RE: OT: hsts in Tomcat 9.0.73

[jonmcalexander]

Qualsys only checks ROOT (/), as it's the only context it could possibly know 
about. The team does have a ROOT webapps which is different from the one 
supplied with Tomcat. 

Can you show me where in the application web.xml to specify the headers? I'm 
not that familiar with things at that level, just at the server level.

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, April 25, 2023 4:40 PM
> To: users@tomcat.apache.org
> Subject: Re: OT: hsts in Tomcat 9.0.73
> 
> Jon,
> 
> On 4/25/23 13:26, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >  keystoreFile="REMOVED"
> >
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_
> WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> ,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_
> 128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_R
> SA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SH
> A,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_12
> 8_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WIT
> H_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WI
> TH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA
> _WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA
> _WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
> >
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementati
> on"
> > sslEnabledProtocols=" TLSv1.2" sslProtocol="TLS" clientAuth="false"
> > secure="true" scheme="https" SSLEnabled="true" maxThreads="150"
> > protocol="org.apache.coyote.http11.Http11NioProtocol"/>
> Here is the code for the HSTS part of the Filter:
> 
>  // HSTS
>  if (hstsEnabled && request.isSecure()) {
>  httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue);
>  }
> 
> I was wondering if maybe secure="true" wasn't there, but you have it.
> 
> :hmm:
> 
> What's the name of application artifact? Like the WAR file or WAR-directoery
> in webapps/ ? Are you deploying it multiple times -- say, from both auto-
> deployment *and also* with a  in conf/server.xml?
> 
> Your copy/paste of web.xml has a bunch of leading - symbols before each of
> the  e.g.:
> 
> -
> httpHeaderSecurity
> 
> Is that just an artifact from the XML editor/viewer you are using?
> 
> I can see these headers which should also be coming from the
> HttpHeaderSecurityFilter:
> 
> > X-Content-Type-Options nosniff
> > X-Frame-OptionsSAMEORIGIN
> > X-XSS-Protection   1
> 
> (Although the documentation suggests that the value for X-XSS-Protection
> should be "1; mode=block" and it isn't in the above header value.)
> 
> Are you able to change the configuration and/or add some code/config?
> 
> -chris
> 
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Tuesday, April 25, 2023 10:04 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: OT: hsts in Tomcat 9.0.73
> >>
> >> Jon,
> >>
> >> On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> It's the Server level web.xml in conf
> >>
> >> So it applies to all web applications.
> >>
> >> I would recommend that you change that configuration to:
> >>
> >> 1. Be present in your own web application's WEB-INF/web.xml file and 2.
> >> Deploy a ROOT application which has only a few things in it and 3. Be
> >> present in webapps/ROOT/WEB-INF/web.xml
> >>
> >> Having a missing ROOT application can cause a few weird things to
> happen.
> >> Having the ROOT means that you can always return e.g. a 404 response
> >> even if there is no application deployed on /foo just in case.
> >> (This may have changed in the past few years, it used to be that a
> >> request for /foo would return 400 or something similar instead of 404).
> >>
> >> It also means that your Tomcat installation doesn't have to be
> >> re-customized any time you upgrade it: just deploy your dummy-ROOT
> >> and your own application and you are all good.
> >>
> >> What does your  look like for port 8443?
> >>
> >> -chris
> >>
>  -Original Message-
>  From: Christopher Schultz 
>  Sent: Tuesday, April 25, 2023 9:15 AM
>  To: users@tomcat.apache.org
>  Subject: Re: OT: hsts in Tomcat 9.0.73
> 
>  Jon,
> 
>  On 4/20/23 16:39, 

Re: How to setup client certificate based authentication in Tomcat 9

[Christopher Schultz]

Parkar,

On 4/26/23 10:34, Patkar Omkar Anant wrote:

I am a bit newbie to this domain of client certificate-based
authentication. We have two applications … A(server) and B(client).

Web application A runs on Apache Tomcat 9.0.52. (it’s a REST API
based application). Application B invokes the rest api of application
A.

Now we want to introduce client certificate-based authentication
between A and B.
Good for you. I wish more and more services would (a) offer this and (b) 
actually use it.



So far based on information I have gathered from the internet all I
have got is different pieces, but I am not able to connect the dots
how to setup or configure tomcat (where A is hosted) to achieve this
requirement. >
I have been provided certificate by application B that is going to
access our application A.
Good so far. You need to configure Application A (server) with a "trust 
store" which contains that certificate.



But what are realms, how to map them with the certificate provided to
us and configure that realm in tomcat, where to store the certificate
provided by client, how to enforce webapp on system A to go for
client certificate authentication etc…these dots I am not able to
connect.

You are very unlikely to need a Realm at all.

Will you be requiring a client cert for every connection, or is it only 
for some users?



It would be great and appreciated, if someone can guide me the
correct sequence and steps I should follow ? … basically, help me to
connect the dots. 
In order to get Tomcat to request and/or process a client's TLS 
certificate, you need to alter your  to include some of these:


(https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support)

truststoreFile (points to the JKS or P12 (preferred) file that contains 
your trusted certificates)


certificateVerification (choose either "optional" for requesting but not 
requiring it for all clients or "required" to require a certificate to 
be presented by all clients)


If you just want to require all requests to present that certificate, 
then you need:


certificateVerification="required"
truststoreFile="mykeystore.p12"
truststorePassword="secret"

This should do all the checking you need. You should not even have to 
configure your web application to use CLIENT-CERT authentication unless 
you want to be able to identify the caller from within the application.


If you want that, reply and I can explain what happens next.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

How to setup client certificate based authentication in Tomcat 9

[Patkar Omkar Anant]

Hi,

I am a bit newbie to this domain of client certificate-based authentication. We 
have two applications … A(server) and B(client).
Web application A runs on Apache Tomcat 9.0.52. (it’s a REST API based 
application). Application B invokes the rest api of application A.

Now we want to introduce client certificate-based authentication between A and 
B. So far based on information I have gathered from the internet all I have got 
is different pieces, but I am not able to connect the dots how to setup or 
configure tomcat (where A is hosted) to achieve this requirement.

I have been provided certificate by application B that is going to access our 
application A.
But what are realms, how to map them with the certificate provided to us and 
configure that realm in tomcat, where to store the certificate provided by 
client, how to enforce webapp on system A to go for client certificate 
authentication etc…these dots I am not able to connect.

It would be great and appreciated, if someone can guide me the correct sequence 
and steps I should follow ? … basically, help me to connect the dots. 

Thanks and Regards
Omkar Patkar