Ok, thank you.

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Thursday, April 27, 2023 10:16 AM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: OT: hsts in Tomcat 9.0.73
> 
> Jon,
> 
> On 4/26/23 13:04, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Qualys only checks ROOT (/), as it's the only context it could
> > possibly know about. The team does have a ROOT webapp which is
> > different from the one supplied with Tomcat.
> 
> Understood. I thought your main application was ROOT. It's not super
> important. Just use the "dummy ROOT" for this purpose. I think it's easier than
> modifying the base Tomcat install every time you upgrade.
> 
> > Can you show me where in the application web.xml to specify the
> > headers? I'm not that familiar with things at that level, just at the
> > server level.
> It should be the same as what you put into conf/web.xml: just define the
> <filter> and add <filter-mapping>/*</filter-mapping>.
> 
> -chris
> 
> >> -----Original Message-----
> >> From: Christopher Schultz <ch...@christopherschultz.net>
> >> Sent: Tuesday, April 25, 2023 4:40 PM
> >> To: users@tomcat.apache.org
> >> Subject: Re: OT: hsts in Tomcat 9.0.73
> >>
> >> Jon,
> >>
> >> On 4/25/23 13:26, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> <Connector port="8443" keystorePass="REMOVED" keystoreFile="REMOVED"
> >>>   ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
> >>>   sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> >>>   sslEnabledProtocols=" TLSv1.2" sslProtocol="TLS" clientAuth="false"
> >>>   secure="true" scheme="https" SSLEnabled="true" maxThreads="150"
> >>>   protocol="org.apache.coyote.http11.Http11NioProtocol"/>
> >>
> >> Here is the code for the HSTS part of the Filter:
> >>
> >>       // HSTS
> >>       if (hstsEnabled && request.isSecure()) {
> >>           httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue);
> >>       }
> >>
> >> I was wondering if maybe secure="true" wasn't there, but you have it.
> >>
> >> :hmm:
> >>
> >> What's the name of the application artifact? Like the WAR file or
> >> WAR directory in webapps/ ? Are you deploying it multiple times --
> >> say, from both auto-deployment *and also* with a <Context> in
> >> conf/server.xml?
> >>
> >> Your copy/paste of web.xml has a bunch of leading - symbols before
> >> each of the <open-elements> e.g.:
> >>
> >> -<filter>
> >> <filter-name>httpHeaderSecurity</filter-name>
> >>
> >> Is that just an artifact from the XML editor/viewer you are using?
> >>
> >> I can see these headers which should also be coming from the
> >> HttpHeaderSecurityFilter:
> >>
> >>> X-Content-Type-Options nosniff
> >>> X-Frame-Options        SAMEORIGIN
> >>> X-XSS-Protection       1
> >>
> >> (Although the documentation suggests that the value for
> >> X-XSS-Protection should be "1; mode=block" and it isn't in the above
> >> header value.)
> >>
> >> Are you able to change the configuration and/or add some code/config?
> >>
> >> -chris
> >>
> >>>> -----Original Message-----
> >>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>> Sent: Tuesday, April 25, 2023 10:04 AM
> >>>> To: users@tomcat.apache.org
> >>>> Subject: Re: OT: hsts in Tomcat 9.0.73
> >>>>
> >>>> Jon,
> >>>>
> >>>> On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>>>> It's the Server level web.xml in conf
> >>>>
> >>>> So it applies to all web applications.
> >>>>
> >>>> I would recommend that you change that configuration to:
> >>>>
> >>>> 1. Be present in your own web application's WEB-INF/web.xml file and
> >>>> 2. Deploy a ROOT application which has only a few things in it and
> >>>> 3. Be present in webapps/ROOT/WEB-INF/web.xml
> >>>>
> >>>> Having a missing ROOT application can cause a few weird things to
> >>>> happen.
> >>>> Having the ROOT means that you can always return e.g. a 404
> >>>> response even if there is no application deployed on /foo just in case.
> >>>> (This may have changed in the past few years, it used to be that a
> >>>> request for /foo would return 400 or something similar instead of 404).
> >>>>
> >>>> It also means that your Tomcat installation doesn't have to be
> >>>> re-customized any time you upgrade it: just deploy your dummy-ROOT
> >>>> and your own application and you are all good.
> >>>>
> >>>> What does your <Connector> look like for port 8443?
> >>>>
> >>>> -chris
> >>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>>>> Sent: Tuesday, April 25, 2023 9:15 AM
> >>>>>> To: users@tomcat.apache.org
> >>>>>> Subject: Re: OT: hsts in Tomcat 9.0.73
> >>>>>>
> >>>>>> Jon,
> >>>>>>
> >>>>>> On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>>>>>> Hello again.
> >>>>>>>
> >>>>>>> I have another app team that is getting hit with a QID 11827
> >>>>>>> stating that the hsts Security header is missing. We have reviewed
> >>>>>>> the web.xml and the appropriate section and filter are present.
> >>>>>>> hstsEnabled is set to true. Performing a curl against the site does
> >>>>>>> NOT show the hsts STRICT header.
> >>>>>>>
> >>>>>>> WEB.XML
> >>>>>>
> >>>>>> Which web.xml? And is the filename really capitalized?
> >>>>>>
> >>>>>> -chris
> >>>>>>
> >>>>>> ---------------------------------------------------------------------
> >>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
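The thread turns on the filter condition Chris quotes (`hstsEnabled && request.isSecure()`) and on the curl check Jon describes. The following is an added Python example, not Tomcat's code and not code from anyone in the thread: it models that decision and audits a `curl -sI` header dump for the four headers HttpHeaderSecurityFilter manages. It assumes the Strict-Transport-Security value layout (`max-age=N;includeSubDomains;preload`) and approximates `request.isSecure()` as the Connector's `secure` attribute, or RemoteIpValve honouring `X-Forwarded-Proto` when TLS is terminated at a proxy.

```python
import re
from typing import Dict, List, Optional

# Added example, not Tomcat's code. Header-value layout below is an
# assumption based on the filter's documented init-params.

def request_is_secure(connector_secure: bool, behind_proxy: bool = False,
                      x_forwarded_proto: Optional[str] = None,
                      remote_ip_valve: bool = False) -> bool:
    """Approximate ServletRequest.isSecure(): Connector secure="true", or
    RemoteIpValve trusting X-Forwarded-Proto from an upstream proxy."""
    if behind_proxy and remote_ip_valve:
        return x_forwarded_proto == "https"
    return connector_secure

def hsts_header(hsts_enabled: bool, is_secure: bool, max_age: int = 0,
                include_subdomains: bool = False, preload: bool = False) -> Optional[str]:
    """Value the filter would set, or None: the quoted branch only fires
    when hstsEnabled AND request.isSecure() are both true."""
    if not (hsts_enabled and is_secure):
        return None
    value = f"max-age={max_age}"
    if include_subdomains:
        value += ";includeSubDomains"
    if preload:
        value += ";preload"
    return value

def parse_headers(raw: str) -> Dict[str, str]:
    """Lower-cased header map from `curl -sI` style output (status line skipped)."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        m = re.match(r"^([A-Za-z0-9-]+):\s*(.*)$", line.strip())
        if m:
            headers[m.group(1).lower()] = m.group(2).strip()
    return headers

def audit(raw: str) -> List[str]:
    """Findings a scanner like Qualys would raise for the filter's headers."""
    h = parse_headers(raw)
    findings: List[str] = []
    if "strict-transport-security" not in h:
        findings.append("HSTS missing: hstsEnabled false, request.isSecure() false, "
                        "or filter not mapped in the context scanned (ROOT for /)")
    if h.get("x-xss-protection") not in (None, "1; mode=block"):
        findings.append("X-XSS-Protection is %r, docs suggest '1; mode=block'" % h["x-xss-protection"])
    for name in ("x-content-type-options", "x-frame-options"):
        if name not in h:
            findings.append(f"{name} missing")
    return findings

# Constructed sample reproducing the thread's symptom: three headers, no HSTS.
SAMPLE = ("HTTP/1.1 200\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\n"
          "X-XSS-Protection: 1\r\nContent-Type: text/html\r\n")
```

Run `audit()` on the output of `curl -sI https://host/` and again on the application's own context path; the two results tell you whether the filter is mapped in the context the scanner is looking at.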