gets executed from
> that big code. Multiple JAR files with different names is setup just
> for logical classification of classes. Please correct me if this is
> not right.

You are correct. There are problems if the same class exists in two separate JAR files, but that should not be a problem in the standard Tomcat installation, plus the JAR file that has a few (unique) classes from Tomcat 7 in there.

Remember: Upgrade ASAP.

-chris

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 31 May 2017 23:52
> To: users@tomcat.apache.org
> Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version
>
> Mohammad,
>
> On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
>> Can I simply use the JAR files from Tomcat 7 that contains executable
>> code of filter classes (security headers), and put them into
>> corresponding location in Tomcat 6?
>
> Definitely don't do that. But you could probably grab the compiled
> .class files from Tomcat 7's binary distribution... just make sure you
> have all of them.
>
> So, basically, create a new JAR file that contains only those Filter
> classes (don't forget any inner classes that might be found in
> separate .class files).
>
> -chris
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If you
> have received it in error, please notify the sender immediately and
> delete the original. Any other use of the e-mail by you is prohibited.
> Where allowed by local law, electronic communications with Accenture
> and its affiliates, including e-mail and instant messaging (including
> content), may be scanned by our systems for the purposes of
> information security and assessment of internal compliance with
> Accenture policy.
>
> www.accenture.com
Re: [External] Re: Security Headers Implementation in Tomcat 6.x version
Ghgfhch Dygugjfbjg

Sent from my BlackBerry 10 smartphone.

Original message
From: Christopher Schultz
Sent: Thursday, 8 June 2017 18:43
To: users@tomcat.apache.org
Reply to: Tomcat Users List
Subject: Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

Shaik,

On 6/8/17 1:18 AM, Shaik, Mohammad N. wrote:
> Hi Olaf & Chris,
>
> By placing HTTPD 2.x server in front of Tomcat 6, is it possible to
> hide Tomcat 6 from external world? I just don’t want people to find
> out that I am using Tomcat 6, instead I want them to know that I am
> using httpd 2.x server. Is this possible?
>
> I just need Apache HTTPD server to take care of headers and let
> Tomcat do rest of the stuff (which it is already doing in my case).
> Do I still need to configure anything other than headers in my
> case?

Not really. If you configure httpd -> Tomcat, then you can firewall-out everyone from your Tomcat server except the server running httpd. By default, httpd will return its own "Server" header so you don't even need to try to mask Tomcat's existence that way.

-chris
Re: [External] Re: Security Headers Implementation in Tomcat 6.x version
Shaik,

On 6/8/17 1:18 AM, Shaik, Mohammad N. wrote:
> Hi Olaf & Chris,
>
> By placing HTTPD 2.x server in front of Tomcat 6, is it possible to
> hide Tomcat 6 from external world? I just don’t want people to find
> out that I am using Tomcat 6, instead I want them to know that I am
> using httpd 2.x server. Is this possible?
>
> I just need Apache HTTPD server to take care of headers and let
> Tomcat do rest of the stuff (which it is already doing in my case).
> Do I still need to configure anything other than headers in my
> case?

Not really. If you configure httpd -> Tomcat, then you can firewall-out everyone from your Tomcat server except the server running httpd. By default, httpd will return its own "Server" header so you don't even need to try to mask Tomcat's existence that way.

-chris
RE: [External] Re: Security Headers Implementation in Tomcat 6.x version
Hi Olaf & Chris,

By placing HTTPD 2.x server in front of Tomcat 6, is it possible to hide Tomcat 6 from external world? I just don’t want people to find out that I am using Tomcat 6, instead I want them to know that I am using httpd 2.x server. Is this possible?

I just need Apache HTTPD server to take care of headers and let Tomcat do rest of the stuff (which it is already doing in my case). Do I still need to configure anything other than headers in my case?

Regards,
Mohammad

-----Original Message-----
From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: 31 May 2017 16:38
To: Tomcat Users List <users@tomcat.apache.org>
Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version

On 29.05.2017 at 13:34, Shaik, Mohammad N. wrote:
> Hello Olaf,
>
> Thanks for your response!
>
> Based on your inputs, we are thinking to put Apache httpd in front of
> Tomcat 6 server, since our header configuration is going to be static.
>
> Can you please help us in identifying which version of Apache HTTP
> Server we can use for Tomcat 6 version? Also, it will be great if you
> can share some guidelines on how to implement Apache in front of Tomcat.

For completeness' sake I'd like to answer a few of these questions, rather briefly. It seems that you're deep into implementing Christopher's solution of compiling the newer filters for Tomcat 6.

Every current Apache httpd is fine, no version restriction. Especially: Choose one that will get updates for quite a while, not like the outdated Tomcat version you're running. Read on mod_proxy, mod_proxy_ajp, mod_jk and mod_proxy_http, which are all keywords on the connection between Apache and tomcat. Once you've set this up, setting the headers is a matter of adding the "Header" directive to httpd's configuration.

I understand though, that setting up the connection can be some task if you've never done that. Especially if you're using https, and also refer to it in your webapp's code (e.g. to validate client certs) - but as you give no clue you're doing that, I'm assuming you don't and the setup would be easy.

Anyway, feel free to utilize the newer code - I just wanted this information to be in this thread as well. However, once you're done with it: Utilize even more newer code and prepare to migrate away from your discontinued tomcat version.

Olaf
Re: [External] Re: Security Headers Implementation in Tomcat 6.x version
On 02.06.2017 at 07:43, Shaik, Mohammad N. wrote:
> Hi Chris,
>
> My actual requirement was to implement 7 HTTP headers, out of
> which 4 are implemented in "HttpHeaderSecurityFilter". The remaining
> 3 headers (Content-Security-Policy, Public-Key-Pins, X-Robots-Tag) are
> not addressed in any of the filters available in Tomcat 7, 8 & 9
> versions.
>
> Is there any way that we implement these 3 headers in Tomcat?

Sure. Look at the implementation for the 4 headers you found. Add three more, recompile.

Alternatively, add another filter just for your 3 headers. As you're creating a solution for you exclusively, you may even completely hard code the values and conditions you need. There's no need for configuration or making it "ready for prime time" as nobody else will use this code under different circumstances.

Or write your own servlet filter for the webapps you deploy (no need to go app-server side when the webapps do what's required themselves). In those servlet filters, set those headers under conditions that you determine yourself.

Or (again, sorry) utilize httpd's mod_headers.

Olaf
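The "another filter just for your 3 headers" option from the reply above, sketched as an added example (it is not code from this thread or from Tomcat). The class name, init-parameter names and default header values are assumptions; the code targets the Servlet 2.5 API that Tomcat 6 provides.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Added example, not part of Tomcat. Class name, parameter names and default
// values are assumptions. Register it in the webapp's WEB-INF/web.xml:
//
//   <filter>
//     <filter-name>extraSecurityHeaders</filter-name>
//     <filter-class>ExtraSecurityHeadersFilter</filter-class>
//     <init-param>
//       <param-name>contentSecurityPolicy</param-name>
//       <param-value>default-src 'self'</param-value>
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>extraSecurityHeaders</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
public class ExtraSecurityHeadersFilter implements Filter {

    private String contentSecurityPolicy;
    private String xRobotsTag;
    private String publicKeyPins; // null means the header is not sent

    // The Servlet 2.5 Filter interface has no default methods, so init() and
    // destroy() must both be implemented. @Override is left out so the class
    // also compiles with a Java 5 compiler.
    public void init(FilterConfig config) throws ServletException {
        // Assumed defaults; adjust the policy to what the application loads.
        contentSecurityPolicy = value(config, "contentSecurityPolicy", "default-src 'self'");
        xRobotsTag = value(config, "xRobotsTag", "noindex, nofollow");
        // No default pin set: a pin that does not match the served
        // certificate chain makes the site unreachable for pinned clients.
        publicKeyPins = value(config, "publicKeyPins", null);
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Set the headers before the chain runs: once the response is
        // committed, headers can no longer be added.
        if (response instanceof HttpServletResponse && !response.isCommitted()) {
            HttpServletResponse http = (HttpServletResponse) response;
            http.setHeader("Content-Security-Policy", contentSecurityPolicy);
            http.setHeader("X-Robots-Tag", xRobotsTag);
            // Public-Key-Pins is only honoured over a secure transport.
            if (publicKeyPins != null && request.isSecure()) {
                http.setHeader("Public-Key-Pins", publicKeyPins);
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // Nothing to release.
    }

    // Reads an init parameter, falling back to a default, and rejects values
    // containing line breaks so a configuration mistake cannot split headers.
    private static String value(FilterConfig config, String name, String fallback)
            throws ServletException {
        String raw = config.getInitParameter(name);
        if (raw == null || raw.trim().length() == 0) {
            return fallback;
        }
        String trimmed = raw.trim();
        if (trimmed.indexOf('\r') >= 0 || trimmed.indexOf('\n') >= 0) {
            throw new ServletException("Init parameter " + name + " must be a single line");
        }
        return trimmed;
    }
}
```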
RE: [External] Re: Security Headers Implementation in Tomcat 6.x version
Hi Chris,

My actual requirement was to implement 7 HTTP headers, out of which 4 are implemented in "HttpHeaderSecurityFilter". The remaining 3 headers (Content-Security-Policy, Public-Key-Pins, X-Robots-Tag) are not addressed in any of the filters available in Tomcat 7, 8 & 9 versions.

Is there any way that we implement these 3 headers in Tomcat?

Regards,
Mohammad

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 01 June 2017 19:59
To: users@tomcat.apache.org
Subject: Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

Mohammad,

On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be name of the new JAR file that I would create for the
> Filter classes?

It doesn't matter.

> There are multiple JAR files in lib folder. Does the name of these JAR
> files have any significance?

Not really.

> My understanding is that as long as you have your code (.class
> files) is present in any of the JAR files under "lib" folder, system
> would get it. You don’t need to have a specific-named JAR files having
> specific-named .class files. The .class files from all the jar files
> under lib folder is considered as one big collection, and based on the
> invoked classname its corresponding .class file gets executed from
> that big code. Multiple JAR files with different names is setup just
> for logical classification of classes. Please correct me if this is
> not right.

You are correct. There are problems if the same class exists in two separate JAR files, but that should not be a problem in the standard Tomcat installation, plus the JAR file that has a few (unique) classes from Tomcat 7 in there.

Remember: Upgrade ASAP.

-chris
Re: [External] Re: Security Headers Implementation in Tomcat 6.x version
Mohammad,

On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be name of the new JAR file that I would create for
> the Filter classes?

It doesn't matter.

> There are multiple JAR files in lib folder. Does the name of these
> JAR files have any significance?

Not really.

> My understanding is that as long as you have your code (.class
> files) is present in any of the JAR files under "lib" folder,
> system would get it. You don’t need to have a specific-named JAR
> files having specific-named .class files. The .class files from all
> the jar files under lib folder is considered as one big collection,
> and based on the invoked classname its corresponding .class file
> gets executed from that big code. Multiple JAR files with different
> names is setup just for logical classification of classes. Please
> correct me if this is not right.

You are correct. There are problems if the same class exists in two separate JAR files, but that should not be a problem in the standard Tomcat installation, plus the JAR file that has a few (unique) classes from Tomcat 7 in there.

Remember: Upgrade ASAP.

-chris
RE: [External] Re: Security Headers Implementation in Tomcat 6.x version
Hi Chris,

What should be name of the new JAR file that I would create for the Filter classes?

There are multiple JAR files in lib folder. Does the name of these JAR files have any significance?

My understanding is that as long as you have your code (.class files) is present in any of the JAR files under "lib" folder, system would get it. You don’t need to have a specific-named JAR files having specific-named .class files. The .class files from all the jar files under lib folder is considered as one big collection, and based on the invoked classname its corresponding .class file gets executed from that big code. Multiple JAR files with different names is setup just for logical classification of classes. Please correct me if this is not right.

- Mohammad

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 31 May 2017 23:52
To: users@tomcat.apache.org
Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version

Mohammad,

On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
> Can I simply use the JAR files from Tomcat 7 that contains executable
> code of filter classes (security headers), and put them into
> corresponding location in Tomcat 6?

Definitely don't do that. But you could probably grab the compiled .class files from Tomcat 7's binary distribution... just make sure you have all of them.

So, basically, create a new JAR file that contains only those Filter classes (don't forget any inner classes that might be found in separate .class files).

-chris