Re: getting some cookie & security related issues.
On 30/11/17 08:25, Naga Ramesh wrote:
> I have tried this way (secure="true") also, but application is working fine
> but we are unable to login the application & getting the oops session
> expired error message, so I have reverted this parameter.

OK. For this to work you need Tomcat to be able to distinguish whether the request it is processing was sent by the user over HTTP or HTTPS. You have three options.

1. Use AJP for the AWS ELB to Tomcat connection.

2. Configure Tomcat with two HTTP connectors. Currently you have:

with AWS ELB proxying HTTP (port 80) and HTTPS (port 443) over HTTP to port 8080 on Tomcat. For this option you need this:

You then configure AWS
- to proxy HTTP (port 80) over HTTP to port 8080 on Tomcat
- to proxy HTTPS (port 443) over HTTP to port 8443 on Tomcat

Depending on how smart AWS ELB is, you might need to add scheme="https" to the second connector.

3. Configure Tomcat to use the SSLValve and AWS to inject the necessary HTTP headers into the proxied request.

My recommendation is that you use option 2.

Mark

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
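A server.xml sketch of option 2 (two HTTP connectors), added here as an illustration; it is not the poster's attached server.xml and not from Mark's mail. The port numbers follow the thread; proxyPort="443" assumes the ELB's HTTPS listener is on 443, and the comment on the secure="true" attempt describes the usual way a Secure session cookie breaks a login, not a diagnosis of this particular application.

```xml
<!-- Illustration of option 2 from the mail above. Not the poster's server.xml;
     ports follow the thread, proxyPort="443" is assumed to be the ELB's
     HTTPS listener. Only the Connector elements inside <Service> are shown. -->

<!-- What the poster tried: secure="true" on the single connector. Every
     request, including those the ELB forwards from its plain-HTTP port-80
     listener, is now reported as secure, so JSESSIONID is always issued with
     the Secure attribute. A browser never sends a Secure cookie on an http://
     request, so any plain-HTTP hop in the login flow arrives without the
     cookie: one common way to end up at a "session expired" page. -->
<Connector port="8080" protocol="HTTP/1.1"
           secure="true"
           redirectPort="8443" />

<!-- Option 2: one connector per ELB listener, so Tomcat can tell them apart. -->

<!-- ELB port 80 (HTTP) is forwarded here. Requests stay non-secure, which is
     correct. redirectPort points at the ELB's HTTPS listener instead of 8443,
     so a redirect forced by a CONFIDENTIAL transport-guarantee goes to a port
     the client can actually reach. -->
<Connector port="8080" protocol="HTTP/1.1"
           redirectPort="443" />

<!-- ELB port 443 (HTTPS) is forwarded here. The ELB-to-Tomcat leg is still
     plain HTTP (no SSLEnabled), but secure="true" makes request.isSecure()
     return true, so the session cookie is issued with the Secure attribute.
     scheme="https" and proxyPort="443" make absolute URLs and redirects that
     Tomcat builds say https://host/... rather than http://host:8443/... -->
<Connector port="8443" protocol="HTTP/1.1"
           secure="true"
           scheme="https"
           proxyPort="443" />
```

Because the 8443 connector trusts the ELB's routing rather than anything in the request, the usual caveat from earlier in this thread applies: port 8443 on the Tomcat host must be reachable only from the load balancer.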
RE: getting some cookie & security related issues.
Thanks Olaf..

> There's one piece of information that looks suspicious to me: HTTPS from AWS to Tomcat, port 8080. While it's possible that you're doing this, 8080 is typically used to handle http requests, while 8443 would be a default choice in the 8000+ range of ports for handling https. Please confirm or deny that you have reconfigured a secure connector to listen to port 8080, otherwise it's not clear that you're indeed configuring the communication from AWS to Tomcat as an encrypted one.

User-https request --->AWS-ELB-443 & here we have applied the SSL &443 redirect to 8080 of tomcat(non SSL)

> To preempt the next mail and give more information upfront: If you indeed have tomcat listen on 8080 for http, it won't have a clue that this connection is secure, because it doesn't know anything about the original connection. You can fake the knowledge about the connection to be secure with the connector attribute secure="true", but you'll have to make sure that nobody can reach your tomcat through any other way than through your load balancer when you do.
>
> Another option is to use AJP for the communication between AWS and Tomcat (I don't know if this is supported on the AWS-ELB side). While this protocol is unencrypted, it does forward the http/https information from the original connection

I have tried this way (secure="true") also, but application is working fine but we are unable to login the application & getting the oops session expired error message, so I have reverted this parameter.

Regards,
Naga Ramesh R 1974

-----Original Message-----
From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: Thursday, November 30, 2017 1:33 PM
To: users@tomcat.apache.org
Subject: Re: getting some cookie & security related issues.

On 30.11.2017 08:52, Naga Ramesh wrote:
> User > AWS > Tomcat
>     (HTTPS)  (HTTPS)
>
> User-HTTPS request> AWS-ELB(https-443) re-direct to tomcat connector port-8080
>
> What is the (expected) path when the user makes an HTTPS request?
> Is it:
>
> User > AWS > Tomcat
>     (HTTPS)  (HTTPS)

There's one piece of information that looks suspicious to me: HTTPS from AWS to Tomcat, port 8080. While it's possible that you're doing this, 8080 is typically used to handle http requests, while 8443 would be a default choice in the 8000+ range of ports for handling https. Please confirm or deny that you have reconfigured a secure connector to listen to port 8080, otherwise it's not clear that you're indeed configuring the communication from AWS to Tomcat as an encrypted one.

To preempt the next mail and give more information upfront: If you indeed have tomcat listen on 8080 for http, it won't have a clue that this connection is secure, because it doesn't know anything about the original connection. You can fake the knowledge about the connection to be secure with the connector attribute secure="true", but you'll have to make sure that nobody can reach your tomcat through any other way than through your load balancer when you do.

Another option is to use AJP for the communication between AWS and Tomcat (I don't know if this is supported on the AWS-ELB side). While this protocol is unencrypted, it does forward the http/https information from the original connection

User->AWS

Please clarify your situation.

Thanks,
Olaf
Re: getting some cookie & security related issues.
On 30.11.2017 08:52, Naga Ramesh wrote:
> User > AWS > Tomcat
>     (HTTPS)  (HTTPS)
>
> User-HTTPS request> AWS-ELB(https-443) re-direct to tomcat connector port-8080
>
> What is the (expected) path when the user makes an HTTPS request?
> Is it:
>
> User > AWS > Tomcat
>     (HTTPS)  (HTTPS)

There's one piece of information that looks suspicious to me: HTTPS from AWS to Tomcat, port 8080. While it's possible that you're doing this, 8080 is typically used to handle http requests, while 8443 would be a default choice in the 8000+ range of ports for handling https. Please confirm or deny that you have reconfigured a secure connector to listen to port 8080, otherwise it's not clear that you're indeed configuring the communication from AWS to Tomcat as an encrypted one.

To preempt the next mail and give more information upfront: If you indeed have tomcat listen on 8080 for http, it won't have a clue that this connection is secure, because it doesn't know anything about the original connection. You can fake the knowledge about the connection to be secure with the connector attribute secure="true", but you'll have to make sure that nobody can reach your tomcat through any other way than through your load balancer when you do.

Another option is to use AJP for the communication between AWS and Tomcat (I don't know if this is supported on the AWS-ELB side). While this protocol is unencrypted, it does forward the http/https information from the original connection

User->AWS

Please clarify your situation.

Thanks,
Olaf
RE: getting some cookie & security related issues.
Hi Mark,

Please find my comments here & PFA diagram.

User > AWS > Tomcat
    (HTTPS)  (HTTPS)

User-HTTPS request> AWS-ELB(https-443) re-direct to tomcat connector port-8080

What is the (expected) path when the user makes an HTTPS request?
Is it:

User > AWS > Tomcat
    (HTTPS)  (HTTPS)

Regards,
Naga Ramesh

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Thursday, November 30, 2017 1:06 PM
To: Tomcat Users List
Subject: Re: getting some cookie & security related issues.

On 30/11/2017 06:53, Naga Ramesh wrote:
> Team,
>
> We are facing some issues on security level testing time, so please
> check the below mentioned issues and suggest me the changes on tomcat
> level ASAP.
>
> 1. *Session Cookie do not contain secure attribute:* for this
> what are all the changes I need to take are on tomcat level
>
> 2. *Site susceptible to Man-In-The-Middle HTTPS Downgrade
> attack*: Here we have used the AWS ELB with SSL and mapped to the
> tomcat instance, but in testing time instance went to http instead
> of Https, so what are all the changes need to take care for this
> issues on tomcat level.
>
> Versions:
> Tomcat version: tomcat-8.0.33
> Java Version: 1.8.0_60-b27
>
> And also attached the server.xml, web.xml & context file of tomcat/conf.

Thank you for providing the version and configuration details.

To answer your questions we need to know a little more information.

What is the (expected) path when the user makes an HTTP request?
Is it:

User > AWS > Tomcat
    (HTTP)   (HTTP)

What is the (expected) path when the user makes an HTTPS request?
Is it:

User > AWS > Tomcat
    (HTTPS)  (HTTP)

Mark
Re: getting some cookie & security related issues.
On 30/11/2017 06:53, Naga Ramesh wrote:
> Team,
>
> We are facing some issues on security level testing time, so please
> check the below mentioned issues and suggest me the changes on tomcat
> level ASAP.
>
> 1. *Session Cookie do not contain secure attribute:* for this
> what are all the changes I need to take are on tomcat level
>
> 2. *Site susceptible to Man-In-The-Middle HTTPS Downgrade
> attack*: Here we have used the AWS ELB with SSL and mapped to the
> tomcat instance, but in testing time instance went to http instead
> of Https, so what are all the changes need to take care for this
> issues on tomcat level.
>
> Versions:
> Tomcat version: tomcat-8.0.33
> Java Version: 1.8.0_60-b27
>
> And also attached the server.xml, web.xml & context file of tomcat/conf.

Thank you for providing the version and configuration details.

To answer your questions we need to know a little more information.

What is the (expected) path when the user makes an HTTP request?
Is it:

User > AWS > Tomcat
    (HTTP)   (HTTP)

What is the (expected) path when the user makes an HTTPS request?
Is it:

User > AWS > Tomcat
    (HTTPS)  (HTTP)

Mark