Hi, 2017-05-31 13:34 GMT+03:00 Shaik, Mohammad N. < mohammad.n.sh...@accenture.com>: > > Hi Chris, > > I got the source files (.java) of the filter classes that I was looking for. > > Should we compile the source file against the servlet jar file(s) present in "[Tomcat]\lib\"
Yes. Compile them against the jar files located in Tomcat/lib. The servlet API classes will be loaded from Tomcat/lib a.k.a. common loader. More you can find here: http://tomcat.apache.org/tomcat-6.0-doc/class-loader-howto.html#Class_Loader_Definitions - Common — This class loader contains additional classes that are made visible to both Tomcat internal classes and to all web applications. - WebappX — A class loader is created for each web application that is deployed in a single Tomcat instance. > or "[Tomcat]\webapps\ApplicationName\WEB-INF\lib"? I see there are multiple JAR files in both these locations. How to locate the exact JAR file which should be used to compile source files? > > My understanding is that as long as you have your code (.class files) in any of the JAR files under "lib" folder, system would get it. You don’t need to have specific code in specific JAR file. Code from all the jar files under lib folder is considered as one big code, and based on the class invoked its corresponding code gets executed from that one big code. Please correct me if this is not right. > > Also, should we include the filters in web.xml file under "[Tomcat]\conf\" folder or under "WEB-INF" folder of my application? The web.xml located in Tomcat/conf is the "global" one. The configurations there will be applied to every web application deployed on the Tomcat instance. So if you need to apply this filter to all web apps then place the definition and configurations there. Otherwise you can provide the filter definition and configurations in the WEB-INF/web.xml for a particular web app. Regards, Violeta > > > Regards, > Mohammad > > -----Original Message----- > From: Christopher Schultz [mailto:ch...@christopherschultz.net] > Sent: 30 May 2017 21:06 > To: users@tomcat.apache.org > Subject: Re: Security Headers Implementation in Tomcat 6.x version > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Mohammad, > > On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote: > > Thanks for the valuable input, that helps!! We shall go with getting > > the source package of Tomcat 7, put them in Tomcat 6 and use the > > filters of Tomcat 7 in Tomcat 6. > > > > Can you please let me know from where I can get/download the source > > package of Tomcat 7? Also can you please share the location of the > > source package in Tomcat 6 so that we can replace it with the one from > > Tomcat 7? > > The source download for Tomcat 7 is in the same place all the other downloads are. > > You will not need the source for Tomcat 6, nor will you need to build the complete source-to-binary for Tomcat 7. Just grab the source, take the classes you need, and compile them against the servlet JAR you already have for Tomcat 6. Feel free to re-name the packages if they are awkward for you to compile/install and then just reference the new class names in your application/server. > > Remember to watch for patches to those source files in Tomcat 7 in case they include e.g. security updates -- you'll want to apply those same updates to the code you have taken from Tomcat 7. > > A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is backward-compatible with all spec-compliant applications, though it does behave differently sometimes as the Servlet Experts Group has clarified certain questions or added new capabilities (like annotation-processing). I recommend a long period of testing with a new version of Tomcat, but I also recommend that you begin that testing as soon as possible. Tomcat 6 will probably receive *no further updates, security or otherwise*, even if a vulnerability is foun d. > > - -chris > > > -----Original Message----- From: Christopher Schultz > > [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To: > > users@tomcat.apache.org Subject: Re: Security Headers Implementation > > in Tomcat 6.x version > > > > Mohammad, > > > > On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote: > >> Based on your inputs, we are thinking to put Apache httpd in front of > >> Tomcat 6 server, since our header configuration is going to be > >> static. > > > > This might not be a bad idea for a number of reasons, but it is by no > > means required. > > > > You can download the Tomcat 7 source package and use the security > > filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that > > actually requires Tomcat 7 to run. > > > >> Can you please help us in identifying which version of Apache HTTP > >> Server we can use for Tomcat 6 version? Also, it will be great if you > >> can share some guidelines on how to implement Apache in front of > >> Tomcat. > > All supported versions of Apache web server work with app supported > > versions of Tomcat (as well as Tomcat 6). You have several choices for > > how to connect them together, but the most straightforward is to use > > mod_proxy_http from httpd to Tomcat. > > Tomcat behaves exactly as it did before and requires no additional > > configuration unless you are moving TLS termination from Tomcat to > > httpd. If that's the case, there are many guides on the web as well as > > on Tomcat's Presentations Page[2] that document how to do that. > > > > Hope that helps, -chris > > > > [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2] > > http://tomcat.apache.org/presentations.html > > > > --------------------------------------------------------------------- > > > > > > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > > ________________________________ > > > > This message is for the designated recipient only and may contain > > privileged, proprietary, or otherwise confidential information. If you > > have received it in error, please notify the sender immediately and > > delete the original. Any other use of the e-mail by you is prohibited. > > Where allowed by local law, electronic communications with Accenture > > and its affiliates, including e-mail and instant messaging (including > > content), may be scanned by our systems for the purposes of > > information security and assessment of internal compliance with > > Accenture policy. > > ______________________________________________________________________ > ________________ > > > > > > > www.accenture.com > > > > --------------------------------------------------------------------- > > > > > > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > -----BEGIN PGP SIGNATURE----- > Comment: GPGTools - http://gpgtools.org > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIcBAEBCAAGBQJZLZFGAAoJEBzwKT+lPKRYFlEQAMWx2/ngj4vEeoQfZU4rRFlH > 1Mscn61MUFJdrVBFkVF+NR86m8clUt8Kw1MKZNGexMXcKjrIllqnVPJUQxjyvgai > bsDndUDGT/BrFtyLWg8B68mUok+X3dcv4NrhokRQ4phpKM4vADIl6bqi6Uxmp1sX > rRyjx0ZGnKTKEw2rJgAzp22OP7OURz5eyOayMNLBvCFcXBNLagC9uhuCuG39Hhjx > 9FBjDZZDuFbLpWSH65pakWwU0vhcl2D45641n5dKwEyAsOPdrdJMBrjIE/ruj6/R > pkxgawkIHTIWBdq9DoJzTZjD4opnsowlYpLwE7SrTQ7zy8YJ+9Pr2YoKZhBWsh+g > Fd0F0FprIfWV7V7hQosY/q2yFgMBHBRlnLVO3n9ZdzWW0Wl8+YZNDI0svuEBzP6T > U6YgnaUtm35XroBUyaYCA5ucjMbiY4S8ow0O7+8fHPjYmA4LDlGz5QLZdhiIsvtk > ceoHWYy5hFlRyo2PXbmHSzkpOU6AJ7naGxesjKJL5XK+VN3Bh+JdUgi6NnQOgov3 > 984q7QAMB5ngdKwfW2/96pCLvSoMptSST653bGI8eDbt8byIivZEkXuRg1P3Pk/a > ygRahHV7GxLHIZczAOoNspZxXlaDOBrgpSUZ+Yo31byBS+e4l7MRjKIDGElS51GP > E6i6GV+37TsmOyY2aObW > =OejA > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > ________________________________ > > This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. > ______________________________________________________________________________________ > > www.accenture.com
