Start embedded Tomcat 9.0.1 server from java code

2017-11-02 Thread Maxim Solodovnik
Hello,

I recently migrated from Tomcat 8.5.23 to Tomcat 9.0.1
Everything works as expected except tests :(

I'm using the following code to start embedded Tomcat and test CXF web services [1].
With Tomcat 9.0.1 the tests fail; netstat -an shows that port 8080 is not
being listened on.
What needs to be changed?


[1] 
https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/java/org/apache/openmeetings/webservice/AbstractWebServiceTest.java#L98

-- 
WBR
Maxim aka solomax

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: TomcatCon Where (and when) next?

2017-11-02 Thread Mark Thomas
Hi all,

I'm starting to think about this again and the next event is looking
like a workshop / training event in Manchester, UK in January.

Details are still TBD so this is your opportunity to make suggestions to
steer the event to what you want it to be.

The rough outline is:
- Manchester UK
- 22nd or 15th January
- central Manchester location
- workshop / training format (lots of hands on - bring a laptop)
- possible topics
  - TLS (how it works, configuring, debugging)
  - reverse proxy (how it works, configuring, debugging)
  - debugging with thread dumps
  - 
- cost ~£80 per person
- delivered by me

Feedback and suggested topics welcome.

Mark


On 04/10/17 18:46, Mark Thomas wrote:
> Thanks for the suggestions. Pulling the various suggestions so far we have:
> 
> - Frankfurt, Germany
> - Paris, France
> - Washington DC, USA
> - Manchester, UK
> 
> With some of those locations coming with a venue provided and/or
> potential for sponsorship.
> 
> My current thinking (and this is just my personal view although it is
> informed by the suggestions) is:
> 
> - Frankfurt
>   - possible for March (ish) 2018
>   - rjung can get there easily
>   - I can get there fairly cheaply
> 
> - Paris
>   - possible for after Frankfurt - May? (ish) 2018
>   - remm is near by
>   - I can get there fairly cheaply
>   - at least one session in French (so not me for that one)
> 
> - Washington
>   - too far / expensive for non-US committers without significant
> sponsorship
>   - maybe wait and see what the plans are for ApacheCon in 2018 and run
> TomcatCon alongside it much like we did in Miami
> 
> - Manchester
>   - possible for January 2018
>   - easy for me to get to
>   - asking a lot for other committers to travel so soon after London
>   - maybe run it more as training / workshop (i.e. large % of hands-on)
> rather than a conference as this makes it less of an issue if it is
> just me presenting
> 
> 
> Between the conference and the recent security issues, I've been rather
> busy these last few weeks so I want to take the opportunity to catch up
> a bit before starting on the planning for these events. I wanted to get
> the above down on email to give folks an opportunity to provide some
> feedback.
> 
> Also, as previously promised, I've put some notes on the organisation
> and finances for the London event on the wiki:
> 
> https://cwiki.apache.org/confluence/display/TOMCAT/TomcatCon
> https://cwiki.apache.org/confluence/display/TOMCAT/TomcatCon+London+2017
> 
> Mark
> 
> 
> On 27/09/17 22:14, Mark Thomas wrote:
>> All,
>>
>> TomcatCon London 2017 took place yesterday and was even more successful
>> than hoped. We sold 16 tickets for a full day of content from 3 Tomcat
>> committers.
>>
>> I'd like to take this opportunity to once again thank our sponsors.
>>
>> Liferay generously provided the venue - including all the associated
>> organisation. This provided us with a very nice venue, removed a
>> significant amount of the organisational overhead and also removed all
>> of the financial risk to the PMC members organising the event.
>>
>> c2b2 generously purchased 2 tickets and contributed towards the other
>> expenses (speaker travel expenses, buying a microphone so we could
>> record some of the sessions, name badges, etc,).
>>
>> We were able to record 4 out of the 6 sessions and these will be
>> uploaded to YouTube and linked from the Tomcat website hopefully by the
>> end of the week.
>>
>> As planned, the event generated a sufficient surplus to underwrite the
>> next event. With this in mind, thoughts are already turning to future
>> events.
>>
>> We are looking for suggestions for possible locations for the next
>> event. Please add your suggestions to this thread.
>>
>> Some points to keep in mind:
>>
>> - Events close to one or more Tomcat committers will generally have
>>   lower overheads due to reduced travel costs. At this point that
>>   probably means Europe if the event runs without sponsorship.
>>
>> - Sponsorship to cover speaker travel and/or to provide a venue
>>   increases the options available with regard to location. I was
>>   serious when I said in a previous thread that the next event could be
>>   in India if a sponsor offered to provide a venue and cover speaker
>>   travel.
>>
>> If you'd like to discuss sponsorship options privately, please feel free
>> to contact me off-list.
>>
>> With regards to timing, the aim is to try and organise one of these
>> events every couple of months. That probably means we need to start
>> thinking about event N+1 and N+2 in parallel.
>>
>> I look forward to your suggestions,
>>
>> Mark
>>

Re: TomCat 8.5.23 application not responding

2017-11-02 Thread Christopher Schultz

Darin,

On 11/2/17 12:55 PM, dbol...@dsginc.biz wrote:
> I have a TomCat 8.5.23 service running on Windows 2008 R2. It is
> currently running a third party web commerce application. It will
> run great until randomly one day the application will stop
> responding. When you try to go to the application URL it sits and
> spins. I looked at the catalina log and found the below errors at
> the time it stopped responding. Is this a tomcat configuration issue
> or application related?
> 
> I see three specific warning/severe messages in Tomcat.
> 
> Error one: 02-Nov-2017 10:03:23.787 WARNING
> [http-nio-9080-exec-402] 
> com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.getForComponent
>  Unable to find component with ID searchPattern in view.
> 
> Then right after there is a severe message error 2:
> 
> 02-Nov-2017 10:03:23.896 SEVERE [http-nio-9080-exec-455] 
> org.restlet.engine.http.adapter.ServerAdapter.commit An exception
> occured writing the response entity 
> org.apache.catalina.connector.ClientAbortException:
> java.io.IOException: An established connection was aborted by the
> software in your host machine
> 
> Then the warning messages continue all the way down until we had to
> reboot the service because of no response.
> 
> 02-Nov-2017 10:03:23.896 WARNING [http-nio-9080-exec-455] 
> org.restlet.engine.http.HttpServerHelper.handle Error while
> handling an HTTP server call: 02-Nov-2017 10:03:23.896 INFO
> [http-nio-9080-exec-455] 
> org.restlet.engine.http.HttpServerHelper.handle Error while
> handling an HTTP server call java.lang.IllegalStateException:
> Cannot call sendError() after the response has been committed

Can you take some thread dumps to show what the Tomcat threads are
doing? One thread dump will probably be very long, but go ahead and
post the whole thing to the list.

- -chris



Re: security headers

2017-11-02 Thread Christopher Schultz

André,

On 11/2/17 9:35 AM, André Warnier (tomcat) wrote:
> You seem to be responding on the wrong thread, but here are some
> answers anyway (will save Christopher some typing)

(I was trying not to pollute this hijacked thread.)


> When tomcat starts, it will check if APR is available. If yes,
> tomcat will use it, because it is probably a bit faster than the
> Java alternative. If APR is not available, tomcat will use the
> standard Java functions, which are maybe a bit slower.

By many orders of magnitude[1]. If you are terminating TLS at Tomcat,
you'll definitely want to use APR or NIO+OpenSSL (which requires
Tomcat 8.5 or Tomcat 9.0). Or if you only have very minimal traffic.

- -chris

[1] https://schd.ws/hosted_files/apachecon2017/93/TomcatOpenSSL.pdf

See slides 15-17



TomCat 8.5.23 application not responding

2017-11-02 Thread DBolken
I have a TomCat 8.5.23 service running on Windows 2008 R2. It is 
currently running a third party web commerce application. It will run 
great until randomly one day the application will stop responding. When 
you try to go to the application URL it sits and spins. I looked at the 
catalina log and found the below errors at the time it stopped responding. Is 
this a tomcat configuration issue or application related?

I see three specific warning/severe messages in Tomcat.

Error one:
02-Nov-2017 10:03:23.787 WARNING [http-nio-9080-exec-402] 
com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.getForComponent 
Unable to find component with ID searchPattern in view.

Then right after there is a severe message error 2:

02-Nov-2017 10:03:23.896 SEVERE [http-nio-9080-exec-455] 
org.restlet.engine.http.adapter.ServerAdapter.commit An exception occured 
writing the response entity
 org.apache.catalina.connector.ClientAbortException: java.io.IOException: 
An established connection was aborted by the software in your host machine

Then the warning messages continue all the way down until we had to reboot 
the service because of no response. 

02-Nov-2017 10:03:23.896 WARNING [http-nio-9080-exec-455] 
org.restlet.engine.http.HttpServerHelper.handle Error while handling an 
HTTP server call: 
02-Nov-2017 10:03:23.896 INFO [http-nio-9080-exec-455] 
org.restlet.engine.http.HttpServerHelper.handle Error while handling an 
HTTP server call
 java.lang.IllegalStateException: Cannot call sendError() after the 
response has been committed


Darin Bolken | Programmer/Systems Support

RE: security headers

2017-11-02 Thread Cheltenham, Chris
Yes that was the wrong thread but thank you.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Thursday, November 2, 2017 9:36 AM
To: users@tomcat.apache.org
Subject: Re: security headers

You seem to be responding on the wrong thread, but here are some answers 
anyway (will save Christopher some typing)

On 02.11.2017 13:55, Cheltenham, Chris wrote:
> Mr. Schultz,
>
> I really appreciate your detailed answers.
> Helps me out a lot.
>
> I am now thinking big picture because my application does not require 
> APR.
>
> May I ask this: what exactly does APR give me for apache-tomcat?

APR stands for "Apache Portable Run-time".
Here is one explanation:

It is a software library, containing a series of functions which are often 
used by Apache Foundation programs of all kinds (not only tomcat), 
particularly with regard to network interfaces and protocols.
The people who make this APR make sure that it is available for many 
platforms (Windows, Linux etc.), and that it is really optimised for each of 
these different platforms.

To access the network, tomcat can do it in 2 different ways:
1) by using standard Java functions, which always work, but are not 
particularly optimised for any platform, or
2) if APR is available, then tomcat can use instead some calls which exist 
in the APR library, and which may be more optimised for the current platform 
on which it is running.

When tomcat starts, it will check if APR is available. If yes, tomcat will 
use it, because it is probably a bit faster than the Java alternative.
If APR is not available, tomcat will use the standard Java functions, which 
are maybe a bit slower.
And just to let you know, it will print a friendly message to the log, 
to let you know that maybe this is not the most optimal solution, in terms 
of ultimate tomcat performance.  But this is just an informational message, 
and you can decide to ignore it, and run tomcat anyway without APR (which 
many people do, and most of the time they will not notice the difference).

There is a secondary effect which needs to be considered when using SSL 
(HTTPS):
When tomcat finds and uses APR, it uses APR functions to access SSL sockets. 
And these APR functions rely on the underlying presence of SSL libraries 
provided by another package, named OpenSSL. These OpenSSL libraries require 
a particular format for the SSL keys and key stores.
When tomcat does not find APR, it will use the builtin Java functions for 
SSL. And these builtin functions require another format for the SSL keys and 
key stores.
So the parameters used in the  elements are a bit different in 
each case.
This is well explained in the tomcat on-line documentation.

>
> I am thinking to scrap the whole APR install.
>
> The reason I am trying to install it is because of my anal need to
> have clean logs.

I won't even try to interpret this..

> I can’t stand any messages suggesting or recommending that I do this
> or that.

They are just friendly messages, like the Amazon "other readers who have 
purchased this book, have also liked this : ... "

> I have always tried to accommodate those recommendations.

Ah, ok. I thought you could not stand them?

> However, in this case it may be the best to ignore the catalane log
> message saying that I should install APR.
>

catalane? That's been quite a bit in the news lately. But we're quite 
apolitical here, and so is tomcat usually.


>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, November 1, 2017 4:04 PM
> To: users@tomcat.apache.org
> Subject: Re: security headers
>
> Alejandro,
>
> On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
>> Hello,
>>
>> I recently used on web.xml
>>
>> <filter>
>>     <filter-name>httpHeaderSecurity</filter-name>
>>     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>>     <async-supported>true</async-supported>
>> </filter>
>> <filter-mapping>
>>     <filter-name>httpHeaderSecurity</filter-name>
>>     <url-pattern>/*</url-pattern>
>> </filter-mapping>
>>
>> to enable some security headers, but it won't enable Content Security
>> Policy header. Is there any way to enable Content Security Policy at
>> top server level???
>
> What were you expecting that Filter to generate for you? A header which
> disables everything? Not terribly useful.
>
> My recommendation would be to use something like url-rewrite[1] to add
> headers to every outgoing response. url-rewrite has very similar
> capabilities to httpd's mod_headers (and much more, of course).
>
> - -chris
>
> [1] http://tuckey.org/urlrewrite/

Re: security headers

2017-11-02 Thread tomcat

You seem to be responding on the wrong thread, but here are some answers anyway
(will save Christopher some typing)

On 02.11.2017 13:55, Cheltenham, Chris wrote:

Mr. Schultz,

I really appreciate your detailed answers.
Helps me out a lot.

I am now thinking big picture because my application does not require APR.

May I ask this: what exactly does APR give me for apache-tomcat?


APR stands for "Apache Portable Run-time".
Here is one explanation:

It is a software library, containing a series of functions which are often used by Apache 
Foundation programs of all kinds (not only tomcat), particularly with regard to network 
interfaces and protocols.
The people who make this APR make sure that it is available for many platforms (Windows, 
Linux etc.), and that it is really optimised for each of these different platforms.


To access the network, tomcat can do it in 2 different ways:
1) by using standard Java functions, which always work, but are not particularly optimised 
for any platform

or
2) if APR is available, then tomcat can use instead some calls which exist in the APR 
library, and which may be more optimised for the current platform on which it is running.


When tomcat starts, it will check if APR is available. If yes, tomcat will use it, because 
it is probably a bit faster than the Java alternative.
If APR is not available, tomcat will use the standard Java functions, which are maybe a 
bit slower.
And just to let you know, it will print a friendly message to the log, to let you 
know that maybe this is not the most optimal solution, in terms of ultimate tomcat 
performance.  But this is just an informational message, and you can decide to ignore it, 
and run tomcat anyway without APR (which many people do, and most of the time they will 
not notice the difference).


There is a secondary effect which needs to be considered when using SSL (HTTPS):
When tomcat finds and uses APR, it uses APR functions to access SSL sockets. And these APR 
functions rely on the underlying presence of SSL libraries provided by another package, 
named OpenSSL. These OpenSSL libraries require a particular format for the SSL keys and 
key stores.
When tomcat does not find APR, it will use the builtin Java functions for SSL. And these 
builtin functions require another format for the SSL keys and key stores.

So the parameters used in the  elements are a bit different in each 
case.
This is well explained in the tomcat on-line documentation.



I am thinking to scrap the whole APR install.

The reason I am trying to install it is because of my anal need to have
clean logs.


I won't even try to interpret this..


I can’t stand any messages suggesting or recommending that I do this or
that.


They are just friendly messages, like the Amazon "other readers who have purchased this 
book, have also liked this : ... "



I have always tried to accommodate those recommendations.


Ah, ok. I thought you could not stand them?


However, in this case it may be the best to ignore the catalane log message
saying that I should install APR.



catalane? That's been quite a bit in the news lately. But we're quite apolitical here, 
and so is tomcat usually.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, November 1, 2017 4:04 PM
To: users@tomcat.apache.org
Subject: Re: security headers

Alejandro,

On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:

Hello,

I recently used on web.xml

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

to enable some security headers, but it won't enable Content Security
Policy header. Is there any way to enable Content Security Policy at
top server level???


What were you expecting that Filter to generate for you? A header which
disables everything? Not terribly useful.

My recommendation would be to use something like url-rewrite[1] to add
headers to every outgoing response. url-rewrite has very similar
capabilities to httpd's mod_headers (and much more, of course).

- -chris

[1] http://tuckey.org/urlrewrite/
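To make the key-format difference André describes concrete (and the APR versus NIO+OpenSSL choice Chris points to earlier in the thread), here is a constructed server.xml fragment added for illustration; it is not from the thread or the Tomcat documentation, and the file names, alias and password are placeholders:

```xml
<!-- Constructed example: two ways to terminate TLS on port 8443 in Tomcat 8.5 / 9.0.
     Only ONE of the two Connectors would be present in a real server.xml. -->

<!-- Loads the tcnative/OpenSSL library if it is installed. SSLEngine="on" makes
     OpenSSL available to the APR connector and, in 8.5/9.0, to the NIO connector
     as well. If the library is missing, Tomcat logs an INFO line and carries on
     with the pure Java implementation, which is the message the thread discusses. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<!-- 1) Pure Java (JSSE): key and certificate live in a Java keystore (JKS/PKCS12). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150">
    <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true">
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     certificateKeystorePassword="REPLACE_ME"
                     certificateKeyAlias="tomcat"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- 2) OpenSSL via APR: key, certificate and chain are PEM files, not a keystore.
     The same Certificate attributes apply to "NIO+OpenSSL", i.e. the NIO
     protocol above with sslImplementationName=
     "org.apache.tomcat.util.net.openssl.OpenSSLImplementation" on the Connector. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" maxThreads="150">
    <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true">
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Whichever implementation is chosen, keep the private key file or keystore readable only by the Tomcat service account.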

Re: security headers

2017-11-02 Thread Christopher Schultz
Chris,

On 11/2/17 8:55 AM, Cheltenham, Chris wrote:
> Mr. Shultz,
> 
> I really appreciate your detailed answers. Helps me out a lot.
> 
> I am now thinking big picture because my application does not
> require APR.

Wrong thread?

- -chris



RE: security headers

2017-11-02 Thread Cheltenham, Chris
Mr. Schultz,

I really appreciate your detailed answers.
Helps me out a lot.

I am now thinking big picture because my application does not require APR.

May I ask this: what exactly does APR give me for apache-tomcat?

I am thinking to scrap the whole APR install.

The reason I am trying to install it is because of my anal need to have 
clean logs.
I can’t stand any messages suggesting or recommending that I do this or 
that.
I have always tried to accommodate those recommendations.
However, in this case it may be the best to ignore the catalane log message 
saying that I should install APR.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, November 1, 2017 4:04 PM
To: users@tomcat.apache.org
Subject: Re: security headers

Alejandro,

On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
> Hello,
>
> I recently used on web.xml
>
> <filter>
>     <filter-name>httpHeaderSecurity</filter-name>
>     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>     <async-supported>true</async-supported>
> </filter>
> <filter-mapping>
>     <filter-name>httpHeaderSecurity</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> to enable some security headers, but it won't enable Content Security
> Policy header. Is there any way to enable Content Security Policy at
> top server level???

What were you expecting that Filter to generate for you? A header which 
disables everything? Not terribly useful.

My recommendation would be to use something like url-rewrite[1] to add 
headers to every outgoing response. url-rewrite has very similar 
capabilities to httpd's mod_headers (and much more, of course).

- -chris

[1] http://tuckey.org/urlrewrite/
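As an added example, not from the thread: the url-rewrite approach Chris recommends, assuming UrlRewriteFilter 4.x is bundled with the webapp. It registers the filter in web.xml and uses a constructed urlrewrite.xml to set a Content-Security-Policy header on every response, next to the headers Alejandro's HttpHeaderSecurityFilter already adds; the policy value is a placeholder to adapt to the application.

```xml
<!-- web.xml: register UrlRewriteFilter ahead of the other filters so its
     header rule runs for every response. confPath is its (optional)
     init-param naming the rules file; the value below is also its default. -->
<filter>
    <filter-name>UrlRewriteFilter</filter-name>
    <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
    <init-param>
        <param-name>confPath</param-name>
        <param-value>/WEB-INF/urlrewrite.xml</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>UrlRewriteFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>

<!-- /WEB-INF/urlrewrite.xml (constructed): a rule with <from> and <set> but no
     <to> does not redirect or rewrite anything; it only adds the header and
     lets the request continue down the filter chain. -->
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 4.0//EN"
        "http://www.tuckey.org/res/dtds/urlrewrite4.0.dtd">
<urlrewrite>
    <rule>
        <note>Set a Content-Security-Policy header on every response.</note>
        <from>^.*$</from>
        <!-- Placeholder policy: start restrictive, then widen per real needs.
             Test with Content-Security-Policy-Report-Only first. -->
        <set type="response-header" name="Content-Security-Policy">default-src 'self'; frame-ancestors 'none'</set>
    </rule>
</urlrewrite>
```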

