Re: security headers
Alejandro,

On 11/3/17 5:54 PM, Alejandro Vargas M. wrote:
> Can you help with an example of this url-rewrite to add this
> header?

The url-rewrite user manual is quite comprehensive, including many examples. I'm sure you can figure it out.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
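Since the thread points at the url-rewrite manual rather than showing the header being added, here is an added example (my own code, not from the thread, from Tomcat or from url-rewrite): a servlet Filter that emits the Content-Security-Policy header Alejandro's httpHeaderSecurity filter does not, deployable under the same /* mapping. The class name, package and the `policy`/`reportOnly` init-params are my choices; it assumes the Servlet 3.0 API (javax.servlet) that Tomcat 7 and later ship.

```java
package com.example;                         // assumed package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds a Content-Security-Policy header to every response that passes
 * through it. Tomcat's HttpHeaderSecurityFilter (see the web.xml quoted
 * in this thread) covers HSTS, X-Frame-Options and friends but not CSP,
 * so this runs alongside it under the same /* mapping.
 */
public class CspHeaderFilter implements Filter {

    private static final String CSP = "Content-Security-Policy";

    private String policy;       // value of the 'policy' init-param (assumed name)
    private boolean reportOnly;  // 'reportOnly' init-param (assumed name): emit ...-Report-Only

    @Override
    public void init(FilterConfig config) throws ServletException {
        policy = config.getInitParameter("policy");
        if (policy == null || policy.trim().isEmpty()) {
            // Refuse to deploy without a policy rather than silently ship no CSP at all.
            throw new ServletException(getClass().getName() + ": init-param 'policy' is required");
        }
        policy = policy.trim();
        reportOnly = Boolean.parseBoolean(config.getInitParameter("reportOnly"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse resp = (HttpServletResponse) res;
            String name = reportOnly ? CSP + "-Report-Only" : CSP;
            // Set the header *before* the chain runs: once a servlet commits the
            // response, header changes are ignored. A servlet that needs a
            // per-response nonce can still replace the value with setHeader().
            if (!resp.containsHeader(name)) {
                resp.setHeader(name, policy);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}

/* web.xml fragment (assumed names), placed next to the httpHeaderSecurity filter:

<filter>
    <filter-name>cspHeader</filter-name>
    <filter-class>com.example.CspHeaderFilter</filter-class>
    <init-param>
        <param-name>policy</param-name>
        <param-value>default-src 'self'; frame-ancestors 'none'</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>cspHeader</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
*/
```

After deploying, check with `curl -I` that the header is also present on error pages and redirects, since a servlet that resets the response discards headers set earlier; the url-rewrite manual Chris refers to documents setting response headers from a rule without any Java code, so check there if you prefer his route.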
Re: security headers
Can you help with an example of this url-rewrite to add this header? Please. Thanks in advance.

On 11/01/2017 02:03 PM, Christopher Schultz wrote:
> Alejandro,
>
> On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
>> Hello,
>>
>> I recently used on web.xml
>>
>> <filter>
>>     <filter-name>httpHeaderSecurity</filter-name>
>>     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>>     <async-supported>true</async-supported>
>> </filter>
>> <filter-mapping>
>>     <filter-name>httpHeaderSecurity</filter-name>
>>     <url-pattern>/*</url-pattern>
>> </filter-mapping>
>>
>> to enable some security headers, but it won't enable Content
>> Security Policy header. Is there any way to enable Content
>> Security Policy at top server level???
>
> What were you expecting that Filter to generate for you? A header
> which disables everything? Not terribly useful.
>
> My recommendation would be to use something like url-rewrite[1] to
> add headers to every outgoing response. url-rewrite has very
> similar capabilities to httpd's mod_headers (and much more, of
> course).
>
> -chris
>
> [1] http://tuckey.org/urlrewrite/

--
Alejandro Vargas Mayorga
Development Manager, C.A. & C.
Tel. 506-7232-3366
Email: alejandro.var...@kymsolutions.com
www.kymsolutions.com
Visit our virtual classroom!
Re: security headers
André,

On 11/2/17 9:35 AM, André Warnier (tomcat) wrote:
> You seem to be responding on the wrong thread, but here are some
> answers anyway (will save Christopher some typing)

(I was trying not to pollute this hijacked thread.)

> When tomcat starts, it will check if APR is available. If yes,
> tomcat will use it, because it is probably a bit faster than the
> Java alternative. If APR is not available, tomcat will use the
> standard Java functions, which are maybe a bit slower.

By many orders of magnitude[1]. If you are terminating TLS at Tomcat, you'll definitely want to use APR or NIO+OpenSSL (which requires Tomcat 8.5 or Tomcat 9.0). Or if you only have very minimal traffic.

-chris

[1] https://schd.ws/hosted_files/apachecon2017/93/TomcatOpenSSL.pdf
See slides 15-17
RE: security headers
Yes that was the wrong thread but thank you.

===
Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Thursday, November 2, 2017 9:36 AM
To: users@tomcat.apache.org
Subject: Re: security headers

> You seem to be responding on the wrong thread, but here are some
> answers anyway (will save Christopher some typing)
Re: security headers
You seem to be responding on the wrong thread, but here are some answers anyway (will save Christopher some typing)

On 02.11.2017 13:55, Cheltenham, Chris wrote:
> Mr. Shultz,
>
> I really appreciate your detailed answers.
> Helps me out a lot.
>
> I am now thinking big picture because my application does not require
> APR..
>
> May I ask this, what exactly does APR give me for apache-tomcat?

APR stands for "Apache Portable Run-time". Here is one explanation :
It is a software library, containing a series of functions which are often used by Apache Foundation programs of all kinds (not only tomcat), particularly in what regards network interfaces and protocols. The people who make this APR make sure that it is available for many platforms (Windows, Linux etc.), and that it is really optimised for each of these different platforms.

To access the network, tomcat can do it in 2 different ways :
1) by using standard Java functions, which always work, but are not particularly optimised for any platform
or
2) if APR is available, then tomcat can use instead some calls which exist in the APR library, and which may be more optimised for the current platform on which it is running

When tomcat starts, it will check if APR is available. If yes, tomcat will use it, because it is probably a bit faster than the Java alternative. If APR is not available, tomcat will use the standard Java functions, which are maybe a bit slower. And just to let you know that, it will print a friendly message to the log, to let you know that maybe this is not the most optimal solution, in terms of ultimate tomcat performance.
But this is just an informational message, and you can decide to ignore it, and run tomcat anyway without APR (which many people do, and most of the time they will not notice the difference).

There is a secondary effect which needs to be considered when using SSL (HTTPS) :
When tomcat finds and uses APR, it uses APR functions to access SSL sockets. And these APR functions rely on the underlying presence of SSL libraries provided by another package, named OpenSSL. These OpenSSL libraries require a particular format for the SSL keys and key stores.
When tomcat does not find APR, it will use the builtin Java functions for SSL. And these builtin functions require another format for the SSL keys and key stores.
So the parameters used in the elements are a bit different in each case. This is well explained in the tomcat on-line documentation.

> I am thinking to scrap the whole APR install.
>
> The reason I am trying to install it is because of my anal need to
> have clean logs.

I won't even try to interpret this..

> I can't stand any messages suggesting or recommending that I do this
> or that.

They are just friendly messages, like the Amazon "other readers who have purchased this book, have also liked this : ... "

> I have always tried to accommodate those recommendations.

Ah, ok. I thought you could not stand them ?

> However, in this case it may be the best to ignore the catalane log
> message saying that I should install APR.

catalane ? that's been quite a bit in the news lately. But we're quite apolitical here, and so is tomcat usually.
Re: security headers
Chris,

On 11/2/17 8:55 AM, Cheltenham, Chris wrote:
> Mr. Shultz,
>
> I really appreciate your detailed answers. Helps me out a lot.
>
> I am now thinking big picture because my application does not
> require APR.

Wrong thread?

-chris
RE: security headers
Mr. Shultz,

I really appreciate your detailed answers.
Helps me out a lot.

I am now thinking big picture because my application does not require APR.

May I ask this, what exactly does APR give me for apache-tomcat?

I am thinking to scrap the whole APR install.

The reason I am trying to install it is because of my anal need to have clean logs.
I can't stand any messages suggesting or recommending that I do this or that.
I have always tried to accommodate those recommendations.
However, in this case it may be the best to ignore the catalane log message saying that I should install APR.

===
Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, November 1, 2017 4:04 PM
To: users@tomcat.apache.org
Subject: Re: security headers

Alejandro,

On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
> Hello,
>
> I recently used on web.xml
>
> <filter>
>     <filter-name>httpHeaderSecurity</filter-name>
>     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>     <async-supported>true</async-supported>
> </filter>
> <filter-mapping>
>     <filter-name>httpHeaderSecurity</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> to enable some security headers, but it won't enable Content Security
> Policy header. Is there any way to enable Content Security Policy at
> top server level???

What were you expecting that Filter to generate for you? A header which disables everything? Not terribly useful.

My recommendation would be to use something like url-rewrite[1] to add headers to every outgoing response. url-rewrite has very similar capabilities to httpd's mod_headers (and much more, of course).

-chris

[1] http://tuckey.org/urlrewrite/
Re: security headers
Alejandro,

On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
> Hello,
>
> I recently used on web.xml
>
> <filter>
>     <filter-name>httpHeaderSecurity</filter-name>
>     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>     <async-supported>true</async-supported>
> </filter>
> <filter-mapping>
>     <filter-name>httpHeaderSecurity</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> to enable some security headers, but it won't enable Content
> Security Policy header. Is there any way to enable Content Security
> Policy at top server level???

What were you expecting that Filter to generate for you? A header which disables everything? Not terribly useful.

My recommendation would be to use something like url-rewrite[1] to add headers to every outgoing response. url-rewrite has very similar capabilities to httpd's mod_headers (and much more, of course).

-chris

[1] http://tuckey.org/urlrewrite/
security headers
Hello,

I recently used on web.xml

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

to enable some security headers, but it won't enable Content Security Policy header. Is there any way to enable Content Security Policy at top server level???

Thanks in advance.
Re: [External] Re: Security Headers Implementation in Tomcat 6.x version
On Thu, Sep 07, 2017 at 04:07:25PM +0530, Mohammad Nayeem wrote:
> We have installed apache and configured mod_jk connector along with a
> load-balancer for 2 tomcat servers.
>
> We were able to successfully start apache and we got the login page of our
> application hosted on it, but the functionality is lost. For example, when
> we hit login button on home page, nothing happens. Also, we tried to access
> some specific web page using a direct url, we ended up with an error.
>
> Do you have any suggestion for me so that we can achieve the exact same
> functionality that we had without apache in the front?

Yes:

o When you say, "we ended up with an error," tell us what the error message says. It is very difficult to diagnose an unknown error.

o When you say, "nothing happens," what should happen, in detail? Check Tomcat's log files for the time at which nothing happened. Check your application's log files for that time. If the logs say nothing about the operation, then it's time to insert more logging in your application code, or attach a debugger and step through the code, to see what it is doing.

o Your browser may have developer tools that can show you requests and responses, which may help you to determine what is happening. I like a Firefox add-on called Firebug, if you need a suggestion.

o In general, if we are to help, we need a lot more detail than "it doesn't work." Too much information is better than too little.

o My recollection is that this list does not forward attachments. If the evidence is too large to simply copy into an email body, you could post it on something like Pastebin or Github Gist and refer to the URL in your messages.

--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
RE: [External] Re: Security Headers Implementation in Tomcat 6.x version
Hello Olaf,

We have tried yours as well as Chris's suggestions, but in both the cases the functionality of the application is lost.

We have installed apache and configured mod_jk connector along with a load-balancer for 2 tomcat servers.

We were able to successfully start apache and we got the login page of our application hosted on it, but the functionality is lost. For example, when we hit login button on home page, nothing happens. Also, we tried to access some specific web page using a direct url, we ended up with an error.

Do you have any suggestion for me so that we can achieve the exact same functionality that we had without apache in the front?

Regards,
Mohammad Nayeem

-----Original Message-----
From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: 31 May 2017 16:38
To: Tomcat Users List
Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version

On 29.05.2017 at 13:34, Shaik, Mohammad N. wrote:
> Hello Olaf,
>
> Thanks for your response!
>
> Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 6 server, since our header configuration is going to be static.
>
> Can you please help us in identifying which version of Apache HTTP Server we can use for Tomcat 6 version? Also, it will be great if you can share some guidelines on how to implement Apache in front of Tomcat.

For completeness' sake I'd like to answer a few of these questions, rather briefly. It seems that you're deep into implementing Christopher's solution of compiling the newer filters for Tomcat 6.

Every current Apache httpd is fine, no version restriction. Especially: Choose one that will get updates for quite a while, not like the outdated Tomcat version you're running. Read up on mod_proxy, mod_proxy_ajp, mod_jk and mod_proxy_http, which are all keywords on the connection between Apache and tomcat. Once you've set this up, setting the headers is a matter of adding the "Header" directive to httpd's configuration.

I understand though, that setting up the connection can be some task if you've never done that. Especially if you're using https, and also refer to it in your webapp's code (e.g. to validate client certs) - but as you give no clue you're doing that, I'm assuming you don't and the setup would be easy.

Anyway, feel free to utilize the newer code - I just wanted this information to be in this thread as well. However, once you're done with it: Utilize even more newer code and prepare to migrate away from your discontinued tomcat version.

Olaf
RE: [External] Re: Security Headers Implementation in Tomcat 6.x version
Hi Chris,

We currently have 7.0.42 version which does not support security headers, so we have taken jar files from 7.0.63 and replaced those in the 7.0.42 library folder.

We were able to successfully start our tomcat instance and we got the login page of our application hosted on it, but the functionality is lost. For example, when we hit login button on home page, nothing happens. Also, we tried to access some specific web page using a direct url, we ended up with an error.

Do you have any suggestion for me so that we can achieve the exact same functionality using libraries of 7.0.63?

For your information, I have tried using later versions like Tomcat 8, but no luck.

Regards,
Mohammad Nayeem

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 01 June 2017 19:59
To: users@tomcat.apache.org
Subject: Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

Mohammad,

On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be the name of the new JAR file that I would create for the
> Filter classes?

It doesn't matter.

> There are multiple JAR files in lib folder. Does the name of these JAR
> files have any significance?

Not really.

> My understanding is that as long as your code (.class files) is
> present in any of the JAR files under "lib" folder, the system
> would get it. You don't need to have specific-named JAR files having
> specific-named .class files. The .class files from all the jar files
> under lib folder are considered as one big collection, and based on the
> invoked classname its corresponding .class file gets executed from
> that big code. Multiple JAR files with different names is setup just
> for logical classification of classes. Please correct me if this is
> not right.

You are correct. There are problems if the same class exists in two separate JAR files, but that should not be a problem in the standard Tomcat installation, plus the JAR file that has a few (unique) classes from Tomcat 7 in there.

Remember: Upgrade ASAP.

-chris

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 31 May 2017 23:52
> To: users@tomcat.apache.org
> Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version
>
> Mohammad,
>
> On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
>> Can I simply use the JAR files from Tomcat 7 that contain executable
>> code of filter classes (security headers), and put them into the
>> corresponding location in Tomcat 6?
>
> Definitely don't do that. But you could probably grab the compiled
> .class files from Tomcat 7's binary distribution... just make sure you
> have all of them.
>
> So, basically, create a new JAR file that contains only those Filter
> classes (don't forget any inner classes that might be found in
> separate .class files).
>
> -chris
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If you
> have received it in error, please notify the sender immediately and
> delete the original. Any other use of the e-mail by you is prohibited.
> Where allowed by local law, electronic communications with Accenture
> and its affiliates, including e-mail and instant messaging (including
> content), may be scanned by our systems for the purposes of
> information security and assessment of internal compliance with
> Accenture policy.
>
> www.accenture.com
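Chris's caveat above, that the same class must not exist in two JARs under lib/, is the thing to check before dropping a hand-built JAR of backported filter classes next to the stock ones. The following is an added check (my own code, not from the thread or from Tomcat) that lists every .class entry present in more than one JAR of a directory; the class and method names are mine, and it needs only the JDK.

```java
package com.example;                         // assumed package name

import java.io.File;
import java.io.FilenameFilter;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Lists .class entries that occur in more than one JAR of a directory,
 * the situation Chris warns about when a hand-built JAR of backported
 * filter classes is dropped into Tomcat's lib/ next to the stock JARs.
 * Which copy the class loader picks is not something you want to rely on.
 */
public class DuplicateClassCheck {

    /** Maps every .class entry name to the JAR file names that contain it. */
    static Map<String, List<String>> index(File dir) throws IOException {
        FilenameFilter onlyJars = (d, name) -> name.endsWith(".jar");
        File[] jars = dir.listFiles(onlyJars);
        if (jars == null) {
            throw new IOException("not a readable directory: " + dir);
        }
        Map<String, List<String>> owners = new TreeMap<>();
        for (File jar : jars) {
            try (JarFile jf = new JarFile(jar)) {
                Enumeration<JarEntry> entries = jf.entries();
                while (entries.hasMoreElements()) {
                    String name = entries.nextElement().getName();
                    if (name.endsWith(".class")) {
                        owners.computeIfAbsent(name, k -> new ArrayList<>()).add(jar.getName());
                    }
                }
            }
        }
        return owners;
    }

    /** Keeps only the entries owned by two or more JARs. */
    static Map<String, List<String>> duplicates(Map<String, List<String>> owners) {
        Map<String, List<String>> dups = new TreeMap<>();
        for (Map.Entry<String, List<String>> e : owners.entrySet()) {
            if (e.getValue().size() > 1) {
                dups.put(e.getKey(), e.getValue());
            }
        }
        return dups;
    }

    /** Usage: java com.example.DuplicateClassCheck /path/to/tomcat/lib */
    public static void main(String[] args) throws IOException {
        File lib = new File(args.length > 0 ? args[0] : "lib");
        Map<String, List<String>> dups = duplicates(index(lib));
        for (Map.Entry<String, List<String>> e : dups.entrySet()) {
            System.out.println(e.getKey() + " -> " + e.getValue());
        }
        // Non-zero exit lets a deployment script refuse to start Tomcat on a collision.
        System.exit(dups.isEmpty() ? 0 : 1);
    }
}
```

Run it against the lib/ directory after adding the backport JAR; any line of output names a class the stock Tomcat JARs already provide, which is exactly the collision Chris says to avoid.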
Re: [External] Re: Security Headers Implementation in Tomcat 6.x version
Ghgfhch Dygugjfbjg

Sent from my BlackBerry 10 smartphone.

Original message
From: Christopher Schultz
Sent: Thursday, 8 June 2017 18:43
To: users@tomcat.apache.org
Reply to: Tomcat Users List
Subject: Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

Shaik,

On 6/8/17 1:18 AM, Shaik, Mohammad N. wrote:
> Hi Olaf & Chris,
>
> By placing HTTPD 2.x server in front of Tomcat 6, is it possible to
> hide Tomcat 6 from the external world? I just don't want people to find
> out that I am using Tomcat 6, instead I want them to know that I am
> using httpd 2.x server. Is this possible?
>
> I just need Apache HTTPD server to take care of headers and let
> Tomcat do the rest of the stuff (which it is already doing in my case).
> Do I still need to configure anything other than headers in my
> case?

Not really. If you configure httpd -> Tomcat, then you can firewall-out everyone from your Tomcat server except the server running httpd. By default, httpd will return its own "Server" header so you don't even need to try to mask Tomcat's existence that way.

-chris
Re: [External] Re: Security Headers Implementation in Tomcat 6.x version
Shaik,

On 6/8/17 1:18 AM, Shaik, Mohammad N. wrote:
> Hi Olaf & Chris,
>
> By placing an HTTPD 2.x server in front of Tomcat 6, is it possible to
> hide Tomcat 6 from the external world? I just don't want people to find
> out that I am using Tomcat 6; instead I want them to know that I am
> using an httpd 2.x server. Is this possible?
>
> I just need the Apache HTTPD server to take care of headers and let
> Tomcat do the rest of the stuff (which it is already doing in my case).
> Do I still need to configure anything other than headers in my case?

Not really. If you configure httpd -> Tomcat, then you can firewall-out
everyone from your Tomcat server except the server running httpd. By
default, httpd will return its own "Server" header so you don't even
need to try to mask Tomcat's existence that way.

-chris
RE: [External] Re: Security Headers Implementation in Tomcat 6.x version
Hi Olaf & Chris,

By placing an HTTPD 2.x server in front of Tomcat 6, is it possible to hide Tomcat 6 from the external world? I just don't want people to find out that I am using Tomcat 6; instead I want them to know that I am using an httpd 2.x server. Is this possible?

I just need the Apache HTTPD server to take care of headers and let Tomcat do the rest of the stuff (which it is already doing in my case). Do I still need to configure anything other than headers in my case?

Regards,
Mohammad
Re: [External] Re: Security Headers Implementation in Tomcat 6.x version
On 02.06.2017 at 07:43, Shaik, Mohammad N. wrote:
> Hi Chris,
>
> My actual requirement was to implement 7 HTTP headers, out of which 4
> are implemented in "HttpHeaderSecurityFilter". The remaining 3 headers
> (Content-Security-Policy, Public-Key-Pins, X-Robots-Tag) are not
> addressed in any of the filters available in Tomcat 7, 8 & 9 versions.
>
> Is there any way that we implement these 3 headers in Tomcat?

Sure. Look at the implementation for the 4 headers you found. Add three more, recompile. Alternatively, add another filter just for your 3 headers. As you're creating a solution for you exclusively, you may even completely hard-code the values and conditions you need. There's no need for configuration or making it "ready for prime time" as nobody else will use this code under different circumstances.

Or write your own servlet filter for the webapps you deploy (no need to go app-server side when the webapps do what's required themselves). In those servlet filters, set those headers under conditions that you determine yourself.

Or (again, sorry) utilize httpd's mod_headers.

Olaf
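The "write your own servlet filter" option above, as an added example that is not part of the thread and not Tomcat's own code. It targets the Servlet 2.5 API that Tomcat 6 ships, so it needs no Tomcat 7 classes at all. The package name, class name and init-param names (contentSecurityPolicy, robotsTag, reportOnly) are my own choices; the default CSP is a deliberately strict placeholder that a real deployment will have to loosen. Public-Key-Pins is left out on purpose: a wrong pin set locks users out for the whole max-age, and browsers have since removed HPKP support entirely, so a filter that emits it today buys nothing and can still cause harm.

```java
package com.example.filters; // hypothetical package chosen for this example

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds Content-Security-Policy and X-Robots-Tag to every response.
 * Servlet 2.5 has no annotations, so the filter must be registered in
 * web.xml: in conf/web.xml to cover every webapp on the instance, or in
 * a webapp's WEB-INF/web.xml to cover only that webapp. For example:
 *
 *   <filter>
 *     <filter-name>extraSecurityHeaders</filter-name>
 *     <filter-class>com.example.filters.ExtraSecurityHeadersFilter</filter-class>
 *     <init-param>
 *       <param-name>contentSecurityPolicy</param-name>
 *       <param-value>default-src 'self'; object-src 'none'; frame-ancestors 'none'</param-value>
 *     </init-param>
 *     <init-param>
 *       <param-name>reportOnly</param-name>
 *       <param-value>true</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>extraSecurityHeaders</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class ExtraSecurityHeadersFilter implements Filter {

    // Strict defaults; the init-params override them per deployment.
    private String csp = "default-src 'self'; object-src 'none'; frame-ancestors 'none'";
    private String robots = "noindex, nofollow";
    // Roll a new policy out as Content-Security-Policy-Report-Only first,
    // so an over-strict policy shows up as browser reports, not a broken site.
    private boolean reportOnly = false;

    public void init(FilterConfig config) throws ServletException {
        String v = config.getInitParameter("contentSecurityPolicy");
        if (v != null && v.trim().length() > 0) {
            csp = v.trim();
        }
        v = config.getInitParameter("robotsTag");
        if (v != null && v.trim().length() > 0) {
            robots = v.trim();
        }
        reportOnly = "true".equalsIgnoreCase(config.getInitParameter("reportOnly"));

        // Refuse a CR or LF in a configured value at startup: that is the
        // shape of a response-splitting payload, whether or not the container
        // would sanitize it, and a typo in web.xml should fail loudly.
        if (csp.indexOf('\r') >= 0 || csp.indexOf('\n') >= 0
                || robots.indexOf('\r') >= 0 || robots.indexOf('\n') >= 0) {
            throw new ServletException("header values must not contain line breaks");
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Set the headers before handing off to the servlet: once the
            // response is committed, setHeader() is silently ignored.
            String name = reportOnly ? "Content-Security-Policy-Report-Only"
                                     : "Content-Security-Policy";
            http.setHeader(name, csp);
            http.setHeader("X-Robots-Tag", robots);
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Compile it against the servlet API jar in Tomcat's lib directory (on Tomcat 6 that is servlet-api.jar), jar the resulting class, and place the jar in lib if the filter is registered in conf/web.xml, or in the webapp's WEB-INF/lib if it is registered per application. Because the filter sets the headers before calling the chain, a servlet that calls response.reset() will discard them, which is the one case to check with a quick curl -I against the deployed instance.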
RE: [External] Re: Security Headers Implementation in Tomcat 6.x version
Hi Chris,

My actual requirement was to implement 7 HTTP headers, out of which 4 are implemented in "HttpHeaderSecurityFilter". The remaining 3 headers (Content-Security-Policy, Public-Key-Pins, X-Robots-Tag) are not addressed in any of the filters available in Tomcat 7, 8 & 9 versions.

Is there any way that we implement these 3 headers in Tomcat?

Regards,
Mohammad
Re: [External] Re: Security Headers Implementation in Tomcat 6.x version
Mohammad,

On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be the name of the new JAR file that I would create for
> the Filter classes?

It doesn't matter.

> There are multiple JAR files in the lib folder. Does the name of these
> JAR files have any significance?

Not really.

> My understanding is that as long as you have your code (.class
> files) present in any of the JAR files under the "lib" folder, the
> system would get it. You don't need to have specifically named JAR
> files having specifically named .class files. The .class files from all
> the jar files under the lib folder are considered as one big collection,
> and based on the invoked classname its corresponding .class file
> gets executed from that big code. Multiple JAR files with different
> names are set up just for logical classification of classes. Please
> correct me if this is not right.

You are correct. There are problems if the same class exists in two separate JAR files, but that should not be a problem in the standard Tomcat installation, plus the JAR file that has a few (unique) classes from Tomcat 7 in there.

Remember: Upgrade ASAP.

-chris
RE: [External] Re: Security Headers Implementation in Tomcat 6.x version
Hi Chris,

What should be the name of the new JAR file that I would create for the Filter classes?

There are multiple JAR files in the lib folder. Does the name of these JAR files have any significance?

My understanding is that as long as you have your code (.class files) present in any of the JAR files under the "lib" folder, the system would get it. You don't need to have specifically named JAR files having specifically named .class files. The .class files from all the jar files under the lib folder are considered as one big collection, and based on the invoked classname its corresponding .class file gets executed from that big code. Multiple JAR files with different names are set up just for logical classification of classes. Please correct me if this is not right.

- Mohammad
Re: Security Headers Implementation in Tomcat 6.x version
Mohammad,

On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
> Can I simply use the JAR files from Tomcat 7 that contain the
> executable code of the filter classes (security headers), and put them
> into the corresponding location in Tomcat 6?

Definitely don't do that. But you could probably grab the compiled .class files from Tomcat 7's binary distribution... just make sure you have all of them.

So, basically, create a new JAR file that contains only those Filter classes (don't forget any inner classes that might be found in separate .class files).

-chris
Re: Security Headers Implementation in Tomcat 6.x version
On 29.05.2017 at 13:34, Shaik, Mohammad N. wrote:
> Hello Olaf,
>
> Thanks for your response!
>
> Based on your inputs, we are thinking to put Apache httpd in front of
> the Tomcat 6 server, since our header configuration is going to be
> static.
>
> Can you please help us in identifying which version of Apache HTTP
> Server we can use for the Tomcat 6 version? Also, it will be great if
> you can share some guidelines on how to implement Apache in front of
> Tomcat.

For completeness' sake I'd like to answer a few of these questions, rather briefly. It seems that you're deep into implementing Christopher's solution of compiling the newer filters for Tomcat 6.

Every current Apache httpd is fine, no version restriction. Especially: choose one that will get updates for quite a while, not like the outdated Tomcat version you're running. Read up on mod_proxy, mod_proxy_ajp, mod_jk and mod_proxy_http, which are all keywords on the connection between Apache and Tomcat. Once you've set this up, setting the headers is a matter of adding the "Header" directive to httpd's configuration. I understand, though, that setting up the connection can be some task if you've never done that. Especially if you're using https, and also refer to it in your webapp's code (e.g. to validate client certs) - but as you give no clue you're doing that, I'm assuming you don't and the setup would be easy.

Anyway, feel free to utilize the newer code - I just wanted this information to be in this thread as well. However, once you're done with it: utilize even more newer code and prepare to migrate away from your discontinued Tomcat version.

Olaf
Re: Security Headers Implementation in Tomcat 6.x version
Hi,

2017-05-31 13:37 GMT+03:00 Shaik, Mohammad N. <mohammad.n.sh...@accenture.com>:
> Hi Chris,
>
> Can I simply use the JAR files from Tomcat 7 that contain the executable code of the filter classes (security headers), and put them into the corresponding location in Tomcat 6?

I would not recommend that. You might easily hit a variety of class loading problems. Just grab the java files and compile them against Tomcat/lib.

Regards,
Violeta

> Regards,
> Mohammad
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 30 May 2017 21:06
> To: users@tomcat.apache.org
> Subject: Re: Security Headers Implementation in Tomcat 6.x version
>
> Mohammad,
>
> On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> > Thanks for the valuable input, that helps!! We shall go with getting
> > the source package of Tomcat 7, put them in Tomcat 6 and use the
> > filters of Tomcat 7 in Tomcat 6.
> >
> > Can you please let me know from where I can get/download the source
> > package of Tomcat 7? Also can you please share the location of the
> > source package in Tomcat 6 so that we can replace it with the one from
> > Tomcat 7?
>
> The source download for Tomcat 7 is in the same place all the other downloads are.
>
> You will not need the source for Tomcat 6, nor will you need to build the complete source-to-binary for Tomcat 7. Just grab the source, take the classes you need, and compile them against the servlet JAR you already have for Tomcat 6. Feel free to re-name the packages if they are awkward for you to compile/install and then just reference the new class names in your application/server.
>
> Remember to watch for patches to those source files in Tomcat 7 in case they include e.g. security updates -- you'll want to apply those same updates to the code you have taken from Tomcat 7.
>
> A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is backward-compatible with all spec-compliant applications, though it does behave differently sometimes as the Servlet Experts Group has clarified certain questions or added new capabilities (like annotation-processing). I recommend a long period of testing with a new version of Tomcat, but I also recommend that you begin that testing as soon as possible. Tomcat 6 will probably receive *no further updates, security or otherwise*, even if a vulnerability is found.
>
> -chris
>
> > -Original Message-
> > From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> > Sent: 29 May 2017 20:57
> > To: users@tomcat.apache.org
> > Subject: Re: Security Headers Implementation in Tomcat 6.x version
> >
> > Mohammad,
> >
> > On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> >> Based on your inputs, we are thinking to put Apache httpd in front of
> >> the Tomcat 6 server, since our header configuration is going to be
> >> static.
> >
> > This might not be a bad idea for a number of reasons, but it is by no
> > means required.
> >
> > You can download the Tomcat 7 source package and use the security
> > filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> > actually requires Tomcat 7 to run.
> >
> >> Can you please help us in identifying which version of Apache HTTP
> >> Server we can use for the Tomcat 6 version? Also, it will be great if
> >> you can share some guidelines on how to implement Apache in front of
> >> Tomcat.
> >
> > All supported versions of Apache web server work with all supported
> > versions of Tomcat (as well as Tomcat 6). You have several choices for
> > how to connect them together, but the most straightforward is to use
> > mod_proxy_http from httpd to Tomcat.
> >
> > Tomcat behaves exactly as it did before and requires no additional
> > configuration unless you are moving TLS termination from Tomcat to
> > httpd. If that's the case, there are many guides on the web as well as
> > on Tomcat's Presentations Page[2] that document how to do that.
> >
> > Hope that helps, -chris
> >
> > [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
> > [2] http://tomcat.apache.org/presentations.html
Re: Security Headers Implementation in Tomcat 6.x version
Hi,

2017-05-31 13:34 GMT+03:00 Shaik, Mohammad N. <mohammad.n.sh...@accenture.com>:
>
> Hi Chris,
>
> I got the source files (.java) of the filter classes that I was looking for.
>
> Should we compile the source file against the servlet jar file(s) present in "[Tomcat]\lib\"

Yes. Compile them against the jar files located in Tomcat/lib. The servlet API classes will be loaded from Tomcat/lib a.k.a. common loader. More you can find here:
http://tomcat.apache.org/tomcat-6.0-doc/class-loader-howto.html#Class_Loader_Definitions

- Common — This class loader contains additional classes that are made visible to both Tomcat internal classes and to all web applications.
- WebappX — A class loader is created for each web application that is deployed in a single Tomcat instance.

> or "[Tomcat]\webapps\ApplicationName\WEB-INF\lib"? I see there are multiple JAR files in both these locations. How to locate the exact JAR file which should be used to compile source files?
>
> My understanding is that as long as you have your code (.class files) in any of the JAR files under "lib" folder, system would get it. You don’t need to have specific code in specific JAR file. Code from all the jar files under lib folder is considered as one big code, and based on the class invoked its corresponding code gets executed from that one big code. Please correct me if this is not right.
>
> Also, should we include the filters in web.xml file under "[Tomcat]\conf\" folder or under "WEB-INF" folder of my application?

The web.xml located in Tomcat/conf is the "global" one. The configurations there will be applied to every web application deployed on the Tomcat instance. So if you need to apply this filter to all web apps then place the definition and configurations there. Otherwise you can provide the filter definition and configurations in the WEB-INF/web.xml for a particular web app.

Regards,
Violeta

> Regards,
> Mohammad
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 30 May 2017 21:06
> To: users@tomcat.apache.org
> Subject: Re: Security Headers Implementation in Tomcat 6.x version
RE: Security Headers Implementation in Tomcat 6.x version
Hi Chris,

Can I simply use the JAR files from Tomcat 7 that contain executable code of filter classes (security headers), and put them into corresponding location in Tomcat 6?

Regards,
Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 30 May 2017 21:06
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version
RE: Security Headers Implementation in Tomcat 6.x version
Hi Chris,

I got the source files (.java) of the filter classes that I was looking for.

Should we compile the source file against the servlet jar file(s) present in "[Tomcat]\lib\" or "[Tomcat]\webapps\ApplicationName\WEB-INF\lib"? I see there are multiple JAR files in both these locations. How to locate the exact JAR file which should be used to compile source files?

My understanding is that as long as you have your code (.class files) in any of the JAR files under "lib" folder, system would get it. You don’t need to have specific code in specific JAR file. Code from all the jar files under lib folder is considered as one big code, and based on the class invoked its corresponding code gets executed from that one big code. Please correct me if this is not right.

Also, should we include the filters in web.xml file under "[Tomcat]\conf\" folder or under "WEB-INF" folder of my application?

Regards,
Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 30 May 2017 21:06
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version
Re: Security Headers Implementation in Tomcat 6.x version
Mohammad,

On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> Thanks for the valuable input, that helps!! We shall go with getting the source package of Tomcat 7, put them in Tomcat 6 and use the filters of Tomcat 7 in Tomcat 6.
>
> Can you please let me know from where I can get/download the source package of Tomcat 7? Also can you please share the location of the source package in Tomcat 6 so that we can replace it with the one from Tomcat 7?

The source download for Tomcat 7 is in the same place all the other downloads are.

You will not need the source for Tomcat 6, nor will you need to build the complete source-to-binary for Tomcat 7. Just grab the source, take the classes you need, and compile them against the servlet JAR you already have for Tomcat 6. Feel free to re-name the packages if they are awkward for you to compile/install and then just reference the new class names in your application/server.

Remember to watch for patches to those source files in Tomcat 7 in case they include e.g. security updates -- you'll want to apply those same updates to the code you have taken from Tomcat 7.

A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is backward-compatible with all spec-compliant applications, though it does behave differently sometimes as the Servlet Experts Group has clarified certain questions or added new capabilities (like annotation-processing). I recommend a long period of testing with a new version of Tomcat, but I also recommend that you begin that testing as soon as possible. Tomcat 6 will probably receive *no further updates, security or otherwise*, even if a vulnerability is found.

-chris

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 29 May 2017 20:57
> To: users@tomcat.apache.org
> Subject: Re: Security Headers Implementation in Tomcat 6.x version
RE: Security Headers Implementation in Tomcat 6.x version
Hello Chris,

Thanks for the valuable input, that helps!! We shall go with getting the source package of Tomcat 7, put them in Tomcat 6 and use the filters of Tomcat 7 in Tomcat 6.

Can you please let me know from where I can get/download the source package of Tomcat 7? Also can you please share the location of the source package in Tomcat 6 so that we can replace it with the one from Tomcat 7?

Regards,
Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 29 May 2017 20:57
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.

www.accenture.com
Re: Security Headers Implementation in Tomcat 6.x version
Mohammad,

On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 6 server, since our header configuration is going to be static.

This might not be a bad idea for a number of reasons, but it is by no means required.

You can download the Tomcat 7 source package and use the security filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that actually requires Tomcat 7 to run.

> Can you please help us in identifying which version of Apache HTTP Server we can use for Tomcat 6 version? Also, it will be great if you can share some guidelines on how to implement Apache in front of Tomcat.

All supported versions of Apache web server work with all supported versions of Tomcat (as well as Tomcat 6). You have several choices for how to connect them together, but the most straightforward is to use mod_proxy_http from httpd to Tomcat. Tomcat behaves exactly as it did before and requires no additional configuration unless you are moving TLS termination from Tomcat to httpd. If that's the case, there are many guides on the web as well as on Tomcat's Presentations Page[2] that document how to do that.

Hope that helps,
-chris

[1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
[2] http://tomcat.apache.org/presentations.html
RE: Security Headers Implementation in Tomcat 6.x version
Hello Olaf,

Thanks for your response!

Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 6 server, since our header configuration is going to be static.

Can you please help us in identifying which version of Apache HTTP Server we can use for Tomcat 6 version? Also, it will be great if you can share some guidelines on how to implement Apache in front of Tomcat.

Regards,
Mohammad Nayeem

-Original Message-
From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: 29 May 2017 13:53
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version
Re: Security Headers Implementation in Tomcat 6.x version
On 29.05.2017 at 07:59, Shaik, Mohammad N. wrote:
> We are using Tomcat 6.x version and we need to implement the following headers in our environment.
>
> Headers:
> 1) Strict-Transport-Security
> 2) Content-Security-Policy
>
> 7) X-Robots-Tag
>
> When I checked the Tomcat 6 version webpage (https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see any filters that implement any of these headers. Some of them are available in Tomcat 7 version webpage (https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot upgrade to Tomcat 7.x version due to some constraints.
>
> Can you kindly guide me how to implement these headers in Tomcat 6.x version. All your comments on this topic are welcome.

As tomcat 6 is solid out of service for almost half a year already (see http://tomcat.apache.org/tomcat-60-eol.html), you're between a rock and a hard place: Invest in a platform that's a potential security threat (it won't get any more updates) or invest in an upgrade.

That out of the way, for most cases, just have an Apache httpd in front of tomcat and use its magic to tag most of your headers. For many it will be static configuration. If there's anything dynamic that you need, implement a servlet filter that just does the job. Hardcode it - you don't need a lot of configuration if you come up with a solution that's just used within your premises. If you have multiple web applications that all need the same filter, deploy the filter on all of them.

Olaf
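Added example (not code from this thread, from Tomcat, or from any of the posters): the kind of hardcoded servlet filter Olaf suggests, written against the Servlet 2.5 API so it compiles against Tomcat 6's lib/servlet-api.jar as Violeta describes, with the web.xml registration she mentions shown in a comment at the end. The package name, class name and header values are this example's own choices and should be replaced with the policy the application actually needs; the one behavioural detail worth copying is that Strict-Transport-Security is only emitted on a secure request.

```java
// SecurityHeadersFilter.java (added example; not from the thread or from Tomcat)
// Servlet 2.5 / Java 5 compatible so it compiles against Tomcat 6:
//   javac -cp /path/to/tomcat6/lib/servlet-api.jar -d classes SecurityHeadersFilter.java
// Package, class name and header values below are this example's own assumptions.
package example.filters;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SecurityHeadersFilter implements Filter {

    // Hardcoded policy, as the thread suggests. Tighten or loosen the CSP to what the
    // application really loads before relying on it; a too-strict policy breaks pages.
    private static final String CSP = "default-src 'self'; frame-ancestors 'none'";
    private static final String HSTS = "max-age=31536000; includeSubDomains";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure: the policy lives in code
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            setIfAbsent(response, "X-Frame-Options", "DENY");
            setIfAbsent(response, "X-Content-Type-Options", "nosniff");
            setIfAbsent(response, "X-XSS-Protection", "1; mode=block");
            setIfAbsent(response, "X-Robots-Tag", "noindex, nofollow");
            setIfAbsent(response, "Content-Security-Policy", CSP);

            // HSTS only has meaning on an HTTPS response; browsers ignore it over plain
            // HTTP. isSecure() is true when Tomcat terminates TLS itself or when the
            // connector in front of it is configured to mark proxied requests as secure.
            if (request.isSecure()) {
                setIfAbsent(response, "Strict-Transport-Security", HSTS);
            }
        }
        // Headers must be added before the response is committed, so they are set
        // before the rest of the chain runs; a servlet can still override one with
        // setHeader() afterwards.
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }

    // Do not clobber a value an earlier filter in the chain has already chosen.
    private static void setIfAbsent(HttpServletResponse response, String name, String value) {
        if (!response.containsHeader(name)) {
            response.setHeader(name, value);
        }
    }
}

/* Registration, either in WEB-INF/web.xml of one application, or in Tomcat/conf/web.xml
   when every application on the instance should get the headers:

   <filter>
       <filter-name>securityHeaders</filter-name>
       <filter-class>example.filters.SecurityHeadersFilter</filter-class>
   </filter>
   <filter-mapping>
       <filter-name>securityHeaders</filter-name>
       <url-pattern>/*</url-pattern>
   </filter-mapping>

   Put the compiled class (or a jar of it) in Tomcat/lib for the global web.xml, or in
   WEB-INF/classes (WEB-INF/lib) for a single application. */
```

Public-Key-Pins from the original list is deliberately not set here: a wrong or stale pin locks every browser that has seen it out of the site until the pin expires, so it is a poor fit for a hardcoded filter. For the static headers the other route in the thread works equally well: with httpd proxying to Tomcat via mod_proxy_http, mod_headers can emit the same values (for example `Header always set X-Frame-Options "DENY"`), which keeps the policy in one place when several applications sit behind the same httpd.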
Re: How to implement Security Headers in Tomcat 6
If the technology is java/j2ee then you can implement some sort of servlet filter where you can manipulate the HTTP response to add these headers for each outgoing response. I believe other platforms like .Net should also support similar feature to customize the request and response objects.

On Mon, May 29, 2017 at 12:28 PM, Shaik, Mohammad N. <mohammad.n.sh...@accenture.com> wrote:
> Hello,
>
> Can someone please let me know if the following headers are compatible with Tomcat 6.x version? If yes, then how do we enable them?
>
> Headers:
> 1) Strict-Transport-Security
> 2) Content-Security-Policy
> 3) Public-Key-Pins
> 4) X-Frame-Options
> 5) X-XSS-Protection
> 6) X-Content-Type-Options
> 7) X-Robots-Tag
>
> Kind Regards,
> Mohammad Nayeem
How to implement Security Headers in Tomcat 6
Hello,

Can someone please let me know if the following headers are compatible with Tomcat 6.x version? If yes, then how do we enable them?

Headers:
1) Strict-Transport-Security
2) Content-Security-Policy
3) Public-Key-Pins
4) X-Frame-Options
5) X-XSS-Protection
6) X-Content-Type-Options
7) X-Robots-Tag

Kind Regards,
Mohammad Nayeem
Security Headers Implementation in Tomcat 6.x version
Hello,

We are using Tomcat 6.x version and we need to implement the following headers in our environment.

Headers:
1) Strict-Transport-Security
2) Content-Security-Policy
3) Public-Key-Pins
4) X-Frame-Options
5) X-XSS-Protection
6) X-Content-Type-Options
7) X-Robots-Tag

When I checked the Tomcat 6 version webpage (https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see any filters that implement any of these headers. Some of them are available in Tomcat 7 version webpage (https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot upgrade to Tomcat 7.x version due to some constraints.

Can you kindly guide me how to implement these headers in Tomcat 6.x version. All your comments on this topic are welcome.

Kind Regards,
Mohammad Nayeem