Re: Security Vulnerability -Default files

2021-01-21 Thread Nitin Kadam
Thank you Robert for your reply.

If we upgrade the Tomcat version from the current 8.5.38 to 8.5.61, will
this remediate the findings, or do we still need to delete these files as
suggested?

Also, is this upgrade straightforward, or do we need to perform it with
any specific steps? Please suggest.

I am from a Windows administrator background and hence facing these
challenges, so I am expecting help from you and this group.

On Thu, Jan 21, 2021 at 8:06 PM Robert Turner  wrote:

> Have a look at
> https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html
> . The documentation includes the recommendations made by your internal
> security team, along with others.
>
> You may also want to upgrade to 8.5.61 or 9.0.41 to pick up the latest
> security updates for Tomcat. (latest versions at time of writing)
>
>
> If you are unsure how to delete the files as mentioned in your security
> team's recommendations and the documentation, you have two approaches that I
> can think of quickly:
>
> 1. Remove the files from the installation folder (by navigating to the
> installed folder under program files, in "webapps" and removing the
> files/folders).
>
> 2. Create a new CATALINA_BASE folder with only what you need, and
> reconfigure the Windows service to use the new folder. (Use the Configure
> Tomcat application shortcut, and change the "catalina.base" property passed
> to Java when starting the service to point to your new folder with only the
> things you need (start with a copy of the Tomcat installation folder,
> remove "bin" and "lib" and the webapps/files you do not need.). This
> approach avoids modifying the original installation files/folders.
>
> You may also be able to modify the installation settings of the application
> using Add or Remove Programs in Windows Control Panel to remove the example
> applications if you'd prefer that approach instead of #1 above, but that
> might require reinstalling Tomcat again.
>
> Best of luck,
>
> Robert
>
>
> On Thu, Jan 21, 2021 at 9:24 AM Nitin Kadam 
> wrote:
>
> > Hi Team,
> >
> > The internal security team reported the security findings below. We do not
> > have anyone from a Tomcat background, so we need to know the best
> > steps to resolve this issue.
> >
> > "Delete the default index page and remove the example JSP and servlets.
> > Follow the Tomcat or OWASP instructions to replace or modify the default
> > error page."
> >
> > This is a finding from the Nessus tool; it would be great if someone could
> > help with steps to resolve it.
> >
> > Apache Tomcat version: 8.5.38
> > Operating system: Windows Server 2012 R2
> >
> >
> > --
> > Regards
> > Nitin Kadam
> > (9967688959)
> >
>


-- 
Regards
Nitin Kadam
(9967688959)


Re: Security Vulnerability -Default files

2021-01-21 Thread Nitin Kadam
Hi Darryl - The person who built this is no longer with the organization, and
in his absence I have been asked to handle it. I am from a Windows
administrator background.

We only have a couple of web apps hosted, so no frequent changes have happened.

There

On Thu, Jan 21, 2021 at 8:49 PM Darryl Lewis 
wrote:

> How do you run and support a server technology you know nothing about?
> Someone must have built it, installed it, and support it.
>
> On 22/1/21, 1:25 am, "Nitin Kadam"  wrote:
>
> Hi Team,
>
> The internal security team reported the security findings below. We do
> not have anyone from a Tomcat background, so we need to know the best
> steps to resolve this issue.
>
> "Delete the default index page and remove the example JSP and servlets.
> Follow the Tomcat or OWASP instructions to replace or modify the
> default error page."
>
> This is a finding from the Nessus tool; it would be great if someone could
> help with steps to resolve it.
>
> Apache Tomcat version: 8.5.38
> Operating system: Windows Server 2012 R2
>
>
> --
> Regards
> Nitin Kadam
> (9967688959)
>
>

-- 
Regards
Nitin Kadam
(9967688959)


Security Vulnerability -Default files

2021-01-21 Thread Nitin Kadam
Hi Team,

The internal security team reported the security findings below. We do not
have anyone from a Tomcat background, so we need to know the best
steps to resolve this issue.

"Delete the default index page and remove the example JSP and servlets.
Follow the Tomcat or OWASP instructions to replace or modify the default
error page."

This is a finding from the Nessus tool; it would be great if someone could
help with steps to resolve it.

Apache Tomcat version: 8.5.38
Operating system: Windows Server 2012 R2


-- 
Regards
Nitin Kadam
(9967688959)


How to Set Content Security Policy headers in Tomcat 8.5.x

2020-09-09 Thread Nitin Kadam
Hi All,

Need to set the *Content security policy* header for the Tomcat web server
(8.5.x), which is hosted on Windows Server 2012; as per the internal security
team, it is not compliant.
Can you please help me set CSP filters for my Tomcat application hosted
on Windows Server?

Below is the screenshot from securityheaders.com

[image: image.png]

-- 
Regards
Nitin Kadam


Apache Tomcat AJP File Inclusion Vulnerability (unauthenticated check)

2020-03-06 Thread Nitin Kadam
Hello Team,

We received a vulnerability alert from the security team for "Apache Tomcat AJP
File Inclusion Vulnerability (unauthenticated check)", and for
remediation they suggested updating Tomcat to the latest version.

Can you please help to resolve this without upgrading the existing version,
i.e. Tomcat 8.5?


-- 
Regards,
NK


Tomcat 8.5 disabling port 80 listening

2020-01-29 Thread Nitin Kadam
Hi Team,

I have a Tomcat 8.5 server configured in the production environment. As per
the requirement, we need to disable all port 80 listening on the application
and only allow HTTPS (443).

I have implemented SSL and it is working fine; however, Tomcat still shows
as listening on 80. So can we disable (comment out) the port 80 connector
in server.xml, which will only allow access to the portal over HTTPS?


From:
 
To:

-- 
Regards
Nitin Kadam
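
For the port-80 question in this message and the AJP finding in the preceding one, here is an added example (not from the thread, and not Tomcat's shipped server.xml) of the connector section of CATALINA_BASE\conf\server.xml with the plain-HTTP and AJP connectors removed, followed by the web.xml constraint that refuses plain HTTP even if an HTTP connector is later put back. The keystore path, password and alias are placeholders; the TLS attribute names are Tomcat 8.5's SSLHostConfig syntax.

```xml
<!-- CATALINA_BASE\conf\server.xml: the Service element, connectors only.
     Placeholders: C:/certs/tomcat.jks, the store password and the alias. -->
<Service name="Catalina">

  <!-- Plain HTTP connector removed. With it commented out nothing listens on
       port 80 at all. If http:// links must keep working, leave it in with
       redirectPort="443" and rely on the security-constraint further down. -->
  <!--
  <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000"
             redirectPort="443" />
  -->

  <!-- HTTPS only. TLSv1.3 can be appended to "protocols" once the JVM that
       runs Tomcat supports it. -->
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             maxThreads="150" connectionTimeout="20000">
    <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true">
      <Certificate certificateKeystoreFile="C:/certs/tomcat.jks"
                   certificateKeystorePassword="changeit"
                   certificateKeyAlias="tomcat2019"
                   type="RSA" />
    </SSLHostConfig>
  </Connector>

  <!-- AJP connector removed. AJP is only needed when a front web server (httpd
       or IIS) forwards to Tomcat over it, and a reachable AJP port is what the
       "AJP File Inclusion" scanner check keys on. If AJP really is required,
       bind it to the loopback address as shown; on 8.5.38 the version upgrade
       the security team asked for is still the actual fix. -->
  <!--
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             redirectPort="443" />
  -->

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false" />
  </Engine>
</Service>

<!-- The application's WEB-INF\web.xml (or CATALINA_BASE\conf\web.xml to cover
     every deployed app): require a confidential transport for every URL, so a
     plain-HTTP request is redirected to redirectPort instead of being served. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

After restarting the Tomcat service, `netstat -ano | findstr LISTENING` should list 443 and the shutdown port 8005 on 127.0.0.1, and nothing on 80 or 8009. Because Tomcat runs as a Windows service, binding 443 needs no extra privilege.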


Re: Content Security policy for Tomcat 8.5

2019-10-04 Thread Nitin Kadam
Hello,

Thanks for replying...

My current Tomcat version is 8.5.x, hosted on a Windows 2012 R2 server, with no
other web server as a front-end web server.

The CSP value shared with me is: "default-src 'self' 'unsafe-eval'
'unsafe-inline' *.mycompany.com; script-src 'self' 'unsafe-inline'
'unsafe-eval'; img-src 'self' *.mycompany.com data:; connect-src 'self'
*.mycompany.com"

I am new to Tomcat setup and was able to add the header filter for other
headers but didn't find much help for the CSP one.




On Fri, Oct 4, 2019 at 3:08 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Nitin,
>
> On 10/3/19 09:54, Nitin Kadam wrote:
> > Hello All,
> >
> > Internal security team recommended setting the *Content security policy*
> > header for the web server, as it is not compliant with the security
> > standard. Can you please help me set CSP filters for my Tomcat
> > application hosted on Windows Server?
>
> Do you know the value you want to use for your CSP header?
>
> Enabling the header can be done in a number of ways, including using
> http://tomcat.apache.org/tomcat-9.0-doc/rewrite.html
>
> -chris

-- 
Regards
Nitin Kadam
(9967688959)


Content Security policy for Tomcat 8.5

2019-10-03 Thread Nitin Kadam
Hello All,

Internal security team recommended setting the *Content security policy* header
for the web server, as it is not compliant with the security standard.
Can you please help me set CSP filters for my Tomcat application hosted
on Windows Server?

-- 
Regards
Nitin Kadam


Re: SSL Certificate Renewal

2019-06-18 Thread Nitin Kadam
Hello,

I want to renew the current SSL certificate,
so I am confused.
Do I need to recreate the keystore and CSR for the new certificate?

If I have to create a new keystore, how can I create it on the existing running
setup?


On Thu, Jun 13, 2019, 12:11 PM Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Nitin,
>
> On 13.6.2019. 07.37, Nitin Kadam wrote:
> > I have an Apache Tomcat server running with a publicly signed SSL certificate
> > configured in server.xml; the same certificate is expiring next week, and I
> > need steps to renew it.
> > *Server OS: Windows 2012 R2*
> > *Apache Tomcat/8.5.38*
> >
> > 1. How to generate a new CSR with a new key alias
> > 2. How to import the new cert & intermediate certificate chain in .jks
> > format
> > 3. What about the keystore & current key alias
> >
> >
> > Kindly guide me, as I will be performing this for the first time.
>
> You can find instructions here:
>
>
> http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority
>
> Regards,
> Ognjen
>


SSL Certificate Renewal

2019-06-12 Thread Nitin Kadam
Hello Team,

I have an Apache Tomcat server running with a publicly signed SSL certificate
configured in server.xml; the same certificate is expiring next week, and I
need steps to renew it.
*Server OS: Windows 2012 R2*
*Apache Tomcat/8.5.38*

1. How to generate a new CSR with a new key alias
2. How to import the new cert & intermediate certificate chain in .jks
format
3. What about the keystore & current key alias


Kindly guide me, as I will be performing this for the first time.


-- 
Regards
Nitin Kadam
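
Ognjen's link covers the keytool steps. As an added example (not from the thread, not Tomcat code), here is the same renewal done under a new alias in the existing keystore, followed by a small Java check to run before server.xml is switched to the new alias. The paths, the store password and the alias names are placeholders; the keytool options are the standard ones.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;

/*
 * Renewal under a NEW alias in the EXISTING keystore with the JDK's keytool
 * (C:\certs\..., "tomcat2019" and "intermediate" are placeholders):
 *
 *   keytool -genkeypair -alias tomcat2019 -keyalg RSA -keysize 2048 -keystore C:\certs\tomcat.jks
 *   keytool -certreq -alias tomcat2019 -keystore C:\certs\tomcat.jks -file C:\certs\tomcat2019.csr
 *   (send the CSR to the CA; when the reply arrives, import the chain first, the leaf last)
 *   keytool -importcert -alias intermediate -trustcacerts -keystore C:\certs\tomcat.jks -file C:\certs\intermediate.crt
 *   keytool -importcert -alias tomcat2019 -keystore C:\certs\tomcat.jks -file C:\certs\server.crt
 *
 * The old alias keeps serving until server.xml is pointed at the new one
 * (keyAlias on the Connector, or certificateKeyAlias inside SSLHostConfig in
 * 8.5 syntax) and Tomcat is restarted, so the running server is not disturbed
 * while the CA reply is pending. The leaf must be imported under the SAME
 * alias the CSR was made with; under any other alias it becomes a
 * trusted-certificate entry with no private key and the HTTPS connector will
 * not start.
 */
public class KeystoreCheck {

    /** Days from now until the leaf certificate stored under alias expires. */
    static long daysUntilExpiry(KeyStore ks, String alias) throws Exception {
        X509Certificate leaf = (X509Certificate) ks.getCertificateChain(alias)[0];
        return Duration.between(Instant.now(), leaf.getNotAfter().toInstant()).toDays();
    }

    /** True when every certificate in the chain is signed by the one after it. */
    static boolean chainLinks(Certificate[] chain) {
        try {
            for (int i = 0; i + 1 < chain.length; i++) {
                chain[i].verify(chain[i + 1].getPublicKey());
            }
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java KeystoreCheck <keystore.jks> <storepass> <alias>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS"); // "PKCS12" for a .p12 keystore
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }

        // Old and new aliases can coexist; show which ones carry a private key.
        for (String a : Collections.list(ks.aliases())) {
            System.out.printf("%-20s %s%n", a,
                    ks.isKeyEntry(a) ? "private key + certificate chain" : "trusted certificate only");
        }

        String alias = args[2];
        if (!ks.isKeyEntry(alias)) {
            System.out.println("FAIL: " + alias + " has no private key (was the CA reply imported under the CSR's alias?)");
            System.exit(1);
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        int problems = 0;
        System.out.println("leaf subject: " + ((X509Certificate) chain[0]).getSubjectX500Principal());
        System.out.println("chain length: " + chain.length);
        if (chain.length < 2) {
            problems++;
            System.out.println("FAIL: no intermediate stored with the key; clients that do not already hold it will reject the site");
        }
        if (!chainLinks(chain)) {
            problems++;
            System.out.println("FAIL: chain does not link; the wrong intermediate was imported");
        }
        long days = daysUntilExpiry(ks, alias);
        if (days < 30) {
            problems++;
            System.out.println("FAIL: leaf expires in " + days + " days");
        } else {
            System.out.println("leaf valid for " + days + " more days");
        }
        System.exit(problems == 0 ? 0 : 1);
    }
}
```

Compile with `javac KeystoreCheck.java` using the JDK that runs Tomcat and run `java KeystoreCheck C:\certs\tomcat.jks changeit tomcat2019`; a zero exit code means the new alias has a private key, a linked chain and more than 30 days of validity, and it is safe to switch server.xml and restart.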


Apache 2.4.39 update for Ubuntu 14.04

2019-05-13 Thread Nitin Kadam
Hello Team,

I have an Ubuntu 14.04 web server with the apache 2.4.33 package, and with the
latest release of 2.4.39 internal security asked to update it ASAP.
When I do apt-cache policy, it shows installed version 2.4.33 and candidate
also 2.4.33.

Can you please help here?

apache2:
  Installed: 2.4.33-1+ubuntu14.04.1+deb.sury.org+1
  Candidate: 2.4.33-1+ubuntu14.04.1+deb.sury.org+1
  Version table:
 *** 2.4.33-1+ubuntu14.04.1+deb.sury.org+1 0
        100 /var/lib/dpkg/status


-- 
Regards
Nitin Kadam


Re: [OT] Tomcat Apache 7.0.79 upgrade to Latest version

2019-03-07 Thread Nitin Kadam
Hello Mark,

Thanks for your suggestion, it works like a charm.


On Thu, Mar 7, 2019, 6:13 PM Mark Thomas  wrote:

> On 07/03/2019 11:24, Nitin Kadam wrote:
>
> 
>
> > Root Causejava.lang.TypeNotPresentException:
> > Type javax.persistence.PersistenceUnit not present
>
> 
>
> It looks like you are missing the JPA implementation. Check for
> additional JARs that were added to your Tomcat 7 lib directory that you
> didn't add in Tomcat 8.
>
> A better solution would be to package all the JARs the app depends on in
> the WAR file.
>
> Mark
>


Re: [OT] Tomcat Apache 7.0.79 upgrade to Latest version

2019-03-07 Thread Nitin Kadam
)


org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)


org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)


org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)


org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)


org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)


org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown
Source)

java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown
Source)


org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

java.lang.Thread.run(Unknown Source)

Root Causejava.lang.ClassNotFoundException:
javax.persistence.PersistenceUnit


org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1364)


org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1185)

java.lang.Class.forName0(Native Method)

java.lang.Class.forName(Unknown Source)


sun.reflect.generics.factory.CoreReflectionFactory.makeNamedType(Unknown
Source)


sun.reflect.generics.visitor.Reifier.visitClassTypeSignature(Unknown Source)

sun.reflect.generics.tree.ClassTypeSignature.accept(Unknown
Source)


sun.reflect.generics.visitor.Reifier.reifyTypeArguments(Unknown Source)


sun.reflect.generics.visitor.Reifier.visitClassTypeSignature(Unknown Source)

sun.reflect.generics.tree.ClassTypeSignature.accept(Unknown
Source)


sun.reflect.generics.repository.ClassRepository.getSuperInterfaces(Unknown
Source)

java.lang.Class.getGenericInterfaces(Unknown Source)


com.sun.jersey.core.spi.factory.InjectableProviderFactory.getMetaArguments(InjectableProviderFactory.java:122)


com.sun.jersey.core.spi.factory.InjectableProviderFactory.add(InjectableProviderFactory.java:85)


com.sun.jersey.core.spi.factory.InjectableProviderFactory$1.onAdd(InjectableProviderFactory.java:101)


com.sun.jersey.core.spi.factory.InjectableProviderFactory$1.onAdd(InjectableProviderFactory.java:100)


com.sun.jersey.core.spi.component.ProviderServices.getProvidersAndServices(ProviderServices.java:135)


com.sun.jersey.core.spi.factory.InjectableProviderFactory.configure(InjectableProviderFactory.java:98)


com.sun.jersey.server.impl.application.WebApplicationImpl.initiate(WebApplicationImpl.java:501)


com.sun.jersey.server.impl.application.WebApplicationImpl.initiate(WebApplicationImpl.java:383)


com.sun.jersey.spi.container.servlet.ServletContainer.initiate(ServletContainer.java:377)


com.sun.jersey.spi.container.servlet.ServletContainer$InternalWebComponent.initiate(ServletContainer.java:242)


com.sun.jersey.spi.container.servlet.WebComponent.load(WebComponent.java:449)


com.sun.jersey.spi.container.servlet.WebComponent.init(WebComponent.java:169)


com.sun.jersey.spi.container.servlet.ServletContainer.init(ServletContainer.java:281)


com.sun.jersey.spi.container.servlet.ServletContainer.init(ServletContainer.java:442)

javax.servlet.GenericServlet.init(GenericServlet.java:158)


org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)


org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)


org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)


org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)


org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)


org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)


org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)


org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)


org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown
Source)

java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown
Source)


org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

java.lang.Thread.run(Unknown Source)

Note: The full stack trace of the root cause is available in
the server logs.

Apache Tomcat/8.5.38

On Fri, Feb 22, 2019 at 6:58 PM John Dale  wrote:

> Your call.  Not sure on the video .. your applications and particular
> configuration will have bearing on the accuracy of the video.  The
> ability to revert if it doesn't work will be key.  Don't be afraid to
> take a deep breath and review the migration guides carefully.
>
> I'll try to check some email Saturday morning in case there is
> something specific I can help out with.
>
> Good luck and again .. welcome to Tomcat,
>
> John
>
>
> On 2/21/19, Niti

Re: Http insecure headers

2019-02-27 Thread Nitin Kadam
Hello ,

We don't have any reverse proxy in the middle layers, and we have added filters
in web.config only. Please find attached snaps of the same.
I am new to Tomcat, so I was not able to understand all the terms.

On Wed, Feb 27, 2019 at 9:20 PM logo  wrote:

>
>
> Hello Nitin,
>
> On 27.02.2019 16:34, Nitin Kadam wrote:
>
> > Hello Team,
> >
> > I have added the filter given below and restarted the Tomcat service, but it
> > still shows Cache-Control as private.
> > Please help me with this.
>
> Pictures are stripped off the mailing list, so better send us text logs.
>
>
> Nevertheless I told you before, the Cache-Control header may come from
> your webapp. So you have to check the web.xml of the app for a possible
> filter. Maybe it's also in the framework or the servlets itself. What is
> happening if you request a resource from another context?
> If it is set in the app, then possibly nothing in tomcat will be able to
> remove it from the response (maybe a reverse proxy like apache or
> nginx).
>
> Hope this helps.
>
> Peter
>
> > On Wed, Feb 27, 2019 at 2:54 PM logo  wrote:
> >
> >> Hi Nitin,
> >>
> >> On 27.02.2019 10:11, Nitin Kadam wrote:
> >>> Sorry for the typo in the earlier email; I was talking about ExpiresFilter only.
> >>>
> >>> So how do I add this filter and filter mapping? Do I need to add
> >>> both to the existing httpHeaderSecurity?
> >>>
> >>>
> >>> <filter>
> >>>   <filter-name>ExpiresFilter</filter-name>
> >>>   <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
> >>>   <init-param>
> >>>     <param-name>ExpiresByType image</param-name>
> >>>     <param-value>access plus 10 days</param-value>
> >>>   </init-param>
> >>>   <init-param>
> >>>     <param-name>ExpiresByType text/css</param-name>
> >>>     <param-value>access plus 10 hours</param-value>
> >>>   </init-param>
> >>>   <init-param>
> >>>     <param-name>ExpiresByType application/javascript</param-name>
> >>>     <param-value>access plus 10 minutes</param-value>
> >>>   </init-param>
> >>>   <init-param>
> >>>     <param-name>ExpiresDefault</param-name>
> >>>     <param-value>access plus 0 seconds</param-value>
> >>>   </init-param>
> >>> </filter>
> >>
> >> this is an extra entry. I don't know if you should really put this in
> >> the global web.xml or rather in your applications web.xml. Maybe Mark
> >> can let us know more about possible consequences?
> >>
> >> Add the <filter> ... AND the <filter-mapping> !!!
> >>
> >> Peter
> >>
> >>>
> >>>
> >>> On Wed, Feb 27, 2019 at 1:59 PM logo  wrote:
> >>>
> >>>> Hello Nitin,
> >>>>
> >>>> On 27.02.2019 08:52, Nitin Kadam wrote:
> >>>>> Hello,
> >>>>>
> >>>>>
> >>>>>
> >>>>> How can I change "Cache-Control: private" to "Cache-Control: no-store"?
> >>>>>
> >>>>> I searched and found that I need to add express filters in the web config
> >>>>> but am not sure where to add them in the filters.
> >>>>>
> >>>>> Can you please guide me on this?
> >>>>>
> >>>>
> >>>> as far as I can tell, that Header is already set by your application -
> >>>> Tomcat will not set it by default. Not to "private" for sure.
> >>>> So it may be necessary to change that in your config, maybe even code.
> >>>>
> >>>> Usually you would have to implement a CacheControl filter like the one
> >>>> mentioned here at stackoverflow
> >>>> https://stackoverflow.com/questions/2876250/tomcat-cache-control [1]
> >>>>
> >>>> I don't know if the new ExpiresFilter will let you set the
> >>>> Cache-Control-Header to that necessary value (other than max-age=0).
> >>>>
> >>>> From my experience and the long history of many different browsers
> >>>> using
> >>>> different headers, the one header will maybe solve a vulnscan issue
> >>>> but
> >>>> not the compatibility with "all" browsers.
> >>>>
> >>>> Peter
> >>>>
> >>>>
> >>>>>
> >>>>> On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online
> >>>>> 
> >>>>> wrote:
> >>>>>
> >>>>>> Hi Nitin,
> >>>>>>
> >>>>>> Per se this can be done by enabling the
> >>>>>> org.apache.catalina.filters.HttpHeaderSecurityFilter
> >>>>>> in the global or your webapp's web.xml
> >>&g

Re: Http insecure headers

2019-02-27 Thread Nitin Kadam
Hello Team,

I have added the filter given below and restarted the Tomcat service, but it
still shows Cache-Control as private.
Please help me with this.

[image: image.png]

On Wed, Feb 27, 2019 at 2:54 PM logo  wrote:

> Hi Nitin,
>
> On 27.02.2019 10:11, Nitin Kadam wrote:
> > Sorry for the typo in the earlier email; I was talking about ExpiresFilter only.
> >
> > So how do I add this filter and filter mapping? Do I need to add
> > both to the existing httpHeaderSecurity?
> >
> >
> > <filter>
> >   <filter-name>ExpiresFilter</filter-name>
> >   <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
> >   <init-param>
> >     <param-name>ExpiresByType image</param-name>
> >     <param-value>access plus 10 days</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>ExpiresByType text/css</param-name>
> >     <param-value>access plus 10 hours</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>ExpiresByType application/javascript</param-name>
> >     <param-value>access plus 10 minutes</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>ExpiresDefault</param-name>
> >     <param-value>access plus 0 seconds</param-value>
> >   </init-param>
> > </filter>
>
> this is an extra entry. I don't know if you should really put this in
> the global web.xml or rather in your applications web.xml. Maybe Mark
> can let us know more about possible consequences?
>
> Add the <filter> ... AND the <filter-mapping> !!!
>
> Peter
>
>
> >
> >
> > On Wed, Feb 27, 2019 at 1:59 PM logo  wrote:
> >
> >> Hello Nitin,
> >>
> >> On 27.02.2019 08:52, Nitin Kadam wrote:
> >> > Hello,
> >> >
> >> >
> >> >
> >> > How can I change "Cache-Control: private" to "Cache-Control: no-store"?
> >> >
> >> > I searched and found that I need to add express filters in the web config
> >> > but am not sure where to add them in the filters.
> >> >
> >> > Can you please guide me on this?
> >> >
> >>
> >> as far as I can tell, that Header is already set by your application -
> >> Tomcat will not set it by default. Not to "private" for sure.
> >> So it may be necessary to change that in your config, maybe even code.
> >>
> >> Usually you would have to implement a CacheControl filter like the one
> >> mentioned here at stackoverflow
> >> https://stackoverflow.com/questions/2876250/tomcat-cache-control
> >>
> >> I don't know if the new ExpiresFilter will let you set the
> >> Cache-Control-Header to that necessary value (other than max-age=0).
> >>
> >>  From my experience and the long history of many different browsers
> >> using
> >> different headers, the one header will maybe solve a vulnscan issue
> >> but
> >> not the compatibility with "all" browsers.
> >>
> >> Peter
> >>
> >>
> >> >
> >> > On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online
> >> > 
> >> > wrote:
> >> >
> >> >> Hi Nitin,
> >> >>
> >> >> Per se this can be done by enabling the
> >> >> org.apache.catalina.filters.HttpHeaderSecurityFilter
> >> >> in the global or your webapp‘s web.xml
> >> >>
> >> >> For CSP you should write your own Filter.
> >> >>
> >> >> Beware though that Content Security Policy is nothing that can be
> >> >> enabled
> >> >> without application knowhow, the right settings for your needs and
> >> >> intensive testing. You may really break inline Javascript in your
> >> >> pages
> >> >> (css too).
> >> >>
> >> >> Please check out the great websites of Scott Helme on the Headers
> >> >> https://Securityheaders.io or
> >> >> https://scotthelme.co.uk/csp-cheat-sheet/
> >> >>
> >> >>
> >> >> Peter
> >> >>
> >> >> > On 19.02.2019 at 19:13, Nitin Kadam <nitinkadam1...@gmail.com> wrote:
> >> >> >
> >> >> > Hello Team
> >> >> >
> >> >> > Need help to enable below security headers in Apache tomcat 7.0.79
> >> >> > Operating system is windows 2012 R2
> >> >> >
> >> >> > 1. Content  security headers
> >> >> > 2. HSTS header
> >> >> >
> >> >> > Regards
> >> >> > Nitin
> >> >>
> >>

-- 
Regards
Nitin Kadam
(9967688959)


Re: Http insecure headers

2019-02-27 Thread Nitin Kadam
Sorry for the typo in the earlier email; I was talking about ExpiresFilter only.

So how do I add this filter and filter mapping? Do I need to add
both to the existing httpHeaderSecurity?



<filter>
  <filter-name>ExpiresFilter</filter-name>
  <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
  <init-param>
    <param-name>ExpiresByType image</param-name>
    <param-value>access plus 10 days</param-value>
  </init-param>
  <init-param>
    <param-name>ExpiresByType text/css</param-name>
    <param-value>access plus 10 hours</param-value>
  </init-param>
  <init-param>
    <param-name>ExpiresByType application/javascript</param-name>
    <param-value>access plus 10 minutes</param-value>
  </init-param>
  <init-param>
    <param-name>ExpiresDefault</param-name>
    <param-value>access plus 0 seconds</param-value>
  </init-param>
</filter>


On Wed, Feb 27, 2019 at 1:59 PM logo  wrote:

> Hello Nitin,
>
> On 27.02.2019 08:52, Nitin Kadam wrote:
> > Hello,
> >
> >
> >
> > How can I change "Cache-Control: private" to "Cache-Control: no-store"?
> >
> > I searched and found that I need to add express filters in the web config
> > but am not sure where to add them in the filters.
> >
> > Can you please guide me on this?
> >
>
> as far as I can tell, that Header is already set by your application -
> Tomcat will not set it by default. Not to "private" for sure.
> So it may be necessary to change that in your config, maybe even code.
>
> Usually you would have to implement a CacheControl filter like the one
> mentioned here at stackoverflow
> https://stackoverflow.com/questions/2876250/tomcat-cache-control
>
> I don't know if the new ExpiresFilter will let you set the
> Cache-Control-Header to that necessary value (other than max-age=0).
>
>  From my experience and the long history of many different browsers using
> different headers, the one header will maybe solve a vulnscan issue but
> not the compatibility with "all" browsers.
>
> Peter
>
>
> >
> > On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online
> > 
> > wrote:
> >
> >> Hi Nitin,
> >>
> >> Per se this can be done by enabling the
> >> org.apache.catalina.filters.HttpHeaderSecurityFilter
> >> in the global or your webapp‘s web.xml
> >>
> >> For CSP you should write your own Filter.
> >>
> >> Beware though that Content Security Policy is nothing that can be
> >> enabled
> >> without application knowhow, the right settings for your needs and
> >> intensive testing. You may really break inline Javascript in your
> >> pages
> >> (css too).
> >>
> >> Please check out the great websites of Scott Helme on the Headers
> >> https://Securityheaders.io or
> >> https://scotthelme.co.uk/csp-cheat-sheet/
> >>
> >>
> >> Peter
> >>
> >> > On 19.02.2019 at 19:13, Nitin Kadam wrote:
> >> >
> >> > Hello Team
> >> >
> >> > Need help to enable below security headers in Apache tomcat 7.0.79
> >> > Operating system is windows 2012 R2
> >> >
> >> > 1. Content  security headers
> >> > 2. HSTS header
> >> >
> >> > Regards
> >> > Nitin
> >>
>

-- 
Regards
Nitin Kadam
(9967688959)


Re: Http insecure headers

2019-02-26 Thread Nitin Kadam
Hello,



How can I change "Cache-Control: private" to "Cache-Control: no-store"?

I searched and found that I need to add express filters in the web config but
am not sure where to add them in the filters.

Can you please guide me on this?


On Wed, Feb 20, 2019 at 3:28 AM Peter@Kreuser-Online 
wrote:

> Hi Nitin,
>
> Per se this can be done by enabling the
> org.apache.catalina.filters.HttpHeaderSecurityFilter
> in the global or your webapp‘s web.xml
>
> For CSP you should write your own Filter.
>
> Beware though that Content Security Policy is nothing that can be enabled
> without application knowhow, the right settings for your needs and
> intensive testing. You may really break inline Javascript in your pages
> (css too).
>
> Please check out the great websites of Scott Helme on the Headers
> https://Securityheaders.io or https://scotthelme.co.uk/csp-cheat-sheet/
>
>
> Peter
>
> > On 19.02.2019 at 19:13, Nitin Kadam wrote:
> >
> > Hello Team
> >
> > Need help to enable below security headers in Apache tomcat 7.0.79
> > Operating system is windows 2012 R2
> >
> > 1. Content  security headers
> > 2. HSTS header
> >
> > Regards
> > Nitin
>


-- 
Regards
Nitin Kadam
(9967688959)
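
Two things this thread leaves open are a Content-Security-Policy header (Peter's advice is a custom filter, because Tomcat 8.5's HttpHeaderSecurityFilter covers HSTS, X-Frame-Options and X-Content-Type-Options but not CSP) and a Cache-Control value that the application itself sets to private. The following is an added example serving this thread and the two CSP threads above; it is not code from the thread or from Tomcat. The package name, the init-param names policy, reportOnly and cacheControl, and the web.xml snippet in the header comment are assumptions; the policy string is the one shared in the 2019 CSP thread.

```java
package com.example.headers; // assumed package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/*
 * Servlet 3.1 (javax.servlet) filter for Tomcat 8.5. Assumed web.xml wiring,
 * listed BEFORE any other filter so everything downstream sees the wrapper:
 *
 *   <filter>
 *     <filter-name>securityHeaders</filter-name>
 *     <filter-class>com.example.headers.SecurityHeadersFilter</filter-class>
 *     <init-param><param-name>reportOnly</param-name><param-value>true</param-value></init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>securityHeaders</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class SecurityHeadersFilter implements Filter {

    // The value from the thread. 'unsafe-inline' and 'unsafe-eval' in
    // script-src re-allow exactly the inline and eval'd script CSP exists to
    // block, so this policy satisfies a header scanner but adds little XSS
    // protection; tighten it once the report-only run shows what the app needs.
    private static final String DEFAULT_POLICY =
            "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.mycompany.com; "
          + "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
          + "img-src 'self' *.mycompany.com data:; "
          + "connect-src 'self' *.mycompany.com";

    private String policy;
    private boolean reportOnly;
    private String cacheControl;

    @Override
    public void init(FilterConfig config) throws ServletException {
        policy = orDefault(config.getInitParameter("policy"), DEFAULT_POLICY);
        // Start with Content-Security-Policy-Report-Only: browsers log
        // violations instead of blocking, so inline script or CSS the policy
        // would break shows up in the console before any user is affected.
        reportOnly = Boolean.parseBoolean(config.getInitParameter("reportOnly"));
        cacheControl = orDefault(config.getInitParameter("cacheControl"), "no-store");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // Headers can only be set before the response is committed, so set
        // them up front, the way Tomcat's own HttpHeaderSecurityFilter does.
        if (!response.isCommitted()) {
            response.setHeader(reportOnly ? "Content-Security-Policy-Report-Only"
                                          : "Content-Security-Policy", policy);
            response.setHeader("Cache-Control", cacheControl);
        }
        // The thread's problem: the application sets "Cache-Control: private"
        // later in the chain. The wrapper drops any later attempt to set that
        // header, so the value chosen here is what the client receives.
        chain.doFilter(req, new PinnedCacheControl(response));
    }

    @Override
    public void destroy() {
    }

    private static String orDefault(String value, String fallback) {
        return (value == null || value.trim().isEmpty()) ? fallback : value.trim();
    }

    private static final class PinnedCacheControl extends HttpServletResponseWrapper {
        PinnedCacheControl(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void setHeader(String name, String value) {
            if (!"Cache-Control".equalsIgnoreCase(name)) {
                super.setHeader(name, value);
            }
        }

        @Override
        public void addHeader(String name, String value) {
            if (!"Cache-Control".equalsIgnoreCase(name)) {
                super.addHeader(name, value);
            }
        }
    }
}
```

Compile against CATALINA_HOME\lib\servlet-api.jar, place the class under the application's WEB-INF\classes, restart the service, and `curl -I https://yourhost/` should show both headers. Mapping the filter to /* marks images and CSS no-store as well (and overrides whatever ExpiresFilter sets for them), so either narrow the url-pattern to the dynamic paths or accept the lost caching. HSTS itself still comes from HttpHeaderSecurityFilter with hstsEnabled, as Peter described.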


Re: [OT] Tomcat Apache 7.0.79 upgrade to Latest version

2019-02-21 Thread Nitin Kadam
Hello ,

Thanks for the reply.
Yes, I am planning to remediate this on the weekend; I have already informed them
about the challenges of upgrading and the impact of any failure.

The current vulnerability CVE detected in 7.0.79 is shown as taken care of in
the 7.0.91 Tomcat version, so I am thinking of upgrading to the same family
version, which I think will be easier than upgrading to the latest
version.

I found the link below on YouTube and will be performing the same; please let me
know your thoughts.

https://www.youtube.com/watch?v=Jvum4TsTnAQ





On Thu, Feb 21, 2019 at 6:30 PM John Dale  wrote:

> Are you going to try to do this on Friday night?  You might forward
> some of our comments to your security team if they want you to change
> a tire on a moving vehicle .. it's possible, but not the best
> practice.
>
> Does your security team have the ability to allocate some more
> computing resources to your project?
>
> On 2/21/19, Nitin Kadam  wrote:
> > For backup, I will be taking a snapshot backup before doing the upgrade,
> > but I am also going to take a folder backup of the C:\Program Files\Apache
> > Tomcat folder.
> >
> > I am continuously getting emails from the internal security team about
> > upgrading version 7.0.79 to the latest version;
> > I need to figure this out ASAP.
> >
> > Apps are hosted in the webapps folder, and there are a few D3 apps
> > which connect to SQL for the database.
> >
> >
> >
> >
> > On Wed, Feb 20, 2019 at 9:45 PM John Dale  wrote:
> >
> >> Without all of those early adopters to take the flack, we'd never know
> >> where the enemy bases are .. or something like that. ;)
> >>
> >> I'm just very glad we have OpenJDK and that my code is very simple.
> >>
> >> Java 12 .. Uff da!
> >>
> >>
> >>
> >> On 2/20/19, Christopher Schultz  wrote:
> >> > John,
> >> >
> >> > On 2/20/19 10:58, John Dale wrote:
> >> >> Points taken .. I have a great deal from my cloud provider on a
> >> >> wheezy instance, so I have to see if I can negotiate to keep my
> >> >> rate. I do a lot of custom MVC and security checks so things are
> >> >> nice and tight and I haven't been hacked even though I get several
> >> >> thousand attempts a day mostly from China and Iran.  I'm also
> >> >> kicking around whether to use James or keep using postfix for
> >> >> email.  With an upgrade to Java 8 I can use the latest james
> >> >> release so I'll look into that.
> >> >>
> >> >> I've been struggling to find a nice block of time for a full
> >> >> regression test.  It's funny .. I was working for a bank a couple
> >> >> of years back that was still on Java 1.6 and that's the way they
> >> >> liked it. :)
> >> >>
> >> >> Did you see the road map for Java 10?  Seems like we're moving a
> >> >> little too fast sometimes ..
> >> >
> >> > Java 10's dead, baby.
> >> >
> >> > Java 11 will be a long-term-service release. Java 12 is already
> >> > available for pre-release.
> >> >
> >> > The biggest step is from 8 -> 9/10/11. Once you are over that, it will
> >> > be much better for everyone.
> >> >
> >> > I don't want to have to wait 10 years to get new stuff like TLS 1.3
> >> > support or the forthcoming HTTP/3, so I'm happy with the shorter
> >> > development cycles Oracle has switched-over to.
> >> >
> >> > - -chris
> >> >
> >> >> On 2/20/19, Christopher Schultz 
> >> >> wrote: John,
> >> >>
> >> >> On 2/20/19 09:11, John Dale wrote:
> >> >>>>> I'm thinking about migrating to 8 soon myself.  Maybe I'll
> >> >>>>> use this as an opportunity to get started on that .. but I
> >> >>>>> think the last time I checked, OpenJDK 7 was supported on
> >> >>>>> Wheezy, so I'm thinking I have more to do than just upgrade
> >> >>>>> tomcat in my scenario.
> >> >>
> >> >> Yes. Wheezy is essentially unsupported and I would drop everything
> >> >> and upgrade to at least Jessie like right now if I were you.
> >> >> Stretch isn't much more work and you'll be good for a few years on
> >> >> that.
> >> 

Re: [OT] Tomcat Apache 7.0.79 upgrade to Latest version

2019-02-21 Thread Nitin Kadam
For backup - I will be taking a snapshot backup before doing the upgrade but
am also going to take a folder backup of the C:\Program Files\Apache Tomcat
folder.

I am continuously getting emails from the internal security team about
upgrading version 7.0.79 to the latest version, and need to figure this
out ASAP.

Apps are hosted in the webapps folder and there are a few D3 apps
which connect to SQL for the database.




On Wed, Feb 20, 2019 at 9:45 PM John Dale  wrote:

> Without all of those early adopters to take the flack, we'd never know
> where the enemy bases are .. or something like that. ;)
>
> I'm just very glad we have OpenJDK and that my code is very simple.
>
> Java 12 .. Uff da!
>
>
>
> On 2/20/19, Christopher Schultz  wrote:
> >
> > John,
> >
> > On 2/20/19 10:58, John Dale wrote:
> >> Points taken .. I have a great deal from my cloud provider on a
> >> wheezy instance, so I have to see if I can negotiate to keep my
> >> rate. I do a lot of custom MVC and security checks so things are
> >> nice and tight and I haven't been hacked even though I get several
> >> thousand attempts a day mostly from China and Iran.  I'm also
> >> kicking around whether to use James or keep using postfix for
> >> email.  With an upgrade to Java 8 I can use the latest james
> >> release so I'll look into that.
> >>
> >> I've been struggling to find a nice block of time for a full
> >> regression test.  It's funny .. I was working for a bank a couple
> >> of years back that was still on Java 1.6 and that's the way they
> >> liked it. :)
> >>
> >> Did you see the road map for Java 10?  Seems like we're moving a
> >> little too fast sometimes ..
> >
> > Java 10's dead, baby.
> >
> > Java 11 will be a long-term-service release. Java 12 is already
> > available for pre-release.
> >
> > The biggest step is from 8 -> 9/10/11. Once you are over that, it will
> > be much better for everyone.
> >
> > I don't want to have to wait 10 years to get new stuff like TLS 1.3
> > support or the forthcoming HTTP/3, so I'm happy with the shorter
> > development cycles Oracle has switched-over to.
> >
> > - -chris
> >
> >> On 2/20/19, Christopher Schultz wrote:
> >>
> >> John,
> >>
> >> On 2/20/19 09:11, John Dale wrote:
> >>>>> I'm thinking about migrating to 8 soon myself.  Maybe I'll
> >>>>> use this as an opportunity to get started on that .. but I
> >>>>> think the last time I checked, OpenJDK 7 was supported on
> >>>>> Wheezy, so I'm thinking I have more to do than just upgrade
> >>>>> tomcat in my scenario.
> >>
> >> Yes. Wheezy is essentially unsupported and I would drop everything
> >> and upgrade to at least Jessie like right now if I were you.
> >> Stretch isn't much more work and you'll be good for a few years on
> >> that.
> >>
> >> Stretch has OpenJDK 8 packages. Current version is 1.8.0_181.
> >>
> >> Jessie looks like it only has OpenJDK 7 packages. I didn't check
> >> the backports.
> >>
> >>>>> I'll need to update linux, Java, tomcat, then finally my
> >>>>> apps. But I'm pretty CDO (that's like OCD, but alphabetical)
> >>>>> about the platform independence of my apps, so that's going
> >>>>> to be straightforward.
> >> Make sure you don't waste time upgrading from Tomcat 7 to Tomcat 8.
> >> Go directly to Tomcat 8.5, since 8.0 is no longer supported.
> >>
> >> -chris
> >>
> >>>>> On 2/20/19, Nitin Kadam  wrote:
> >>>>>> Thanks John for the reply.
> >>>>>>
> >>>>>> Is there any documentation walkthrough for this upgrade
> >>>>>> available? I am new to Tomcat and doing this for the first time;
> >>>>>> it will be a great help if anyone can provide the same.
> >>>>>>
> >>>>>> On Wed, Feb 20, 2019 at 6:49 PM Olaf Kock
> >>>>>>  wrote:
> >>>>>>
> >>>>>>>
> >>>>>>> On 20.02.19 13:57, Nitin Kadam wrote:
> >>>>>>>> Hello Team,
> >>>>>>>>
> >>>>>>>> Can you please guide how we can migrate seamlessly
> >>>>>>>> from Tomcat apache 7.0.79 to 7.0.92 or any latest
> >>>>>>>>

Re: Tomcat Apache 7.0.79 upgrade to Latest version

2019-02-20 Thread Nitin Kadam
Hello Olaf,

There are no changes to the original configuration except server.xml for
SSL and the web config for the HTTP header filter,
and yes, the application team is deploying WARs to the webapps folder.

I need to know the below details.
1. How to take a backup before the upgrade (main files).
2. How to migrate from one version to another version without
losing applications configuration and data.
3. SSL configuration.
4. Do I need to uninstall the current version and then upgrade directly
with the latest version?



Regards
Nitin


On Wed, Feb 20, 2019 at 7:28 PM Olaf Kock  wrote:

>
> On 20.02.19 14:47, Nitin Kadam wrote:
> > Thanks John for the reply.
> >
> > Is there any documentation walkthrough for this upgrade available?
> > I am new to Tomcat and doing this for the first time; it will be a great
> > help if anyone can provide the same.
>
> There's plenty of documentation on https://tomcat.apache.com - start
> there and come back here if you don't understand the documentation with
> specific questions. We don't know what's configured in your system, thus
> can't provide a solution tailored for you.
>
> As John said in a different branch of this thread, upgrading is
> typically easy. The less changes you've made to the default
> configuration, the easier the migration will be.
>
> Start with the documents I've linked earlier, If you don't understand
> parts of it, try to find that section in the regular documentation. If
> you still have problems understanding, ask the questions here.
>
> For a "walkthrough" guide for your system, there are plenty of companies
> available that provide consulting, as well as training to get you
> started. But the documentation is actually quite good.
>
> Olaf
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

-- 
Regards
Nitin Kadam
(9967688959)


Re: Tomcat Apache 7.0.79 upgrade to Latest version

2019-02-20 Thread Nitin Kadam
Thanks John for the reply.

Is there any documentation walkthrough for this upgrade available?
I am new to Tomcat and doing this for the first time; it will be a great
help if anyone can provide the same.

On Wed, Feb 20, 2019 at 6:49 PM Olaf Kock  wrote:

>
> On 20.02.19 13:57, Nitin Kadam wrote:
> > Hello Team,
> >
> > Can you please guide how we can migrate seamlessly from Tomcat
> > Apache 7.0.79 to 7.0.92 or any later version, i.e. 8.x or 9.x (Windows
> > 2012 R2 server)
>
> 7.0 to 8.0: https://tomcat.apache.org/migration-8.html
>
> 8.0 to 8.5: https://tomcat.apache.org/migration-85.html
>
> 8.x to 9.0: https://tomcat.apache.org/migration-9.html
>
> > The current environment is configured with an SSL certificate (SSL on 443)
> > in a .jks store and needs the same upgraded due to a security vulnerability
> > detected by the Qualys scanner.
>
> The documents have TLS documentation chapters. If you run into specific
> problems, describe them here.
>
> Olaf
>
>
>
>

-- 
Regards
Nitin Kadam
(9967688959)


Tomcat Apache 7.0.79 upgrade to Latest version

2019-02-20 Thread Nitin Kadam
Hello Team,

Can you please guide how we can migrate seamlessly from Tomcat
Apache 7.0.79 to 7.0.92 or any later version, i.e. 8.x or 9.x (Windows
2012 R2 server)?

The current environment is configured with an SSL certificate (SSL on 443)
in a .jks store and needs the same upgraded due to a security vulnerability
detected by the Qualys scanner.

-- 
Regards
Nitin Kadam


Http insecure headers

2019-02-19 Thread Nitin Kadam
Hello Team

I need help to enable the below security headers in Apache Tomcat 7.0.79.
The operating system is Windows 2012 R2.

1. Content security headers
2. HSTS header

Regards
Nitin