Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-09-07 Thread Mark H. Wood
On Thu, Sep 07, 2017 at 04:07:25PM +0530, Mohammad Nayeem wrote:
> We have installed apache and configured the mod_jk connector along with a
> load-balancer for 2 tomcat servers.
> 
> We were able to successfully start apache and we got the login page of our
> application hosted on it, but the functionality is lost. For example, when
> we hit the login button on the home page, nothing happens. Also, when we tried
> to access a specific web page using a direct URL, we ended up with an error.
> 
> Do you have any suggestion for me so that we can achieve the exact same
> functionality that we had without apache in front?

Yes:

o  When you say, "we ended up with an error," tell us what the error
   message says.  It is very difficult to diagnose an unknown error.

o  When you say, "nothing happens," what should happen, in detail?
   Check Tomcat's log files for the time at which nothing happened.
   Check your application's log files for that time.  If the logs say
   nothing about the operation, then it's time to insert more logging
   in your application code, or attach a debugger and step through the
   code, to see what it is doing.

o  Your browser may have developer tools that can show you requests
   and responses, which may help you to determine what is happening.
   I like a Firefox add-on called Firebug, if you need a suggestion.

o  In general, if we are to help, we need a lot more detail than "it
   doesn't work."  Too much information is better than too little.

o  My recollection is that this list does not forward attachments.  If
   the evidence is too large to simply copy into an email body, you
   could post it on something like Pastebin or Github Gist and refer
   to the URL in your messages.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu




RE: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-09-07 Thread Mohammad Nayeem
Hello Olaf,

We have tried your suggestions as well as Chris's, but in both cases
the functionality of the application is lost.

We have installed apache and configured the mod_jk connector along with a
load-balancer for 2 tomcat servers.

We were able to successfully start apache and we got the login page of our
application hosted on it, but the functionality is lost. For example, when
we hit the login button on the home page, nothing happens. Also, when we tried
to access a specific web page using a direct URL, we ended up with an error.

Do you have any suggestion for me so that we can achieve the exact same
functionality that we had without apache in front?


Regards,
Mohammad Nayeem

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


RE: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-09-07 Thread Mohammad Nayeem
Hi Chris,


We currently have version 7.0.42, which does not support security headers,
so we have taken the jar files from 7.0.63 and replaced those in the
7.0.42 library folder. We were able to successfully start our tomcat
instance and we got the login page of our application hosted on it, but the
functionality is lost. For example, when we hit the login button on the home
page, nothing happens. Also, when we tried to access a specific web page using
a direct URL, we ended up with an error.


Do you have any suggestion for me so that we can achieve the exact same
functionality using the libraries of 7.0.63? For your information, I have
tried using later versions like Tomcat 8, but no luck.



Regards,

Mohammad Nayeem


Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Shaik,

On 6/8/17 1:18 AM, Shaik, Mohammad N. wrote:
> Hi Olaf & Chris,
> 
> By placing HTTPD 2.x server in front of Tomcat 6, is it possible to
> hide Tomcat 6 from external world? I just don’t want people to find
> out that I am using Tomcat 6, instead I want them to know that I am
> using httpd 2.x server. Is this possible?
> 
> I just need Apache HTTPD server to take care of headers and let
> Tomcat do rest of the stuff (which it is already doing in my case).
> Do I still need to configure anything other than headers in my
> case?

Not really. If you configure httpd -> Tomcat, then you can
firewall-out everyone from your Tomcat server except the server
running httpd.

By default, httpd will return its own "Server" header so you don't
even need to try to mask Tomcat's existence that way.

- -chris

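The httpd-in-front setup Olaf and Chris describe, as an added example that is not part of the thread: an httpd 2.4 virtual host that hands the webapp to Tomcat over AJP (mod_proxy_ajp, one of the modules Olaf names), sets the headers the Tomcat filters don't cover with mod_headers' "Header" directive, and lets httpd's own Server header answer for the site. The hostname, the /app context path, the header values and the assumption that Tomcat's AJP connector listens on 127.0.0.1:8009 (Tomcat's default AJP port) are mine, not from the thread.

```apache
# Added example, not configuration from the thread. Assumed: Tomcat's AJP
# connector on 127.0.0.1:8009, webapp deployed at /app, placeholder hostname.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_ajp_module  modules/mod_proxy_ajp.so
LoadModule headers_module    modules/mod_headers.so

# Server-config context (not allowed inside <VirtualHost>): send only
# "Server: Apache", no version or module list.
ServerTokens Prod

<VirtualHost *:443>
    ServerName www.example.com
    # TLS settings (SSLEngine, certificate, key) omitted for brevity.

    # Forward every request under /app to Tomcat over AJP. ProxyPassReverse
    # rewrites Location headers in Tomcat redirects back to this host.
    ProxyPass        /app ajp://127.0.0.1:8009/app
    ProxyPassReverse /app ajp://127.0.0.1:8009/app

    # Two of the three headers the thread asks for. "always" puts them on
    # every response regardless of status, so 4xx/5xx pages get them too.
    Header always set Content-Security-Policy "default-src 'self'; frame-ancestors 'none'"
    Header always set X-Robots-Tag "noindex, nofollow"

    # Public-Key-Pins, the third header, is left commented out on purpose:
    # a wrong pin locks browsers out of the site for max-age seconds, and
    # current browsers no longer enforce HPKP at all. If you still must send
    # it, include a backup pin and keep max-age short while rolling it out.
    # The two pin values are placeholders, not real SPKI hashes.
    #Header always set Public-Key-Pins "pin-sha256=\"PRIMARY_PIN_BASE64\"; pin-sha256=\"BACKUP_PIN_BASE64\"; max-age=300"

    # Tomcat only emits X-Powered-By when the connector sets xpoweredBy="true",
    # but unsetting it here costs nothing and also covers the application.
    Header always unset X-Powered-By
</VirtualHost>
```

To get Chris's "firewall-out everyone except httpd" effect, bind the AJP connector to loopback with address="127.0.0.1" on the Connector element in Tomcat's server.xml (or block 8009 and 8080 at the host firewall), so the only route to Tomcat is through httpd. Then request the login page with curl -sI through httpd and confirm the Server line reads "Apache" and both headers set above are present.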
RE: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-07 Thread Shaik, Mohammad N.
Hi Olaf & Chris,

By placing HTTPD 2.x server in front of Tomcat 6, is it possible to hide Tomcat 
6 from external world? I just don’t want people to find out that I am using 
Tomcat 6, instead I want them to know that I am using httpd 2.x server. Is this 
possible?

I just need Apache HTTPD server to take care of headers and let Tomcat do the 
rest of the stuff (which it is already doing in my case). Do I still need to 
configure anything other than headers in my case?


Regards,
Mohammad

-Original Message-
From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: 31 May 2017 16:38
To: Tomcat Users List <users@tomcat.apache.org>
Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version

On 29.05.2017 at 13:34, Shaik, Mohammad N. wrote:
> Hello Olaf,
>
> Thanks for your response!
>
> Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 
> 6 server, since our header configuration is going to be static.
>
> Can you please help us in identifying which version of Apache HTTP Server we 
> can use for Tomcat 6 version? Also, it will be great if you can share some 
> guidelines on how to implement Apache in front of Tomcat.

For completeness sake I'd like to answer a few of these questions, rather 
briefly. It seems that you're deep into implementing Christopher's solution of 
compiling the newer filters for Tomcat 6.

Every current Apache httpd is fine, no version restriction. Especially:
Choose one that will get updates for quite a while, not like the outdated 
Tomcat version you're running. Read on mod_proxy, mod_proxy_ajp, mod_jk and 
mod_proxy_http, which are all keywords on the connection between Apache and 
tomcat. Once you've set this up, setting the headers is a matter of adding the 
"Header" directive to httpd's configuration. I understand though, that setting 
up the connection can be some task if you've never done that. Especially if 
you're using https, and also refer to it in your webapp's code (e.g. to 
validate client certs) - but as you give no clue you're doing that, I'm 
assuming you don't and the setup would be easy.

Anyway, feel free to utilize the newer code - I just wanted this information to 
be in this thread as well. However, once you're done with
it: Utilize even more newer code and prepare to migrate away from your 
discontinued tomcat version.

Olaf






Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-02 Thread Olaf Kock


On 02.06.2017 at 07:43, Shaik, Mohammad N. wrote:
> Hi Chris,
>
> My actual requirement was to implement 7 HTTP headers, out of which
> 4 are implemented in "HttpHeaderSecurityFilter". The remaining 3 headers
> (Content-Security-Policy, Public-Key-Pins, X-Robots-Tag) are not
> addressed in any of the filters available in Tomcat 7, 8 & 9 versions.
>
> Is there any way that we implement these 3 headers in Tomcat?
Sure. Look at the implementation for the 4 headers you found. Add three
more, recompile. Alternatively, add another filter just for your 3 headers.

As you're creating a solution for yourself exclusively, you may even
completely hard code the values and conditions you need. There's no need
for configuration or making it "ready for prime time" as nobody else
will use this code under different circumstances.

Or write your own servlet filter for the webapps you deploy (no need to
go app-server side when the webapps do what's required themselves). In
those servlet filters, set those headers under conditions that you
determine yourself.

Or (again, sorry) utilize httpd's mod_headers.

Olaf



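Olaf's second option, as an added example that is not part of the thread or of Tomcat: a plain Servlet 2.5 filter (the API level Tomcat 6 implements, so no @WebFilter annotation) that sets Content-Security-Policy and X-Robots-Tag on every response of the webapp it is mapped to, and Public-Key-Pins only when explicitly configured. The package, class and init-param names and the default header values are my assumptions. Registration goes in the webapp's WEB-INF/web.xml, shown in the trailing comment.

```java
// Added example, not code from the thread or from Tomcat. Package, class,
// init-param names and default values are assumptions.
package com.example.filters;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ExtraSecurityHeadersFilter implements Filter {

    // Hard-coded defaults, as Olaf suggests; each can be overridden by an
    // init-param in web.xml.
    private String csp = "default-src 'self'; frame-ancestors 'none'";
    private String robots = "noindex, nofollow";
    // Public-Key-Pins stays off unless configured: a wrong pin locks every
    // browser out of the site for max-age seconds.
    private String hpkp = null;

    public void init(FilterConfig config) throws ServletException {
        String v;
        if ((v = config.getInitParameter("contentSecurityPolicy")) != null) csp = v;
        if ((v = config.getInitParameter("xRobotsTag")) != null) robots = v;
        if ((v = config.getInitParameter("publicKeyPins")) != null) hpkp = v;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Set the headers BEFORE chain.doFilter(): once the servlet has
            // committed the response, headers added afterwards are dropped.
            http.setHeader("Content-Security-Policy", csp);
            http.setHeader("X-Robots-Tag", robots);
            // HPKP is only meaningful on a TLS connection.
            if (hpkp != null && req.isSecure()) {
                http.setHeader("Public-Key-Pins", hpkp);
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}

/* WEB-INF/web.xml entries (Servlet 2.5, no annotations in Tomcat 6):
<filter>
  <filter-name>ExtraSecurityHeaders</filter-name>
  <filter-class>com.example.filters.ExtraSecurityHeadersFilter</filter-class>
  <init-param>
    <param-name>contentSecurityPolicy</param-name>
    <param-value>default-src 'self'; script-src 'self'</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>ExtraSecurityHeaders</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>ERROR</dispatcher>
</filter-mapping>
*/
```

Map the filter first in web.xml so it runs before any filter or servlet that might commit the response, and include the ERROR dispatcher so error-page dispatches pass through it as well. Unlike the httpd approach, this only covers responses produced by this webapp: Tomcat's own default error pages for contexts without the filter are not touched.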



RE: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-01 Thread Shaik, Mohammad N.
Hi Chris,

My actual requirement was to implement 7 HTTP headers, out of which 4 are 
implemented in "HttpHeaderSecurityFilter". The remaining 3 headers 
(Content-Security-Policy, Public-Key-Pins, X-Robots-Tag) are not addressed in 
any of the filters available in Tomcat 7, 8 & 9 versions.

Is there any way that we implement these 3 headers in Tomcat?


Regards,
Mohammad


Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-01 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mohammad,

On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be name of the new JAR file that I would create for
> the Filter classes?
It doesn't matter.

> There are multiple JAR files in lib folder. Does the name of these 
> JAR files have any significance?

Not really.

> My understanding is that as long as you have your code (.class 
> files) is present in any of the JAR files under "lib" folder,
> system would get it. You don’t need to have a specific-named JAR
> files having specific-named .class files. The .class files from all
> the jar files under lib folder is considered as one big collection,
> and based on the invoked classname its corresponding .class file
> gets executed from that big code. Multiple JAR files with different
> names is setup just for logical classification of classes. Please
> correct me if this is not right.

You are correct. There are problems if the same class exists in two
separate JAR files, but that should not be a problem in the standard
Tomcat installation, plus the JAR file that has a few (unique) classes
from Tomcat 7 in there.

Remember: Upgrade ASAP.

- -chris




RE: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Shaik, Mohammad N.
Hi Chris,

What should be name of the new JAR file that I would create for the Filter 
classes?

There are multiple JAR files in lib folder. Does the name of these JAR files 
have any significance?

My understanding is that as long as your code (.class files) is 
present in any of the JAR files under the "lib" folder, the system would get it. 
You don't need specific-named JAR files containing specific-named .class 
files. The .class files from all the jar files under the lib folder are considered 
one big collection, and based on the invoked classname its corresponding 
.class file gets executed from that big code. Multiple JAR files with different 
names are set up just for logical classification of classes. Please correct me if 
this is not right.

- Mohammad



Re: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Christopher Schultz

Mohammad,

On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
> Can I simply use the JAR files from Tomcat 7 that contains 
> executable code of filter classes (security headers), and put them 
> into corresponding location in Tomcat 6?

Definitely don't do that. But you could probably grab the compiled
.class files from Tomcat 7's binary distribution... just make sure you
have all of them.

So, basically, create a new JAR file that contains only those Filter
classes (don't forget any inner classes that might be found in
separate .class files).

- -chris



Re: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Olaf Kock
On 29.05.2017 at 13:34, Shaik, Mohammad N. wrote:
> Hello Olaf,
>
> Thanks for your response!
>
> Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 
> 6 server, since our header configuration is going to be static.
>
> Can you please help us in identifying which version of Apache HTTP Server we 
> can use for Tomcat 6 version? Also, it will be great if you can share some 
> guidelines on how to implement Apache in front of Tomcat.

For completeness' sake I'd like to answer a few of these questions,
rather briefly. It seems that you're deep into implementing
Christopher's solution of compiling the newer filters for Tomcat 6.

Every current Apache httpd is fine, no version restriction. Especially:
Choose one that will get updates for quite a while, not like the
outdated Tomcat version you're running. Read on mod_proxy,
mod_proxy_ajp, mod_jk and mod_proxy_http, which are all keywords on the
connection between Apache and tomcat. Once you've set this up, setting
the headers is a matter of adding the "Header" directive to httpd's
configuration. I understand though, that setting up the connection can
be some task if you've never done that. Especially if you're using
https, and also refer to it in your webapp's code (e.g. to validate
client certs) - but as you give no clue you're doing that, I'm assuming
you don't and the setup would be easy.

Anyway, feel free to utilize the newer code - I just wanted this
information to be in this thread as well. However, once you're done with
it: Utilize even more newer code and prepare to migrate away from your
discontinued tomcat version.

Olaf
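
The httpd setup Olaf describes, as an added example that is not part of his message or of the Tomcat project: mod_proxy_http forwards requests to a Tomcat assumed to listen on localhost:8080, TLS is terminated in httpd, and mod_headers adds the static headers. The hostname, certificate paths and header values are placeholders chosen for this example, and the vhost assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded.

```apache
# Added example, not from the thread or the Tomcat docs.
# Assumption: Tomcat's HTTP connector listens on localhost:8080.
<VirtualHost *:443>
    # Placeholder hostname and certificate paths.
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/app.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/app.example.com.key

    # Forward everything to Tomcat. ProxyPreserveHost keeps the original
    # Host header so Tomcat builds redirects and cookies for the public name.
    ProxyPreserveHost On
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    # "always" makes the header appear on every response, including error
    # pages and redirects; the default "onsuccess" condition covers only
    # 2xx responses. Header values below are sample values for the example.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set Content-Security-Policy "default-src 'self'; frame-ancestors 'none'"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    Header always set X-Robots-Tag "noindex, nofollow"
</VirtualHost>

# Plain HTTP only redirects to HTTPS. Strict-Transport-Security is never
# sent here: browsers ignore HSTS received over http:// anyway.
<VirtualHost *:80>
    ServerName app.example.com
    Redirect permanent / https://app.example.com/
</VirtualHost>
```

Two things worth checking after a setup like this. First, the headers exist only on responses that actually pass through httpd, so Tomcat's own HTTP connector should be bound to the loopback address (the Connector's `address` attribute) or firewalled; a client that reaches port 8080 directly gets responses without them. Second, with TLS terminated in httpd, Tomcat still sees plain HTTP requests, which matters for any application code that checks `isSecure()` or builds absolute URLs, as Olaf notes above.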






Re: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Violeta Georgieva
Hi,

2017-05-31 13:37 GMT+03:00 Shaik, Mohammad N. <mohammad.n.sh...@accenture.com>:
>
> Hi Chris,
>
> Can I simply use the JAR files from Tomcat 7 that contains executable
code of filter classes (security headers), and put them into corresponding
location in Tomcat 6?

I would not recommend that. You might easily hit a variety of class loading
problems.
Just grab the java files and compile them against Tomcat/lib.

Regards,
Violeta

>
> Regards,
> Mohammad
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 30 May 2017 21:06
> To: users@tomcat.apache.org
> Subject: Re: Security Headers Implementation in Tomcat 6.x version
>
>
> Mohammad,
>
> On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> > Thanks for the valuable input, that helps!! We shall go with getting
> > the source package of Tomcat 7, put them in Tomcat 6 and use the
> > filters of Tomcat 7 in Tomcat 6.
> >
> > Can you please let me know from where I can get/download the source
> > package of Tomcat 7? Also can you please share the location of the
> > source package in Tomcat 6 so that we can replace it with the one from
> > Tomcat 7?
>
> The source download for Tomcat 7 is in the same place all the other
downloads are.
>
> You will not need the source for Tomcat 6, nor will you need to build the
complete source-to-binary for Tomcat 7. Just grab the source, take the
classes you need, and compile them against the servlet JAR you already have
for Tomcat 6. Feel free to re-name the packages if they are awkward for you
to compile/install and then just reference the new class names in your
application/server.
>
> Remember to watch for patches to those source files in Tomcat 7 in case
they include e.g. security updates -- you'll want to apply those same
updates to the code you have taken from Tomcat 7.
>
> A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is
backward-compatible with all spec-compliant applications, though it does
behave differently sometimes as the Servlet Experts Group has clarified
certain questions or added new capabilities (like annotation-processing). I
recommend a long period of testing with a new version of Tomcat, but I also
recommend that you begin that testing as soon as possible. Tomcat 6 will
probably receive *no further updates, security or otherwise*, even if a
vulnerability is found.
>
> - -chris
>
> > -Original Message- From: Christopher Schultz
> > [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To:
> > users@tomcat.apache.org Subject: Re: Security Headers Implementation
> > in Tomcat 6.x version
> >
> > Mohammad,
> >
> > On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> >> Based on your inputs, we are thinking to put Apache httpd in front of
> >> Tomcat 6 server, since our header configuration is going to be
> >> static.
> >
> > This might not be a bad idea for a number of reasons, but it is by no
> > means required.
> >
> > You can download the Tomcat 7 source package and use the security
> > filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> > actually requires Tomcat 7 to run.
> >
> >> Can you please help us in identifying which version of Apache HTTP
> >> Server we can use for Tomcat 6 version? Also, it will be great if you
> >> can share some guidelines on how to implement Apache in front of
> >> Tomcat.
> > All supported versions of Apache web server work with app supported
> > versions of Tomcat (as well as Tomcat 6). You have several choices for
> > how to connect them together, but the most straightforward is to use
> > mod_proxy_http from httpd to Tomcat.
> > Tomcat behaves exactly as it did before and requires no additional
> > configuration unless you are moving TLS termination from Tomcat to
> > httpd. If that's the case, there are many guides on the web as well as
> > on Tomcat's Presentations Page[2] that document how to do that.
> >
> > Hope that helps, -chris
> >
> > [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2]
> > http://tomcat.apache.org/presentations.html
> >

Re: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Violeta Georgieva
Hi,

2017-05-31 13:34 GMT+03:00 Shaik, Mohammad N. <mohammad.n.sh...@accenture.com>:
>
> Hi Chris,
>
> I got the source files (.java) of the filter classes that I was looking
for.
>
> Should we compile the source file against the servlet jar file(s) present
in "[Tomcat]\lib\"

Yes.
Compile them against the jar files located in Tomcat/lib.
The servlet API classes will be loaded from Tomcat/lib, a.k.a. the common
loader. You can find more here:

http://tomcat.apache.org/tomcat-6.0-doc/class-loader-howto.html#Class_Loader_Definitions
- Common — This class loader contains additional classes that are made
visible to both Tomcat internal classes and to all web applications.
- WebappX — A class loader is created for each web application that is
deployed in a single Tomcat instance.


> or "[Tomcat]\webapps\ApplicationName\WEB-INF\lib"? I see there are
multiple JAR files in both these locations. How to locate the exact JAR
file which should be used to compile source files?
>
> My understanding is that as long as your code (.class files) is in any of
the JAR files under the "lib" folder, the system would get it. You don't need
to have specific code in a specific JAR file. Code from all the JAR files
under the lib folder is considered one big body of code, and based on the
class invoked its corresponding code gets executed from that one big body of
code. Please correct me if this is not right.
>
> Also, should we include the filters in web.xml file under
"[Tomcat]\conf\" folder or under "WEB-INF" folder of my application?

The web.xml located in Tomcat/conf is the "global" one. The configurations
there will be applied to every web application deployed on the Tomcat
instance. So if you need to apply this filter to all web apps then place
the definition and configurations there. Otherwise you can provide the
filter definition and configurations in the WEB-INF/web.xml for a
particular web app.

Regards,
Violeta

>
>
> Regards,
> Mohammad
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 30 May 2017 21:06
> To: users@tomcat.apache.org
> Subject: Re: Security Headers Implementation in Tomcat 6.x version
>
>
> Mohammad,
>
> On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> > Thanks for the valuable input, that helps!! We shall go with getting
> > the source package of Tomcat 7, put them in Tomcat 6 and use the
> > filters of Tomcat 7 in Tomcat 6.
> >
> > Can you please let me know from where I can get/download the source
> > package of Tomcat 7? Also can you please share the location of the
> > source package in Tomcat 6 so that we can replace it with the one from
> > Tomcat 7?
>
> The source download for Tomcat 7 is in the same place all the other
downloads are.
>
> You will not need the source for Tomcat 6, nor will you need to build the
complete source-to-binary for Tomcat 7. Just grab the source, take the
classes you need, and compile them against the servlet JAR you already have
for Tomcat 6. Feel free to re-name the packages if they are awkward for you
to compile/install and then just reference the new class names in your
application/server.
>
> Remember to watch for patches to those source files in Tomcat 7 in case
they include e.g. security updates -- you'll want to apply those same
updates to the code you have taken from Tomcat 7.
>
> A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is
backward-compatible with all spec-compliant applications, though it does
behave differently sometimes as the Servlet Experts Group has clarified
certain questions or added new capabilities (like annotation-processing). I
recommend a long period of testing with a new version of Tomcat, but I also
recommend that you begin that testing as soon as possible. Tomcat 6 will
probably receive *no further updates, security or otherwise*, even if a
vulnerability is found.
>
> - -chris
>
> > -Original Message- From: Christopher Schultz
> > [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To:
> > users@tomcat.apache.org Subject: Re: Security Headers Implementation
> > in Tomcat 6.x version
> >
> > Mohammad,
> >
> > On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> >> Based on your inputs, we are thinking to put Apache httpd in front of
> >> Tomcat 6 server, since our header configuration is going to be
> >> static.
> >
> > This might not be a bad idea for a number of reasons, but it is by no
> > means required.
> >
> > You can download the Tomcat 7 source package and use the security
> > filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> > actually requires Tomcat

RE: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Shaik, Mohammad N.
Hi Chris,

Can I simply use the JAR files from Tomcat 7 that contain the executable code of 
the filter classes (security headers), and put them into the corresponding location in 
Tomcat 6?

Regards,
Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 30 May 2017 21:06
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version


Mohammad,

On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> Thanks for the valuable input, that helps!! We shall go with getting
> the source package of Tomcat 7, put them in Tomcat 6 and use the
> filters of Tomcat 7 in Tomcat 6.
>
> Can you please let me know from where I can get/download the source
> package of Tomcat 7? Also can you please share the location of the
> source package in Tomcat 6 so that we can replace it with the one from
> Tomcat 7?

The source download for Tomcat 7 is in the same place all the other downloads 
are.

You will not need the source for Tomcat 6, nor will you need to build the 
complete source-to-binary for Tomcat 7. Just grab the source, take the classes 
you need, and compile them against the servlet JAR you already have for Tomcat 
6. Feel free to re-name the packages if they are awkward for you to 
compile/install and then just reference the new class names in your 
application/server.

Remember to watch for patches to those source files in Tomcat 7 in case they 
include e.g. security updates -- you'll want to apply those same updates to the 
code you have taken from Tomcat 7.

A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is 
backward-compatible with all spec-compliant applications, though it does behave 
differently sometimes as the Servlet Experts Group has clarified certain 
questions or added new capabilities (like annotation-processing). I recommend a 
long period of testing with a new version of Tomcat, but I also recommend that 
you begin that testing as soon as possible. Tomcat 6 will probably receive *no 
further updates, security or otherwise*, even if a vulnerability is found.

- -chris

> -Original Message- From: Christopher Schultz
> [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To:
> users@tomcat.apache.org Subject: Re: Security Headers Implementation
> in Tomcat 6.x version
>
> Mohammad,
>
> On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
>> Based on your inputs, we are thinking to put Apache httpd in front of
>> Tomcat 6 server, since our header configuration is going to be
>> static.
>
> This might not be a bad idea for a number of reasons, but it is by no
> means required.
>
> You can download the Tomcat 7 source package and use the security
> filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> actually requires Tomcat 7 to run.
>
>> Can you please help us in identifying which version of Apache HTTP
>> Server we can use for Tomcat 6 version? Also, it will be great if you
>> can share some guidelines on how to implement Apache in front of
>> Tomcat.
> All supported versions of Apache web server work with app supported
> versions of Tomcat (as well as Tomcat 6). You have several choices for
> how to connect them together, but the most straightforward is to use
> mod_proxy_http from httpd to Tomcat.
> Tomcat behaves exactly as it did before and requires no additional
> configuration unless you are moving TLS termination from Tomcat to
> httpd. If that's the case, there are many guides on the web as well as
> on Tomcat's Presentations Page[2] that document how to do that.
>
> Hope that helps, -chris
>
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2]
> http://tomcat.apache.org/presentations.html
>

RE: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Shaik, Mohammad N.
Hi Chris,

I got the source files (.java) of the filter classes that I was looking for.

Should we compile the source file against the servlet jar file(s) present in 
"[Tomcat]\lib\" or "[Tomcat]\webapps\ApplicationName\WEB-INF\lib"? I see there 
are multiple JAR files in both these locations. How to locate the exact JAR 
file which should be used to compile source files?

My understanding is that as long as your code (.class files) is in any of the
JAR files under the "lib" folder, the system would get it. You don't need to
have specific code in a specific JAR file. Code from all the JAR files under
the lib folder is considered one big body of code, and based on the class
invoked its corresponding code gets executed from that one big body of code.
Please correct me if this is not right.

Also, should we include the filters in web.xml file under "[Tomcat]\conf\" 
folder or under "WEB-INF" folder of my application?


Regards,
Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 30 May 2017 21:06
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version


Mohammad,

On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> Thanks for the valuable input, that helps!! We shall go with getting
> the source package of Tomcat 7, put them in Tomcat 6 and use the
> filters of Tomcat 7 in Tomcat 6.
>
> Can you please let me know from where I can get/download the source
> package of Tomcat 7? Also can you please share the location of the
> source package in Tomcat 6 so that we can replace it with the one from
> Tomcat 7?

The source download for Tomcat 7 is in the same place all the other downloads 
are.

You will not need the source for Tomcat 6, nor will you need to build the 
complete source-to-binary for Tomcat 7. Just grab the source, take the classes 
you need, and compile them against the servlet JAR you already have for Tomcat 
6. Feel free to re-name the packages if they are awkward for you to 
compile/install and then just reference the new class names in your 
application/server.

Remember to watch for patches to those source files in Tomcat 7 in case they 
include e.g. security updates -- you'll want to apply those same updates to the 
code you have taken from Tomcat 7.

A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is 
backward-compatible with all spec-compliant applications, though it does behave 
differently sometimes as the Servlet Experts Group has clarified certain 
questions or added new capabilities (like annotation-processing). I recommend a 
long period of testing with a new version of Tomcat, but I also recommend that 
you begin that testing as soon as possible. Tomcat 6 will probably receive *no 
further updates, security or otherwise*, even if a vulnerability is found.

- -chris

> -Original Message- From: Christopher Schultz
> [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To:
> users@tomcat.apache.org Subject: Re: Security Headers Implementation
> in Tomcat 6.x version
>
> Mohammad,
>
> On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
>> Based on your inputs, we are thinking to put Apache httpd in front of
>> Tomcat 6 server, since our header configuration is going to be
>> static.
>
> This might not be a bad idea for a number of reasons, but it is by no
> means required.
>
> You can download the Tomcat 7 source package and use the security
> filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> actually requires Tomcat 7 to run.
>
>> Can you please help us in identifying which version of Apache HTTP
>> Server we can use for Tomcat 6 version? Also, it will be great if you
>> can share some guidelines on how to implement Apache in front of
>> Tomcat.
> All supported versions of Apache web server work with app supported
> versions of Tomcat (as well as Tomcat 6). You have several choices for
> how to connect them together, but the most straightforward is to use
> mod_proxy_http from httpd to Tomcat.
> Tomcat behaves exactly as it did before and requires no additional
> configuration unless you are moving TLS termination from Tomcat to
> httpd. If that's the case, there are many guides on the web as well as
> on Tomcat's Presentations Page[2] that document how to do that.
>
> Hope that helps, -chris
>
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2]
> http://tomcat.apache.org/presentations.html
>

Re: Security Headers Implementation in Tomcat 6.x version

2017-05-30 Thread Christopher Schultz

Mohammad,

On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> Thanks for the valuable input, that helps!! We shall go with
> getting the source package of Tomcat 7, put them in Tomcat 6 and
> use the filters of Tomcat 7 in Tomcat 6.
> 
> Can you please let me know from where I can get/download the
> source package of Tomcat 7? Also can you please share the location
> of the source package in Tomcat 6 so that we can replace it with
> the one from Tomcat 7?

The source download for Tomcat 7 is in the same place all the other
downloads are.

You will not need the source for Tomcat 6, nor will you need to build
the complete source-to-binary for Tomcat 7. Just grab the source, take
the classes you need, and compile them against the servlet JAR you
already have for Tomcat 6. Feel free to re-name the packages if they
are awkward for you to compile/install and then just reference the new
class names in your application/server.

Remember to watch for patches to those source files in Tomcat 7 in
case they include e.g. security updates -- you'll want to apply those
same updates to the code you have taken from Tomcat 7.

A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is
backward-compatible with all spec-compliant applications, though it
does behave differently sometimes as the Servlet Experts Group has
clarified certain questions or added new capabilities (like
annotation-processing). I recommend a long period of testing with a
new version of Tomcat, but I also recommend that you begin that
testing as soon as possible. Tomcat 6 will probably receive *no
further updates, security or otherwise*, even if a vulnerability is found.

- -chris

> -Original Message- From: Christopher Schultz 
> [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To: 
> users@tomcat.apache.org Subject: Re: Security Headers
> Implementation in Tomcat 6.x version
> 
> Mohammad,
> 
> On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
>> Based on your inputs, we are thinking to put Apache httpd in
>> front of Tomcat 6 server, since our header configuration is going
>> to be static.
> 
> This might not be a bad idea for a number of reasons, but it is by
> no means required.
> 
> You can download the Tomcat 7 source package and use the security 
> filters from Tomcat 7[1] in Tomcat 6: there is nothing in there
> that actually requires Tomcat 7 to run.
> 
>> Can you please help us in identifying which version of Apache
>> HTTP Server we can use for Tomcat 6 version? Also, it will be
>> great if you can share some guidelines on how to implement Apache
>> in front of Tomcat.
> All supported versions of Apache web server work with app
> supported versions of Tomcat (as well as Tomcat 6). You have
> several choices for how to connect them together, but the most
> straightforward is to use mod_proxy_http from httpd to Tomcat.
> Tomcat behaves exactly as it did before and requires no additional
> configuration unless you are moving TLS termination from Tomcat to
> httpd. If that's the case, there are many guides on the web as well
> as on Tomcat's Presentations Page[2] that document how to do that.
> 
> Hope that helps, -chris
> 
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2] 
> http://tomcat.apache.org/presentations.html
> 

RE: Security Headers Implementation in Tomcat 6.x version

2017-05-30 Thread Shaik, Mohammad N.
Hello Chris,

Thanks for the valuable input, that helps!! We shall go with getting the source 
package of Tomcat 7, put them in Tomcat 6 and use the filters of Tomcat 7 in 
Tomcat 6.

Can you please let me know from where I can get/download the source package of 
Tomcat 7? Also can you please share the location of the source package in 
Tomcat 6 so that we can replace it with the one from Tomcat 7?


Regards,
Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 29 May 2017 20:57
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version


Mohammad,

On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> Based on your inputs, we are thinking to put Apache httpd in front of
> Tomcat 6 server, since our header configuration is going to be static.

This might not be a bad idea for a number of reasons, but it is by no means 
required.

You can download the Tomcat 7 source package and use the security filters from 
Tomcat 7[1] in Tomcat 6: there is nothing in there that actually requires 
Tomcat 7 to run.

> Can you please help us in identifying which version of Apache HTTP
> Server we can use for Tomcat 6 version? Also, it will be great if you
> can share some guidelines on how to implement Apache in front of
> Tomcat.
All supported versions of Apache web server work with app supported versions of 
Tomcat (as well as Tomcat 6). You have several choices for how to connect them 
together, but the most straightforward is to use mod_proxy_http from httpd to 
Tomcat. Tomcat behaves exactly as it did before and requires no additional 
configuration unless you are moving TLS termination from Tomcat to httpd. If 
that's the case, there are many guides on the web as well as on Tomcat's 
Presentations Page[2] that document how to do that.

Hope that helps,
- -chris

[1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
[2] http://tomcat.apache.org/presentations.html



Re: Security Headers Implementation in Tomcat 6.x version

2017-05-29 Thread Christopher Schultz

Mohammad,

On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> Based on your inputs, we are thinking to put Apache httpd in front 
> of Tomcat 6 server, since our header configuration is going to be
> static.

This might not be a bad idea for a number of reasons, but it is by no
means required.

You can download the Tomcat 7 source package and use the security
filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
actually requires Tomcat 7 to run.

> Can you please help us in identifying which version of Apache HTTP 
> Server we can use for Tomcat 6 version? Also, it will be great if
> you can share some guidelines on how to implement Apache in front
> of Tomcat.
All supported versions of Apache web server work with app supported
versions of Tomcat (as well as Tomcat 6). You have several choices for
how to connect them together, but the most straightforward is to use
mod_proxy_http from httpd to Tomcat. Tomcat behaves exactly as it did
before and requires no additional configuration unless you are moving
TLS termination from Tomcat to httpd. If that's the case, there are
many guides on the web as well as on Tomcat's Presentations Page[2]
that document how to do that.

Hope that helps,
- -chris

[1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
[2] http://tomcat.apache.org/presentations.html
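
Chris's point that nothing in those filters needs Tomcat 7 holds because a filter depends only on the javax.servlet API, which Tomcat 6 ships in lib/servlet-api.jar. As an added example, not code from Tomcat or from anyone on this thread, here is a small Servlet 2.5 filter for the headers on Mohammad's list that Tomcat 7's HttpHeaderSecurityFilter does not provide (Content-Security-Policy, X-Robots-Tag). The class name, package and init-param convention are this example's own choices, and the javac/jar lines in the comment assume CATALINA_HOME points at the Tomcat 6 installation.

```java
// Added example, not from Tomcat or from the thread. Depends only on the
// Servlet 2.5 API, so it compiles against Tomcat 6's own servlet JAR
// (CATALINA_HOME is assumed to be the Tomcat 6 install directory):
//   javac -cp "$CATALINA_HOME/lib/servlet-api.jar" -d out StaticHeadersFilter.java
//   jar cf static-headers-filter.jar -C out .
// Drop the JAR in $CATALINA_HOME/lib (for conf/web.xml) or WEB-INF/lib.
package example.filters;

import java.io.IOException;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class StaticHeadersFilter implements Filter {

    // Header name -> value, read from init-params so the values live in web.xml.
    private final Map<String, String> headers = new LinkedHashMap<String, String>();

    public void init(FilterConfig config) throws ServletException {
        // Convention of this example: every init-param is one header,
        // <param-name> is the header name and <param-value> its value, e.g.
        //   <param-name>Content-Security-Policy</param-name>
        //   <param-value>default-src 'self'</param-value>
        //   <param-name>X-Robots-Tag</param-name>
        //   <param-value>noindex, nofollow</param-value>
        Enumeration<?> names = config.getInitParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            String value = config.getInitParameter(name);
            // Refuse CR/LF in a value: a bad web.xml edit must fail at startup
            // rather than produce a malformed header on every response.
            if (value == null || value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
                throw new ServletException("Invalid header value for " + name);
            }
            headers.put(name, value);
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Set the headers BEFORE handing the request on: once the servlet
            // commits the response (first buffer flush), setHeader() is
            // silently ignored and the headers would be missing.
            for (Map.Entry<String, String> h : headers.entrySet()) {
                http.setHeader(h.getKey(), h.getValue());
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        headers.clear();
    }
}
```

Declare it in web.xml with one init-param per header and map it to `/*`, ahead of the application's own filters. The ordering matters for the reason in the comment: headers set after `chain.doFilter()` are dropped whenever the servlet has already committed the response, which is how a header filter can appear to work on small test pages and still miss the headers on larger ones.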



RE: Security Headers Implementation in Tomcat 6.x version

2017-05-29 Thread Shaik, Mohammad N.
Hello Olaf,

Thanks for your response!

Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 6 
server, since our header configuration is going to be static.

Can you please help us in identifying which version of Apache HTTP Server we 
can use for Tomcat 6 version? Also, it will be great if you can share some 
guidelines on how to implement Apache in front of Tomcat.


Regards,
Mohammad Nayeem

-Original Message-
From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: 29 May 2017 13:53
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version


On 29.05.2017 at 07:59, Shaik, Mohammad N. wrote:
> We are using Tomcat 6.x version and we need to implement the following 
> headers in our environment.
>
> Headers:
> 1) Strict-Transport-Security
> 2) Content-Security-Policy
> 
> 7) X-Robots-Tag
>
> When I checked the Tomcat 6 version webpage 
> (https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see 
> any filters that implement any of these headers. Some of them are available in 
> Tomcat 7 version webpage 
> (https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot 
> upgrade to Tomcat 7.x version due to some constraints.
>
> Can you kindly guide me how to implement these headers in Tomcat 6.x version. 
> All your comments on this topic are welcome.

As tomcat 6 is solid out of service for almost half a year already (see 
http://tomcat.apache.org/tomcat-60-eol.html), you're between a rock and a hard 
place: Invest in a platform that's a potential security threat (it won't get 
any more updates) or invest in an upgrade.

That out of the way, for most cases, just have an Apache httpd in front of 
tomcat and use its magic to tag most of your headers. For many it will be 
static configuration. If there's anything dynamic that you need, implement a 
servlet filter that just does the job. Hardcode it - you don't need a lot of 
configuration if you come up with a solution that's just used within your 
premises.

If you have multiple web applications that all need the same filter, deploy the 
filter on all of them.

Olaf








Re: Security Headers Implementation in Tomcat 6.x version

2017-05-29 Thread Olaf Kock

On 29.05.2017 at 07:59, Shaik, Mohammad N. wrote:
> We are using Tomcat 6.x version and we need to implement the following 
> headers in our environment.
>
> Headers:
> 1) Strict-Transport-Security
> 2) Content-Security-Policy
> 
> 7) X-Robots-Tag
>
> When I checked the Tomcat 6 version webpage 
> (https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see 
> any filters that implement any of these headers. Some of them are available in 
> Tomcat 7 version webpage 
> (https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot 
> upgrade to Tomcat 7.x version due to some constraints.
>
> Can you kindly guide me how to implement these headers in Tomcat 6.x version. 
> All your comments on this topic are welcome.

As tomcat 6 is solid out of service for almost half a year already (see
http://tomcat.apache.org/tomcat-60-eol.html), you're between a rock and
a hard place: Invest in a platform that's a potential security threat
(it won't get any more updates) or invest in an upgrade.

That out of the way, for most cases, just have an Apache httpd in front
of tomcat and use its magic to tag most of your headers. For many it
will be static configuration. If there's anything dynamic that you need,
implement a servlet filter that just does the job. Hardcode it - you
don't need a lot of configuration if you come up with a solution that's
just used within your premises.

If you have multiple web applications that all need the same filter,
deploy the filter on all of them.

Olaf
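
Both Chris's suggestion (use a servlet filter, such as the security filters from Tomcat 7, on Tomcat 6) and Olaf's (hard-code a filter that just sets the headers) come down to the same few lines of Servlet 2.5 code. The following is an added example for this thread, not code from the thread, from Tomcat or from the original poster's application; the package name, the init-param names and the header values are illustrative placeholders to be replaced with the values the application actually needs.

```java
// Added example: a hard-coded security-header filter for Tomcat 6 (Servlet 2.5 API).
// Not from the thread or from Tomcat; the package name, init-param names and
// header values below are illustrative placeholders, not recommended settings.
package example.filters; // hypothetical package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/*
 * Mapping in the web application's WEB-INF/web.xml (one entry per application,
 * as Olaf notes); the init-params are optional and override the defaults below:
 *
 *   <filter>
 *     <filter-name>SecurityHeaderFilter</filter-name>
 *     <filter-class>example.filters.SecurityHeaderFilter</filter-class>
 *     <init-param>
 *       <param-name>contentSecurityPolicy</param-name>
 *       <param-value>default-src 'self'</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>SecurityHeaderFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class SecurityHeaderFilter implements Filter {

    // Defaults are fixed at deployment time (the "static configuration" case);
    // each can be overridden by the matching init-param in web.xml.
    private String hsts = "max-age=31536000; includeSubDomains";
    private String csp = "default-src 'self'";
    private String robots = "noindex, nofollow";

    public void init(FilterConfig config) throws ServletException {
        hsts = paramOrDefault(config, "strictTransportSecurity", hsts);
        csp = paramOrDefault(config, "contentSecurityPolicy", csp);
        robots = paramOrDefault(config, "robotsTag", robots);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Browsers only honour Strict-Transport-Security on a TLS response, so
            // send it only when the request arrived over TLS. When TLS terminates
            // in httpd in front of Tomcat, isSecure() is only true if the Tomcat
            // connector is told so (its scheme/secure attributes or a forwarded
            // scheme mechanism); otherwise HSTS is silently never sent.
            if (req.isSecure()) {
                http.setHeader("Strict-Transport-Security", hsts);
            }
            http.setHeader("Content-Security-Policy", csp);
            http.setHeader("X-Robots-Tag", robots);
        }
        // Headers must be set before the servlet writes the body: once the
        // response is committed, setHeader() is ignored.
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }

    private static String paramOrDefault(FilterConfig config, String name, String def) {
        String value = config.getInitParameter(name);
        return (value == null || value.trim().length() == 0) ? def : value.trim();
    }
}
```

The filter is mapped to `/*` so that error pages and static resources get the headers too; a mapping limited to one servlet leaves everything else unprotected. One check worth doing after deployment is to fetch a page with a browser's network tools (or `curl -I`) and confirm all three headers are present, then repeat over the httpd front end to make sure headers set in httpd and in the filter do not duplicate or contradict each other.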
