Re: security headers

2017-11-04 Thread Christopher Schultz

Alejandro,

On 11/3/17 5:54 PM, Alejandro Vargas M. wrote:
> You can help with an example of this url-rewrite to add this
> header,

The url-rewrite user manual is quite comprehensive, including many
examples. I'm sure you can figure it out.

-chris

> On 11/01/2017 02:03 PM, Christopher Schultz wrote:
> Alejandro,
> 
> On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
>> Hello,
>> 
>> I recently used on web.xml
>> 
>> <filter>
>>   <filter-name>httpHeaderSecurity</filter-name>
>>   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>>   <async-supported>true</async-supported>
>> </filter>
>> <filter-mapping>
>>   <filter-name>httpHeaderSecurity</filter-name>
>>   <url-pattern>/*</url-pattern>
>> </filter-mapping>
>> 
>> to enable some security headers, but it won't enable Content
>> Security Policy header. Is there any way to enable Content
>> Security Policy at top server level???
> What were you expecting that Filter to generate for you? A header 
> which disables everything? Not terribly useful.
> 
> My recommendation would be to use something like url-rewrite[1] to
> add headers to every outgoing response. url-rewrite has very
> similar capabilities to httpd's mod_headers (and much more, of
> course).
> 
> -chris
> 
> [1] http://tuckey.org/urlrewrite/
> 
> --
> Alejandro Vargas Mayorga
> Development Manager C.A. & C.
> Tel. 506-7232-3366
> Email: alejandro.var...@kymsolutions.com
> www.kymsolutions.com
> Visit our virtual classroom!
> 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: security headers

2017-11-03 Thread Alejandro Vargas M.

You can help with an example of this url-rewrite to add this header,

Please,

Thanks in advance.


On 11/01/2017 02:03 PM, Christopher Schultz wrote:


Alejandro,

On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:

Hello,

I recently used on web.xml

<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

to enable some security headers, but it won't enable Content
Security Policy header. Is there any way to enable Content Security
Policy at top server level???

What were you expecting that Filter to generate for you? A header
which disables everything? Not terribly useful.

My recommendation would be to use something like url-rewrite[1] to add
headers to every outgoing response. url-rewrite has very similar
capabilities to httpd's mod_headers (and much more, of course).

-chris

[1] http://tuckey.org/urlrewrite/





--
Alejandro Vargas Mayorga
Development Manager C.A. & C.
Tel. 506-7232-3366
Email: alejandro.var...@kymsolutions.com
www.kymsolutions.com
Visit our virtual classroom!



Re: security headers

2017-11-02 Thread Christopher Schultz

André,

On 11/2/17 9:35 AM, André Warnier (tomcat) wrote:
> You seem to be responding on the wrong thread, but here are some
> answers anyway (will save Christopher some typing)

(I was trying not to pollute this hijacked thread.)


> When tomcat starts, it will check if APR is available. If yes,
> tomcat will use it, because it is probably a bit faster than the
> Java alternative. If APR is not available, tomcat will use the
> standard Java functions, which are maybe a bit slower.

By many orders of magnitude[1]. If you are terminating TLS at Tomcat,
you'll definitely want to use APR or NIO+OpenSSL (which requires
Tomcat 8.5 or Tomcat 9.0). Or if you only have very minimal traffic.

-chris

[1] https://schd.ws/hosted_files/apachecon2017/93/TomcatOpenSSL.pdf

See slides 15-17




RE: security headers

2017-11-02 Thread Cheltenham, Chris
Yes that was the wrong thread but thank you.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Thursday, November 2, 2017 9:36 AM
To: users@tomcat.apache.org
Subject: Re: security headers

You seem to be responding on the wrong thread, but here are some answers 
anyway (will save Christopher some typing)

On 02.11.2017 13:55, Cheltenham, Chris wrote:
> Mr. Schultz,
>
> I really appreciate your detailed answers.
> Helps me out a lot.
>
> I am now thinking big picture because my application does not require 
> APR..
>
> May I ask this , what exactly does APR give me for apache-tomcat?

APR stands for "Apache Portable Run-time".
Here is one explanation :

It is a software library, containing a series of functions which are often 
used by Apache Foundation programs of all kinds (not only tomcat), 
particularly in what regards network interfaces and protocols.
The people who make this APR, make sure that it is available for many 
platforms (Windows, Linux etc.), and that it is really optimised for each of 
these different platforms.

To access the network, tomcat can do it in 2 different ways :
1) by using standard Java functions, which always work, but are not 
particularly optimised for any platform or
2) if APR is available, then tomcat can use instead, some calls which exist 
in the APR library, and which may be more optimised for the current platform 
on which it is running

When tomcat starts, it will check if APR is available. If yes, tomcat will 
use it, because it is probably a bit faster than the Java alternative.
If APR is not available, tomcat will use the standard Java functions, which 
are maybe a bit slower.
And just to let you know that, it will print a friendly message to the log, 
to let you know that maybe this is not the most optimal solution, in terms 
of ultimate tomcat performance.  But this is just an informational message, 
and you can decide to ignore it, and run tomcat anyway without APR (which 
many people do, and most of the time they will not notice the difference).

There is a secondary effect which needs to be considered when using SSL 
(HTTPS) :
When tomcat finds and uses APR, it uses APR functions to access SSL sockets. 
And these APR functions rely on the underlying presence of SSL libraries 
provided by another package, named OpenSSL. These OpenSSL libraries require 
a particular format for the SSL keys and key stores.
When tomcat does not find APR, it will use the builtin Java functions for 
SSL. And these builtin functions require another format for the SSL keys and 
key stores.
So the parameters used in the <Connector> elements are a bit different in 
each case.
This is well explained in the tomcat on-line documentation.

>
> I am thinking to scrap the whole APR install.
>
> The reason I am trying to install it is because of my anal need to
> have clean logs.

I won't even try to interpret this..

> I can’t stand any messages suggesting or recommending that I do this
> or that.

They are just friendly messages, like the Amazon "other readers who have 
purchased this book, have also liked this : ... "

> I have always tried to accommodate those recommendations.

Ah, ok. I thought you could not stand them ?

> However, in this case it may be the best to ignore the catalane log
> message saying that I should install APR.
>

catalane ? that's been quite a bit in the news lately. But we're quite 
apolitical here, and so is tomcat usually.


>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, November 1, 2017 4:04 PM
> To: users@tomcat.apache.org
> Subject: Re: security headers
>
>
> Alejandro,
>
> On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
>> Hello,
>>
>> I recently used on web.xml
>>
>> <filter>
>>   <filter-name>httpHeaderSecurity</filter-name>
>>   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>>   <async-supported>true</async-supported>
>> </filter>
>> <filter-mapping>
>>   <filter-name>httpHeaderSecurity</filter-name>
>>   <url-pattern>/*</url-pattern>
>> </filter-mapping>
>>
>> to enable some security headers, but it won't enable Content Security
>> Policy header. Is there any way to enable Content Security Policy at
>> top server level???
>
> What were you expecting that Filter to generate for you? A header which
> disables everything? Not terribly useful.
>
> My recommendation would be to use something like url-rewrite[1] to add
> headers to every outgoing response. url-rewrite has very s

Re: security headers

2017-11-02 Thread tomcat

You seem to be responding on the wrong thread, but here are some answers anyway
(will save Christopher some typing)

On 02.11.2017 13:55, Cheltenham, Chris wrote:

Mr. Schultz,

I really appreciate your detailed answers.
Helps me out a lot.

I am now thinking big picture because my application does not require APR..

May I ask this , what exactly does APR give me for apache-tomcat?


APR stands for "Apache Portable Run-time".
Here is one explanation :

It is a software library, containing a series of functions which are often used by Apache 
Foundation programs of all kinds (not only tomcat), particularly in what regards network 
interfaces and protocols.
The people who make this APR, make sure that it is available for many platforms (Windows, 
Linux etc.), and that it is really optimised for each of these different platforms.


To access the network, tomcat can do it in 2 different ways :
1) by using standard Java functions, which always work, but are not particularly optimised 
for any platform

or
2) if APR is available, then tomcat can use instead, some calls which exist in the APR 
library, and which may be more optimised for the current platform on which it is running


When tomcat starts, it will check if APR is available. If yes, tomcat will use it, because 
it is probably a bit faster than the Java alternative.
If APR is not available, tomcat will use the standard Java functions, which are maybe a 
bit slower.
And just to let you know that, it will print a friendly message to the log, to let you 
know that maybe this is not the most optimal solution, in terms of ultimate tomcat 
performance.  But this is just an informational message, and you can decide to ignore it, 
and run tomcat anyway without APR (which many people do, and most of the time they will 
not notice the difference).


There is a secondary effect which needs to be considered when using SSL (HTTPS) 
:
When tomcat finds and uses APR, it uses APR functions to access SSL sockets. And these APR 
functions rely on the underlying presence of SSL libraries provided by another package, 
named OpenSSL. These OpenSSL libraries require a particular format for the SSL keys and 
key stores.
When tomcat does not find APR, it will use the builtin Java functions for SSL. And these 
builtin functions require another format for the SSL keys and key stores.

So the parameters used in the <Connector> elements are a bit different in each 
case.
This is well explained in the tomcat on-line documentation.



I am thinking to scrap the whole APR install.

The reason I am trying to install it is because of my anal need to have
clean logs.


I won't even try to interpret this..


I can’t stand any messages suggesting or recommending that I do this or
that.


They are just friendly messages, like the Amazon "other readers who have purchased this 
book, have also liked this : ... "



I have always tried to accommodate those recommendations.


Ah, ok. I thought you could not stand them ?


However, in this case it may be the best to ignore the catalane log message
saying that I should install APR.



catalane ? that's been quite a bit in the news lately. But we're quite apolitical here, 
and so is tomcat usually.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, November 1, 2017 4:04 PM
To: users@tomcat.apache.org
Subject: Re: security headers


Alejandro,

On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:

Hello,

I recently used on web.xml

<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

to enable some security headers, but it won't enable Content Security
Policy header. Is there any way to enable Content Security Policy at
top server level???


What were you expecting that Filter to generate for you? A header which
disables everything? Not terribly useful.

My recommendation would be to use something like url-rewrite[1] to add
headers to every outgoing response. url-rewrite has very similar
capabilities to httpd's mod_headers (and much more, of course).

-chris

[1] http://tuckey.org/urlrewrite/

Re: security headers

2017-11-02 Thread Christopher Schultz

Chris,

On 11/2/17 8:55 AM, Cheltenham, Chris wrote:
> Mr. Schultz,
> 
> I really appreciate your detailed answers. Helps me out a lot.
> 
> I am now thinking big picture because my application does not
> require APR.

Wrong thread?

-chris




RE: security headers

2017-11-02 Thread Cheltenham, Chris
Mr. Schultz,

I really appreciate your detailed answers.
Helps me out a lot.

I am now thinking big picture because my application does not require APR.

May I ask this , what exactly does APR give me for apache-tomcat?

I am thinking to scrap the whole APR install.

The reason I am trying to install it is because of my anal need to have 
clean logs.
I can’t stand any messages suggesting or recommending that I do this or 
that.
I have always tried to accommodate those recommendations.
However, in this case it may be the best to ignore the catalane log message 
saying that I should install APR.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, November 1, 2017 4:04 PM
To: users@tomcat.apache.org
Subject: Re: security headers


Alejandro,

On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
> Hello,
>
> I recently used on web.xml
>
> <filter>
>   <filter-name>httpHeaderSecurity</filter-name>
>   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>   <async-supported>true</async-supported>
> </filter>
> <filter-mapping>
>   <filter-name>httpHeaderSecurity</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> to enable some security headers, but it won't enable Content Security
> Policy header. Is there any way to enable Content Security Policy at
> top server level???

What were you expecting that Filter to generate for you? A header which 
disables everything? Not terribly useful.

My recommendation would be to use something like url-rewrite[1] to add 
headers to every outgoing response. url-rewrite has very similar 
capabilities to httpd's mod_headers (and much more, of course).

-chris

[1] http://tuckey.org/urlrewrite/




Re: security headers

2017-11-01 Thread Christopher Schultz

Alejandro,

On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
> Hello,
> 
> I recently used on web.xml
> 
> <filter>
>   <filter-name>httpHeaderSecurity</filter-name>
>   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>   <async-supported>true</async-supported>
> </filter>
> <filter-mapping>
>   <filter-name>httpHeaderSecurity</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>
> 
> to enable some security headers, but it won't enable Content
> Security Policy header. Is there any way to enable Content Security
> Policy at top server level???

What were you expecting that Filter to generate for you? A header
which disables everything? Not terribly useful.

My recommendation would be to use something like url-rewrite[1] to add
headers to every outgoing response. url-rewrite has very similar
capabilities to httpd's mod_headers (and much more, of course).

-chris

[1] http://tuckey.org/urlrewrite/

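An added example, not code from this thread and not part of Tomcat or of url-rewrite: the exchange above establishes that the bundled httpHeaderSecurity filter does not emit a Content-Security-Policy header, and a plain servlet Filter of your own, mapped to `/*` exactly like that filter, is the most direct way to add one for a whole web application from web.xml. The class name `example.ContentSecurityPolicyFilter`, the `policy` init-param and the policy strings are this example's own choices; it assumes the `javax.servlet` API (Tomcat 9 and earlier; Tomcat 10 and later renamed the package to `jakarta.servlet`).

```java
// Added example (not from the thread, not Tomcat's own code): a servlet Filter
// that puts a Content-Security-Policy header on every response it sees.
//
// Register it in web.xml like the httpHeaderSecurity filter in the thread.
// The filter name, class name, init-param name and policy value below are
// this example's own choices:
//
//   <filter>
//     <filter-name>cspHeader</filter-name>
//     <filter-class>example.ContentSecurityPolicyFilter</filter-class>
//     <init-param>
//       <param-name>policy</param-name>
//       <param-value>default-src 'self'; frame-ancestors 'none'</param-value>
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>cspHeader</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
package example;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ContentSecurityPolicyFilter implements Filter {

    private static final String HEADER = "Content-Security-Policy";

    // Restrictive fallback used when web.xml does not configure a policy.
    private static final String DEFAULT_POLICY = "default-src 'self'";

    private String policy = DEFAULT_POLICY;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("policy");
        if (configured != null && !configured.trim().isEmpty()) {
            policy = configured.trim();
        }
        // Fail at startup rather than ship a malformed header: a CR or LF in
        // the value would split the header and let a second one be injected.
        if (policy.indexOf('\r') >= 0 || policy.indexOf('\n') >= 0) {
            throw new ServletException("CSP policy must not contain CR or LF");
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // setHeader (not addHeader) replaces any value another component
            // already set, so the browser sees exactly one policy.
            http.setHeader(HEADER, policy);
        }
        // The header must be set before control passes on: once the
        // application commits the response (for example by flushing a large
        // body) headers can no longer be changed.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

After deploying, confirm the header with the browser's developer tools or any HTTP client that prints response headers; start from a policy that only reports (the same value under a `Content-Security-Policy-Report-Only` header) if the application loads scripts or styles from places you have not inventoried yet, since a too-strict enforced policy shows up as a broken site rather than a log entry.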



Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-09-07 Thread Mark H. Wood
On Thu, Sep 07, 2017 at 04:07:25PM +0530, Mohammad Nayeem wrote:
> We have installed Apache and configured mod_jk connector along with a
> load-balancer for 2 tomcat servers.
> 
> We were able to successfully start apache and we got the login page of our
> application hosted on it, but the functionality is lost. For example, when
> we hit login button on home page, nothing happens. Also, we tried access
> some specific web page using a direct url, we ended up with an error.
> 
> Do you have any suggestion for me so that we can achieve the exact same
> functionality that we had without apache in the front?

Yes:

o  When you say, "we ended up with an error," tell us what the error
   message says.  It is very difficult to diagnose an unknown error.

o  When you say, "nothing happens," what should happen, in detail?
   Check Tomcat's log files for the time at which nothing happened.
   Check your application's log files for that time.  If the logs say
   nothing about the operation, then it's time to insert more logging
   in your application code, or attach a debugger and step through the
   code, to see what it is doing.

o  Your browser may have developer tools that can show you requests
   and responses, which may help you to determine what is happening.
   I like a Firefox add-on called Firebug, if you need a suggestion.

o  In general, if we are to help, we need a lot more detail than "it
   doesn't work."  Too much information is better than too little.

o  My recollection is that this list does not forward attachments.  If
   the evidence is too large to simply copy into an email body, you
   could post it on something like Pastebin or Github Gist and refer
   to the URL in your messages.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu




RE: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-09-07 Thread Mohammad Nayeem
Hello Olaf,

We have tried yours as well as Chris's suggestions, but in both the cases
the functionality of the application is lost.

We have installed Apache and configured mod_jk connector along with a
load-balancer for 2 tomcat servers.

We were able to successfully start apache and we got the login page of our
application hosted on it, but the functionality is lost. For example, when
we hit login button on home page, nothing happens. Also, we tried access
some specific web page using a direct url, we ended up with an error.

Do you have any suggestion for me so that we can achieve the exact same
functionality that we had without apache in the front?


Regards,
Mohammad Nayeem

-Original Message-
From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: 31 May 2017 16:38
To: Tomcat Users List <users@tomcat.apache.org>
Subject: [External] Re: Security Headers Implementation in Tomcat 6.x
version

On 29.05.2017 at 13:34, Shaik, Mohammad N. wrote:
> Hello Olaf,
>
> Thanks for your response!
>
> Based on your inputs, we are thinking to put Apache httpd in front of
> Tomcat 6 server, since our header configuration is going to be static.
>
> Can you please help us in identifying which version of Apache HTTP Server
> we can use for Tomcat 6 version? Also, it will be great if you can share
> some guidelines on how to implement Apache in front of Tomcat.

For completeness sake I'd like to answer a few of these questions, rather
briefly. It seems that you're deep into implementing Christopher's solution
of compiling the newer filters for Tomcat 6.

Every current Apache httpd is fine, no version restriction. Especially:
Choose one that will get updates for quite a while, not like the outdated
Tomcat version you're running. Read on mod_proxy, mod_proxy_ajp, mod_jk and
mod_proxy_http, which are all keywords on the connection between Apache and
tomcat. Once you've set this up, setting the headers is a matter of adding
the "Header" directive to httpd's configuration. I understand though, that
setting up the connection can be some task if you've never done that.
Especially if you're using https, and also refer to it in your webapp's
code (e.g. to validate client certs) - but as you give no clue you're doing
that, I'm assuming you don't and the setup would be easy.

Anyway, feel free to utilize the newer code - I just wanted this
information to be in this thread as well. However, once you're done with
it: Utilize even more newer code and prepare to migrate away from your
discontinued tomcat version.

Olaf



RE: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-09-07 Thread Mohammad Nayeem
Hi Chris,


We currently have 7.0.42 version which does not support security headers,
so we have taken jar files from 7.0.63 and replaced with the those in
7.0.42 library folder. We were able to successfully start our tomcat
instance and we got the login page of our application hosted on it, but the
functionality is lost. For example, when we hit login button on home page,
nothing happens. Also, we tried access some specific web page using a
direct url, we ended up with an error.


Do you have any suggestion for me so that we can achieve the exact same
functionality using libraries of 7.0.63? For your information, I  have
tried using more latest versions like Tomcat 8, but no luck.



Regards,

Mohammad Nayeem

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 01 June 2017 19:59
To: users@tomcat.apache.org
Subject: Re: [External] Re: Security Headers Implementation in Tomcat 6.x
version

Mohammad,

On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be name of the new JAR file that I would create for the
> Filter classes?

It doesn't matter.

> There are multiple JAR files in lib folder. Does the name of these JAR
> files have any significance?

Not really.

> My understanding is that as long as you have your code (.class
> files) is present in any of the JAR files under "lib" folder, system
> would get it. You don't need to have a specific-named JAR files having
> specific-named .class files. The .class files from all the jar files
> under lib folder is considered as one big collection, and based on the
> invoked classname its corresponding .class file gets executed from
> that big code. Multiple JAR files with different names is setup just
> for logical classification of classes. Please correct me if this is
> not right.

You are correct. There are problems if the same class exists in two
separate JAR files, but that should not be a problem in the standard Tomcat
installation, plus the JAR file that has a few (unique) classes from Tomcat
7 in there.

Remember: Upgrade ASAP.

-chris

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 31 May 2017 23:52
> To: users@tomcat.apache.org
> Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version
>
> Mohammad,
>
> On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
>> Can I simply use the JAR files from Tomcat 7 that contains executable
>> code of filter classes (security headers), and put them into
>> corresponding location in Tomcat 6?
>
> Definitely don't do that. But you could probably grab the compiled
> .class files from Tomcat 7's binary distribution... just make sure you
> have all of them.
>
> So, basically, create a new JAR file that contains only those Filter
> classes (don't forget any inner classes that might be found in
> separate .class files).
>
> -chris


Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-08 Thread kmaxwilliams43
Ghgfhch 
Dygugjfbjg

Sent from my BlackBerry 10 smartphone.
  Original message  
From: Christopher Schultz
Sent: Thursday, 8 June 2017 18:43
To: users@tomcat.apache.org
Reply to: Tomcat Users List
Subject: Re: [External] Re: Security Headers Implementation in Tomcat 6.x version


Shaik,

On 6/8/17 1:18 AM, Shaik, Mohammad N. wrote:
> Hi Olaf & Chris,
> 
> By placing HTTPD 2.x server in front of Tomcat 6, is it possible to
> hide Tomcat 6 from external world? I just don’t want people to find
> out that I am using Tomcat 6, instead I want them to know that I am
> using httpd 2.x server. Is this possible?
> 
> I just need Apache HTTPD server to take care of headers and let
> Tomcat do rest of the stuff (which it is already doing in my case).
> Do I still need to configure anything other than headers in my
> case?

Not really. If you configure httpd -> Tomcat, then you can
firewall-out everyone from your Tomcat server except the server
running httpd.

By default, httpd will return its own "Server" header so you don't
even need to try to mask Tomcat's existence that way.

-chris

> -Original Message-
> From: Olaf Kock [mailto:tom...@olafkock.de]
> Sent: 31 May 2017 16:38
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version
> 
> On 29.05.2017 at 13:34, Shaik, Mohammad N. wrote:
>> Hello Olaf,
>> 
>> Thanks for your response!
>> 
>> Based on your inputs, we are thinking to put Apache httpd in
>> front of Tomcat 6 server, since our header configuration is going
>> to be static.
>> 
>> Can you please help us in identifying which version of Apache
>> HTTP Server we can use for Tomcat 6 version? Also, it will be
>> great if you can share some guidelines on how to implement Apache
>> in front of Tomcat.
> 
> For completeness sake I'd like to answer a few of these questions,
> rather briefly. It seems that you're deep into implementing
> Christopher's solution of compiling the newer filters for Tomcat
> 6.
> 
> Every current Apache httpd is fine, no version restriction.
> Especially: Choose one that will get updates for quite a while, not
> like the outdated Tomcat version you're running. Read on mod_proxy,
> mod_proxy_ajp, mod_jk and mod_proxy_http, which are all keywords on
> the connection between Apache and tomcat. Once you've set this up,
> setting the headers is a matter of adding the "Header" directive to
> httpd's configuration. I understand though, that setting up the
> connection can be some task if you've never done that. Especially
> if you're using https, and also refer to it in your webapp's code
> (e.g. to validate client certs) - but as you give no clue you're
> doing that, I'm assuming you don't and the setup would be easy.
> 
> Anyway, feel free to utilize the newer code - I just wanted this
> information to be in this thread as well. However, once you're done
> with it: Utilize even more newer code and prepare to migrate away
> from your discontinued tomcat version.
> 
> Olaf
> 

Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-08 Thread Christopher Schultz

Shaik,

On 6/8/17 1:18 AM, Shaik, Mohammad N. wrote:
> Hi Olaf & Chris,
> 
> By placing HTTPD 2.x server in front of Tomcat 6, is it possible to
> hide Tomcat 6 from external world? I just don’t want people to find
> out that I am using Tomcat 6, instead I want them to know that I am
> using httpd 2.x server. Is this possible?
> 
> I just need Apache HTTPD server to take care of headers and let
> Tomcat do rest of the stuff (which it is already doing in my case).
> Do I still need to configure anything other than headers in my
> case?

Not really. If you configure httpd -> Tomcat, then you can
firewall-out everyone from your Tomcat server except the server
running httpd.

By default, httpd will return its own "Server" header so you don't
even need to try to mask Tomcat's existence that way.

-chris

> -Original Message-
> From: Olaf Kock [mailto:tom...@olafkock.de]
> Sent: 31 May 2017 16:38
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version
> 
> Am 29.05.2017 um 13:34 schrieb Shaik, Mohammad N.:
>> Hello Olaf,
>> 
>> Thanks for your response!
>> 
>> Based on your inputs, we are thinking to put Apache httpd in
>> front of Tomcat 6 server, since our header configuration is going
>> to be static.
>> 
>> Can you please help us in identifying which version of Apache
>> HTTP Server we can use for Tomcat 6 version? Also, it will be
>> great if you can share some guidelines on how to implement Apache
>> in front of Tomcat.
> 
> For completeness sake I'd like to answer a few of these questions,
> rather briefly. It seems that you're deep into implementing
> Christopher's solution of compiling the newer filters for Tomcat
> 6.
> 
> Every current Apache httpd is fine, no version restriction.
> Especially: Choose one that will get updates for quite a while, not
> like the outdated Tomcat version you're running. Read on mod_proxy,
> mod_proxy_ajp, mod_jk and mod_proxy_http, which are all keywords on
> the connection between Apache and tomcat. Once you've set this up,
> setting the headers is a matter of adding the "Header" directive to
> httpd's configuration. I understand though, that setting up the
> connection can be some task if you've never done that. Especially
> if you're using https, and also refer to it in your webapp's code
> (e.g. to validate client certs) - but as you give no clue you're
> doing that, I'm assuming you don't and the setup would be easy.
> 
> Anyway, feel free to utilize the newer code - I just wanted this
> information to be in this thread as well. However, once you're done
> with it: Utilize even more newer code and prepare to migrate away
> from your discontinued tomcat version.
> 
> Olaf
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If
> you have received it in error, please notify the sender immediately
> and delete the original. Any other use of the e-mail by you is
> prohibited. Where allowed by local law, electronic communications
> with Accenture and its affiliates, including e-mail and instant
> messaging (including content), may be scanned by our systems for
> the purposes of information security and assessment of internal
> compliance with Accenture policy.
> __
> www.accenture.com

RE: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-07 Thread Shaik, Mohammad N.
Hi Olaf & Chris,

By placing HTTPD 2.x server in front of Tomcat 6, is it possible to hide Tomcat 
6 from external world? I just don’t want people to find out that I am using 
Tomcat 6, instead I want them to know that I am using httpd 2.x server. Is this 
possible?

I just need Apache HTTPD server to take care of headers and let Tomcat do rest 
of the stuff (which it is already doing in my case). Do I still need to 
configure anything other than headers in my case?


Regards,
Mohammad

-Original Message-
From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: 31 May 2017 16:38
To: Tomcat Users List <users@tomcat.apache.org>
Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version

Am 29.05.2017 um 13:34 schrieb Shaik, Mohammad N.:
> Hello Olaf,
>
> Thanks for your response!
>
> Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 
> 6 server, since our header configuration is going to be static.
>
> Can you please help us in identifying which version of Apache HTTP Server we 
> can use for Tomcat 6 version? Also, it will be great if you can share some 
> guidelines on how to implement Apache in front of Tomcat.

For completeness sake I'd like to answer a few of these questions, rather 
briefly. It seems that you're deep into implementing Christopher's solution of 
compiling the newer filters for Tomcat 6.

Every current Apache httpd is fine, no version restriction. Especially:
Choose one that will get updates for quite a while, not like the outdated 
Tomcat version you're running. Read on mod_proxy, mod_proxy_ajp, mod_jk and 
mod_proxy_http, which are all keywords on the connection between Apache and 
tomcat. Once you've set this up, setting the headers is a matter of adding the 
"Header" directive to httpd's configuration. I understand though, that setting 
up the connection can be some task if you've never done that. Especially if 
you're using https, and also refer to it in your webapp's code (e.g. to 
validate client certs) - but as you give no clue you're doing that, I'm 
assuming you don't and the setup would be easy.

Anyway, feel free to utilize the newer code - I just wanted this information to 
be in this thread as well. However, once you're done with
it: Utilize even more newer code and prepare to migrate away from your 
discontinued tomcat version.

Olaf






Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-02 Thread Olaf Kock


Am 02.06.2017 um 07:43 schrieb Shaik, Mohammad N.:
> Hi Chris,
>
> My actual requirement was to implement 7 HTTP headers, out of which
> 4 are implemented in "HttpHeaderSecurityFilter". The remaining 3 headers
> (Content-Security-Policy, Public-Key-Pins, X-Robots-Tag) are not
> addressed in any of the filters available in Tomcat 7, 8 & 9 versions.
>
> Is there any way that we implement these 3 headers in Tomcat?

Sure. Look at the implementation for the 4 headers you found. Add three
more, recompile. Alternatively, add another filter just for your 3 headers.

As you're creating a solution for you exclusively, you may even
completely hard code the values and conditions you need. There's no need
for configuration or making it "ready for prime time" as nobody else
will use this code under different circumstances.

Or write your own servlet filter for the webapps you deploy (no need to
go app-server side when the webapps do what's required themselves). In
those servlet filters, set those headers under conditions that you
determine yourself.

Or (again, sorry) utilize httpd's mod_headers.

Olaf
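
An added example of the hand-written servlet filter Olaf suggests above; this is not code from the thread or from Tomcat. It hard-codes Content-Security-Policy and X-Robots-Tag for one deployment and applies one of them conditionally, as his "conditions that you determine yourself" allows. The package name, the policy values and the /legacy/ path prefix are assumptions; Public-Key-Pins is left out because its pin values are deployment-specific and browsers have since dropped support for that header.

```java
package com.example.filters; // assumed package name

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Sets the two response headers from this thread that HttpHeaderSecurityFilter
 * does not cover. Values are fixed for this one deployment, so there is no
 * init-param handling; change the constants, recompile, redeploy.
 *
 * Compile against the servlet API that ships with Tomcat 6, for example:
 *   javac -cp "$CATALINA_HOME/lib/servlet-api.jar" ExtraSecurityHeadersFilter.java
 *
 * Register it in WEB-INF/web.xml of one app, or in conf/web.xml for every app
 * on the instance (Servlet 2.5 has no annotations, so the XML is required):
 *   <filter>
 *     <filter-name>extraSecurityHeaders</filter-name>
 *     <filter-class>com.example.filters.ExtraSecurityHeadersFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>extraSecurityHeaders</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class ExtraSecurityHeadersFilter implements Filter {

    // Assumed policy: everything same-origin, no inline script, no plugins,
    // and the app may not be framed by any other origin.
    private static final String CSP =
        "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'";

    // Assumed crawler policy: nothing this app serves should be indexed.
    private static final String ROBOTS = "noindex, nofollow";

    // Assumed path prefix for an older part of the app that still relies on
    // inline script and would break under the enforcing policy.
    private static final String LEGACY_PREFIX = "/legacy/";

    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to read: the values above are deliberately hard-coded.
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest
                && response instanceof HttpServletResponse) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            HttpServletResponse httpResponse = (HttpServletResponse) response;

            // Path inside this webapp, i.e. the request URI minus the context path.
            String path = httpRequest.getRequestURI()
                    .substring(httpRequest.getContextPath().length());

            // Headers must be set before the application writes the body: once
            // the response is committed, setHeader() is silently ignored.
            if (path.startsWith(LEGACY_PREFIX)) {
                // Report-only keeps the legacy pages working while violations
                // still show up in the browser console for the developers.
                httpResponse.setHeader("Content-Security-Policy-Report-Only", CSP);
            } else {
                httpResponse.setHeader("Content-Security-Policy", CSP);
            }
            httpResponse.setHeader("X-Robots-Tag", ROBOTS);
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // No resources held.
    }
}
```

A filter only sees responses that pass through the servlet container, so anything httpd serves directly (static files, error pages) still needs the Header directive Olaf mentions.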






RE: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-01 Thread Shaik, Mohammad N.
Hi Chris,

My actual requirement was to implement 7 HTTP headers, out of which 4 are 
implemented in "HttpHeaderSecurityFilter". The remaining 3 headers 
(Content-Security-Policy, Public-Key-Pins, X-Robots-Tag) are not addressed in 
any of the filters available in Tomcat 7, 8 & 9 versions.

Is there any way that we implement these 3 headers in Tomcat?


Regards,
Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 01 June 2017 19:59
To: users@tomcat.apache.org
Subject: Re: [External] Re: Security Headers Implementation in Tomcat 6.x 
version


Mohammad,

On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be name of the new JAR file that I would create for the
> Filter classes?

It doesn't matter.

> There are multiple JAR files in lib folder. Does the name of these JAR
> files have any significance?

Not really.

> My understanding is that as long as you have your code (.class
> files) is present in any of the JAR files under "lib" folder, system
> would get it. You don’t need to have a specific-named JAR files having
> specific-named .class files. The .class files from all the jar files
> under lib folder is considered as one big collection, and based on the
> invoked classname its corresponding .class file gets executed from
> that big code. Multiple JAR files with different names is setup just
> for logical classification of classes. Please correct me if this is
> not right.

You are correct. There are problems if the same class exists in two separate 
JAR files, but that should not be a problem in the standard Tomcat 
installation, plus the JAR file that has a few (unique) classes from Tomcat 7 
in there.

Remember: Upgrade ASAP.

-chris

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 31 May 2017 23:52
> To: users@tomcat.apache.org
> Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version
>
> Mohammad,
>
> On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
>> Can I simply use the JAR files from Tomcat 7 that contains executable
>> code of filter classes (security headers), and put them into
>> corresponding location in Tomcat 6?
>
> Definitely don't do that. But you could probably grab the compiled
> .class files from Tomcat 7's binary distribution... just make sure you
> have all of them.
>
> So, basically, create a new JAR file that contains only those Filter
> classes (don't forget any inner classes that might be found in
> separate .class files).
>
> -chris
>

Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-01 Thread Christopher Schultz

Mohammad,

On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be name of the new JAR file that I would create for
> the Filter classes?

It doesn't matter.

> There are multiple JAR files in lib folder. Does the name of these 
> JAR files have any significance?

Not really.

> My understanding is that as long as you have your code (.class 
> files) is present in any of the JAR files under "lib" folder,
> system would get it. You don’t need to have a specific-named JAR
> files having specific-named .class files. The .class files from all
> the jar files under lib folder is considered as one big collection,
> and based on the invoked classname its corresponding .class file
> gets executed from that big code. Multiple JAR files with different
> names is setup just for logical classification of classes. Please
> correct me if this is not right.

You are correct. There are problems if the same class exists in two
separate JAR files, but that should not be a problem in the standard
Tomcat installation, plus the JAR file that has a few (unique) classes
from Tomcat 7 in there.

Remember: Upgrade ASAP.

-chris

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 31 May 2017 23:52
> To: users@tomcat.apache.org
> Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version
> 
> Mohammad,
> 
> On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
>> Can I simply use the JAR files from Tomcat 7 that contains
>> executable code of filter classes (security headers), and put
>> them into corresponding location in Tomcat 6?
> 
> Definitely don't do that. But you could probably grab the compiled
> .class files from Tomcat 7's binary distribution... just make sure
> you have all of them.
> 
> So, basically, create a new JAR file that contains only those
> Filter classes (don't forget any inner classes that might be found
> in separate .class files).
> 
> -chris



RE: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Shaik, Mohammad N.
Hi Chris,

What should be name of the new JAR file that I would create for the Filter 
classes?

There are multiple JAR files in lib folder. Does the name of these JAR files 
have any significance?

My understanding is that as long as you have your code (.class files) is 
present in any of the JAR files under "lib" folder, system would get it. You 
don’t need to have a specific-named JAR files having specific-named .class 
files. The .class files from all the jar files under lib folder is considered 
as one big collection, and based on the invoked classname its corresponding 
.class file gets executed from that big code. Multiple JAR files with different 
names is setup just for logical classification of classes. Please correct me if 
this is not right.

- Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 31 May 2017 23:52
To: users@tomcat.apache.org
Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version


Mohammad,

On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
> Can I simply use the JAR files from Tomcat 7 that contains executable
> code of filter classes (security headers), and put them into
> corresponding location in Tomcat 6?

Definitely don't do that. But you could probably grab the compiled .class files 
from Tomcat 7's binary distribution... just make sure you have all of them.

So, basically, create a new JAR file that contains only those Filter classes 
(don't forget any inner classes that might be found in separate .class files).

-chris


Re: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Christopher Schultz

Mohammad,

On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
> Can I simply use the JAR files from Tomcat 7 that contains 
> executable code of filter classes (security headers), and put them 
> into corresponding location in Tomcat 6?

Definitely don't do that. But you could probably grab the compiled
.class files from Tomcat 7's binary distribution... just make sure you
have all of them.

So, basically, create a new JAR file that contains only those Filter
classes (don't forget any inner classes that might be found in
separate .class files).

-chris



Re: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Olaf Kock
Am 29.05.2017 um 13:34 schrieb Shaik, Mohammad N.:
> Hello Olaf,
>
> Thanks for your response!
>
> Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 
> 6 server, since our header configuration is going to be static.
>
> Can you please help us in identifying which version of Apache HTTP Server we 
> can use for Tomcat 6 version? Also, it will be great if you can share some 
> guidelines on how to implement Apache in front of Tomcat.

For completeness sake I'd like to answer a few of these questions,
rather briefly. It seems that you're deep into implementing
Christopher's solution of compiling the newer filters for Tomcat 6.

Every current Apache httpd is fine, no version restriction. Especially:
Choose one that will get updates for quite a while, not like the
outdated Tomcat version you're running. Read on mod_proxy,
mod_proxy_ajp, mod_jk and mod_proxy_http, which are all keywords on the
connection between Apache and tomcat. Once you've set this up, setting
the headers is a matter of adding the "Header" directive to httpd's
configuration. I understand though, that setting up the connection can
be some task if you've never done that. Especially if you're using
https, and also refer to it in your webapp's code (e.g. to validate
client certs) - but as you give no clue you're doing that, I'm assuming
you don't and the setup would be easy.

Anyway, feel free to utilize the newer code - I just wanted this
information to be in this thread as well. However, once you're done with
it: Utilize even more newer code and prepare to migrate away from your
discontinued tomcat version.

Olaf






Re: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Violeta Georgieva
Hi,

2017-05-31 13:37 GMT+03:00 Shaik, Mohammad N. <mohammad.n.sh...@accenture.com>:
>
> Hi Chris,
>
> Can I simply use the JAR files from Tomcat 7 that contains executable
> code of filter classes (security headers), and put them into corresponding
> location in Tomcat 6?

I would not recommend that. You might easily hit a variety of class loading
problems.
Just grab the java files and compile them against Tomcat/lib.

Regards,
Violeta

>
> Regards,
> Mohammad
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 30 May 2017 21:06
> To: users@tomcat.apache.org
> Subject: Re: Security Headers Implementation in Tomcat 6.x version
>
>
> Mohammad,
>
> On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> > Thanks for the valuable input, that helps!! We shall go with getting
> > the source package of Tomcat 7, put them in Tomcat 6 and use the
> > filters of Tomcat 7 in Tomcat 6.
> >
> > Can you please let me know from where I can get/download the source
> > package of Tomcat 7? Also can you please share the location of the
> > source package in Tomcat 6 so that we can replace it with the one from
> > Tomcat 7?
>
> The source download for Tomcat 7 is in the same place all the other
> downloads are.
>
> You will not need the source for Tomcat 6, nor will you need to build the
> complete source-to-binary for Tomcat 7. Just grab the source, take the
> classes you need, and compile them against the servlet JAR you already have
> for Tomcat 6. Feel free to re-name the packages if they are awkward for you
> to compile/install and then just reference the new class names in your
> application/server.
>
> Remember to watch for patches to those source files in Tomcat 7 in case
> they include e.g. security updates -- you'll want to apply those same
> updates to the code you have taken from Tomcat 7.
>
> A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is
> backward-compatible with all spec-compliant applications, though it does
> behave differently sometimes as the Servlet Experts Group has clarified
> certain questions or added new capabilities (like annotation-processing). I
> recommend a long period of testing with a new version of Tomcat, but I also
> recommend that you begin that testing as soon as possible. Tomcat 6 will
> probably receive *no further updates, security or otherwise*, even if a
> vulnerability is found.
>
> -chris
>
> > -Original Message-
> > From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> > Sent: 29 May 2017 20:57
> > To: users@tomcat.apache.org
> > Subject: Re: Security Headers Implementation in Tomcat 6.x version
> >
> > Mohammad,
> >
> > On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> >> Based on your inputs, we are thinking to put Apache httpd in front of
> >> Tomcat 6 server, since our header configuration is going to be
> >> static.
> >
> > This might not be a bad idea for a number of reasons, but it is by no
> > means required.
> >
> > You can download the Tomcat 7 source package and use the security
> > filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> > actually requires Tomcat 7 to run.
> >
> >> Can you please help us in identifying which version of Apache HTTP
> >> Server we can use for Tomcat 6 version? Also, it will be great if you
> >> can share some guidelines on how to implement Apache in front of
> >> Tomcat.
> > All supported versions of Apache web server work with all supported
> > versions of Tomcat (as well as Tomcat 6). You have several choices for
> > how to connect them together, but the most straightforward is to use
> > mod_proxy_http from httpd to Tomcat.
> > Tomcat behaves exactly as it did before and requires no additional
> > configuration unless you are moving TLS termination from Tomcat to
> > httpd. If that's the case, there are many guides on the web as well as
> > on Tomcat's Presentations Page[2] that document how to do that.
> >
> > Hope that helps, -chris
> >
> > [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2]
> > http://tomcat.apache.org/presentations.html
> >

Re: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Violeta Georgieva
Hi,

2017-05-31 13:34 GMT+03:00 Shaik, Mohammad N. <mohammad.n.sh...@accenture.com>:
>
> Hi Chris,
>
> I got the source files (.java) of the filter classes that I was looking
> for.
>
> Should we compile the source file against the servlet jar file(s) present
> in "[Tomcat]\lib\"

Yes.
Compile them against the jar files located in Tomcat/lib.
The servlet API classes will be loaded from Tomcat/lib a.k.a. common
loader. More you can find here:

http://tomcat.apache.org/tomcat-6.0-doc/class-loader-howto.html#Class_Loader_Definitions
- Common — This class loader contains additional classes that are made
visible to both Tomcat internal classes and to all web applications.
- WebappX — A class loader is created for each web application that is
deployed in a single Tomcat instance.


> or "[Tomcat]\webapps\ApplicationName\WEB-INF\lib"? I see there are
> multiple JAR files in both these locations. How to locate the exact JAR
> file which should be used to compile source files?
>
> My understanding is that as long as you have your code (.class files) in
> any of the JAR files under "lib" folder, system would get it. You don’t
> need to have specific code in specific JAR file. Code from all the jar
> files under lib folder is considered as one big code, and based on the
> class invoked its corresponding code gets executed from that one big code.
> Please correct me if this is not right.
>
> Also, should we include the filters in web.xml file under
> "[Tomcat]\conf\" folder or under "WEB-INF" folder of my application?

The web.xml located in Tomcat/conf is the "global" one. The configurations
there will be applied to every web application deployed on the Tomcat
instance. So if you need to apply this filter to all web apps then place
the definition and configurations there. Otherwise you can provide the
filter definition and configurations in the WEB-INF/web.xml for a
particular web app.

Regards,
Violeta

>
>
> Regards,
> Mohammad
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 30 May 2017 21:06
> To: users@tomcat.apache.org
> Subject: Re: Security Headers Implementation in Tomcat 6.x version
>
>
> Mohammad,
>
> On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> > Thanks for the valuable input, that helps!! We shall go with getting
> > the source package of Tomcat 7, put them in Tomcat 6 and use the
> > filters of Tomcat 7 in Tomcat 6.
> >
> > Can you please let me know from where I can get/download the source
> > package of Tomcat 7? Also can you please share the location of the
> > source package in Tomcat 6 so that we can replace it with the one from
> > Tomcat 7?
>
> The source download for Tomcat 7 is in the same place all the other
> downloads are.
>
> You will not need the source for Tomcat 6, nor will you need to build the
> complete source-to-binary for Tomcat 7. Just grab the source, take the
> classes you need, and compile them against the servlet JAR you already have
> for Tomcat 6. Feel free to re-name the packages if they are awkward for you
> to compile/install and then just reference the new class names in your
> application/server.
>
> Remember to watch for patches to those source files in Tomcat 7 in case
> they include e.g. security updates -- you'll want to apply those same
> updates to the code you have taken from Tomcat 7.
>
> A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is
> backward-compatible with all spec-compliant applications, though it does
> behave differently sometimes as the Servlet Experts Group has clarified
> certain questions or added new capabilities (like annotation-processing). I
> recommend a long period of testing with a new version of Tomcat, but I also
> recommend that you begin that testing as soon as possible. Tomcat 6 will
> probably receive *no further updates, security or otherwise*, even if a
> vulnerability is found.
>
> -chris
>
> > -Original Message-
> > From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> > Sent: 29 May 2017 20:57
> > To: users@tomcat.apache.org
> > Subject: Re: Security Headers Implementation in Tomcat 6.x version
> >
> > Mohammad,
> >
> > On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> >> Based on your inputs, we are thinking to put Apache httpd in front of
> >> Tomcat 6 server, since our header configuration is going to be
> >> static.
> >
> > This might not be a bad idea for a number of reasons, but it is by no
> > means required.
> >
> > You can download the Tomcat 7 source package and use the security
> > filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> > actually requires Tomcat

RE: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Shaik, Mohammad N.
Hi Chris,

Can I simply use the JAR files from Tomcat 7 that contain executable code of 
filter classes (security headers), and put them into corresponding location in 
Tomcat 6?

Regards,
Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 30 May 2017 21:06
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mohammad,

On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> Thanks for the valuable input, that helps!! We shall go with getting
> the source package of Tomcat 7, put them in Tomcat 6 and use the
> filters of Tomcat 7 in Tomcat 6.
>
> Can you please let me know from where I can get/download the source
> package of Tomcat 7? Also can you please share the location of the
> source package in Tomcat 6 so that we can replace it with the one from
> Tomcat 7?

The source download for Tomcat 7 is in the same place all the other downloads 
are.

You will not need the source for Tomcat 6, nor will you need to build the 
complete source-to-binary for Tomcat 7. Just grab the source, take the classes 
you need, and compile them against the servlet JAR you already have for Tomcat 
6. Feel free to re-name the packages if they are awkward for you to 
compile/install and then just reference the new class names in your 
application/server.

Remember to watch for patches to those source files in Tomcat 7 in case they 
include e.g. security updates -- you'll want to apply those same updates to the 
code you have taken from Tomcat 7.

A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is 
backward-compatible with all spec-compliant applications, though it does behave 
differently sometimes as the Servlet Experts Group has clarified certain 
questions or added new capabilities (like annotation-processing). I recommend a 
long period of testing with a new version of Tomcat, but I also recommend that 
you begin that testing as soon as possible. Tomcat 6 will probably receive *no 
further updates, security or otherwise*, even if a vulnerability is found.

- -chris

> -Original Message- From: Christopher Schultz
> [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To:
> users@tomcat.apache.org Subject: Re: Security Headers Implementation
> in Tomcat 6.x version
>
> Mohammad,
>
> On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
>> Based on your inputs, we are thinking to put Apache httpd in front of
>> Tomcat 6 server, since our header configuration is going to be
>> static.
>
> This might not be a bad idea for a number of reasons, but it is by no
> means required.
>
> You can download the Tomcat 7 source package and use the security
> filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> actually requires Tomcat 7 to run.
>
>> Can you please help us in identifying which version of Apache HTTP
>> Server we can use for Tomcat 6 version? Also, it will be great if you
>> can share some guidelines on how to implement Apache in front of
>> Tomcat.
> All supported versions of Apache web server work with all supported
> versions of Tomcat (as well as Tomcat 6). You have several choices for
> how to connect them together, but the most straightforward is to use
> mod_proxy_http from httpd to Tomcat.
> Tomcat behaves exactly as it did before and requires no additional
> configuration unless you are moving TLS termination from Tomcat to
> httpd. If that's the case, there are many guides on the web as well as
> on Tomcat's Presentations Page[2] that document how to do that.
>
> Hope that helps, -chris
>
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2]
> http://tomcat.apache.org/presentations.html
>
> -
>
>
>
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
> 
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If you
> have received it in error, please notify the sender immediately and
> delete the original. Any other use of the e-mail by you is prohibited.
> Where allowed by local law, electronic communications with Accenture
> and its affiliates, including e-mail and instant messaging (including
> content), may be scanned by our systems for the purposes of
> information security and assessment of internal compliance with
> Accenture policy.
> __

>
>
>
www.accenture.com
>

RE: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Shaik, Mohammad N.
Hi Chris,

I got the source files (.java) of the filter classes that I was looking for.

Should we compile the source file against the servlet jar file(s) present in 
"[Tomcat]\lib\" or "[Tomcat]\webapps\ApplicationName\WEB-INF\lib"? I see there 
are multiple JAR files in both these locations. How to locate the exact JAR 
file which should be used to compile source files?

My understanding is that as long as you have your code (.class files) in any of 
the JAR files under "lib" folder, system would get it. You don’t need to have 
specific code in specific JAR file. Code from all the jar files under lib 
folder is considered as one big code, and based on the class invoked its 
corresponding code gets executed from that one big code. Please correct me if 
this is not right.

Also, should we include the filters in web.xml file under "[Tomcat]\conf\" 
folder or under "WEB-INF" folder of my application?


Regards,
Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 30 May 2017 21:06
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mohammad,

On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> Thanks for the valuable input, that helps!! We shall go with getting
> the source package of Tomcat 7, put them in Tomcat 6 and use the
> filters of Tomcat 7 in Tomcat 6.
>
> Can you please let me know from where I can get/download the source
> package of Tomcat 7? Also can you please share the location of the
> source package in Tomcat 6 so that we can replace it with the one from
> Tomcat 7?

The source download for Tomcat 7 is in the same place all the other downloads 
are.

You will not need the source for Tomcat 6, nor will you need to build the 
complete source-to-binary for Tomcat 7. Just grab the source, take the classes 
you need, and compile them against the servlet JAR you already have for Tomcat 
6. Feel free to re-name the packages if they are awkward for you to 
compile/install and then just reference the new class names in your 
application/server.

Remember to watch for patches to those source files in Tomcat 7 in case they 
include e.g. security updates -- you'll want to apply those same updates to the 
code you have taken from Tomcat 7.

A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is 
backward-compatible with all spec-compliant applications, though it does behave 
differently sometimes as the Servlet Experts Group has clarified certain 
questions or added new capabilities (like annotation-processing). I recommend a 
long period of testing with a new version of Tomcat, but I also recommend that 
you begin that testing as soon as possible. Tomcat 6 will probably receive *no 
further updates, security or otherwise*, even if a vulnerability is found.

- -chris

> -Original Message- From: Christopher Schultz
> [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To:
> users@tomcat.apache.org Subject: Re: Security Headers Implementation
> in Tomcat 6.x version
>
> Mohammad,
>
> On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
>> Based on your inputs, we are thinking to put Apache httpd in front of
>> Tomcat 6 server, since our header configuration is going to be
>> static.
>
> This might not be a bad idea for a number of reasons, but it is by no
> means required.
>
> You can download the Tomcat 7 source package and use the security
> filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> actually requires Tomcat 7 to run.
>
>> Can you please help us in identifying which version of Apache HTTP
>> Server we can use for Tomcat 6 version? Also, it will be great if you
>> can share some guidelines on how to implement Apache in front of
>> Tomcat.
> All supported versions of Apache web server work with all supported
> versions of Tomcat (as well as Tomcat 6). You have several choices for
> how to connect them together, but the most straightforward is to use
> mod_proxy_http from httpd to Tomcat.
> Tomcat behaves exactly as it did before and requires no additional
> configuration unless you are moving TLS termination from Tomcat to
> httpd. If that's the case, there are many guides on the web as well as
> on Tomcat's Presentations Page[2] that document how to do that.
>
> Hope that helps, -chris
>
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2]
> http://tomcat.apache.org/presentations.html
>

Re: Security Headers Implementation in Tomcat 6.x version

2017-05-30 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mohammad,

On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> Thanks for the valuable input, that helps!! We shall go with
> getting the source package of Tomcat 7, put them in Tomcat 6 and
> use the filters of Tomcat 7 in Tomcat 6.
> 
> Can you please let me know from where I can get/download the
> source package of Tomcat 7? Also can you please share the location
> of the source package in Tomcat 6 so that we can replace it with
> the one from Tomcat 7?

The source download for Tomcat 7 is in the same place all the other
downloads are.

You will not need the source for Tomcat 6, nor will you need to build
the complete source-to-binary for Tomcat 7. Just grab the source, take
the classes you need, and compile them against the servlet JAR you
already have for Tomcat 6. Feel free to re-name the packages if they
are awkward for you to compile/install and then just reference the new
class names in your application/server.

Remember to watch for patches to those source files in Tomcat 7 in
case they include e.g. security updates -- you'll want to apply those
same updates to the code you have taken from Tomcat 7.

A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is
backward-compatible with all spec-compliant applications, though it
does behave differently sometimes as the Servlet Experts Group has
clarified certain questions or added new capabilities (like
annotation-processing). I recommend a long period of testing with a
new version of Tomcat, but I also recommend that you begin that
testing as soon as possible. Tomcat 6 will probably receive *no
further updates, security or otherwise*, even if a vulnerability is found.

- -chris

> -Original Message- From: Christopher Schultz 
> [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To: 
> users@tomcat.apache.org Subject: Re: Security Headers
> Implementation in Tomcat 6.x version
> 
> Mohammad,
> 
> On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
>> Based on your inputs, we are thinking to put Apache httpd in
>> front of Tomcat 6 server, since our header configuration is going
>> to be static.
> 
> This might not be a bad idea for a number of reasons, but it is by
> no means required.
> 
> You can download the Tomcat 7 source package and use the security 
> filters from Tomcat 7[1] in Tomcat 6: there is nothing in there
> that actually requires Tomcat 7 to run.
> 
>> Can you please help us in identifying which version of Apache
>> HTTP Server we can use for Tomcat 6 version? Also, it will be
>> great if you can share some guidelines on how to implement Apache
>> in front of Tomcat.
> All supported versions of Apache web server work with all
> supported versions of Tomcat (as well as Tomcat 6). You have
> several choices for how to connect them together, but the most
> straightforward is to use mod_proxy_http from httpd to Tomcat.
> Tomcat behaves exactly as it did before and requires no additional
> configuration unless you are moving TLS termination from Tomcat to
> httpd. If that's the case, there are many guides on the web as well
> as on Tomcat's Presentations Page[2] that document how to do that.
> 
> Hope that helps, -chris
> 
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2] 
> http://tomcat.apache.org/presentations.html
> 

RE: Security Headers Implementation in Tomcat 6.x version

2017-05-30 Thread Shaik, Mohammad N.
Hello Chris,

Thanks for the valuable input, that helps!! We shall go with getting the source 
package of Tomcat 7, put them in Tomcat 6 and use the filters of Tomcat 7 in 
Tomcat 6.

Can you please let me know from where I can get/download the source package of 
Tomcat 7? Also can you please share the location of the source package in 
Tomcat 6 so that we can replace it with the one from Tomcat 7?


Regards,
Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 29 May 2017 20:57
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mohammad,

On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> Based on your inputs, we are thinking to put Apache httpd in front of
> Tomcat 6 server, since our header configuration is going to be static.

This might not be a bad idea for a number of reasons, but it is by no means 
required.

You can download the Tomcat 7 source package and use the security filters from 
Tomcat 7[1] in Tomcat 6: there is nothing in there that actually requires 
Tomcat 7 to run.

> Can you please help us in identifying which version of Apache HTTP
> Server we can use for Tomcat 6 version? Also, it will be great if you
> can share some guidelines on how to implement Apache in front of
> Tomcat.
All supported versions of Apache web server work with all supported versions of 
Tomcat (as well as Tomcat 6). You have several choices for how to connect them 
together, but the most straightforward is to use mod_proxy_http from httpd to 
Tomcat. Tomcat behaves exactly as it did before and requires no additional 
configuration unless you are moving TLS termination from Tomcat to httpd. If 
that's the case, there are many guides on the web as well as on Tomcat's 
Presentations Page[2] that document how to do that.

Hope that helps,
- -chris

[1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
[2] http://tomcat.apache.org/presentations.html



Re: Security Headers Implementation in Tomcat 6.x version

2017-05-29 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mohammad,

On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> Based on your inputs, we are thinking to put Apache httpd in front 
> of Tomcat 6 server, since our header configuration is going to be
> static.

This might not be a bad idea for a number of reasons, but it is by no
means required.

You can download the Tomcat 7 source package and use the security
filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
actually requires Tomcat 7 to run.

> Can you please help us in identifying which version of Apache HTTP 
> Server we can use for Tomcat 6 version? Also, it will be great if
> you can share some guidelines on how to implement Apache in front
> of Tomcat.
All supported versions of Apache web server work with all supported
versions of Tomcat (as well as Tomcat 6). You have several choices for
how to connect them together, but the most straightforward is to use
mod_proxy_http from httpd to Tomcat. Tomcat behaves exactly as it did
before and requires no additional configuration unless you are moving
TLS termination from Tomcat to httpd. If that's the case, there are
many guides on the web as well as on Tomcat's Presentations Page[2]
that document how to do that.

Hope that helps,
- -chris

[1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
[2] http://tomcat.apache.org/presentations.html



RE: Security Headers Implementation in Tomcat 6.x version

2017-05-29 Thread Shaik, Mohammad N.
Hello Olaf,

Thanks for your response!

Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 6 
server, since our header configuration is going to be static.

Can you please help us in identifying which version of Apache HTTP Server we 
can use for Tomcat 6 version? Also, it will be great if you can share some 
guidelines on how to implement Apache in front of Tomcat.


Regards,
Mohammad Nayeem

-Original Message-
From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: 29 May 2017 13:53
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version


Am 29.05.2017 um 07:59 schrieb Shaik, Mohammad N.:
> We are using Tomcat 6.x version and we need to implement the following 
> headers in our environment.
>
> Headers:
> 1) Strict-Transport-Security
> 2) Content-Security-Policy
> 
> 7) X-Robots-Tag
>
> When I checked the Tomcat 6 version webpage 
> (https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see 
> any filters that implement any of these headers. Some of them are available in 
> Tomcat 7 version webpage 
> (https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot 
> upgrade to Tomcat 7.x version due to some constraints.
>
> Can you kindly guide me how to implement these headers in Tomcat 6.x version. 
> All your comments on this topic are welcome.
As tomcat 6 is solid out of service for almost half a year already (see 
http://tomcat.apache.org/tomcat-60-eol.html), you're between a rock and a hard 
place: Invest in a platform that's a potential security threat (it won't get 
any more updates) or invest in an upgrade.

That out of the way, for most cases, just have an Apache httpd in front of 
tomcat and use its magic to tag most of your headers. For many it will be 
static configuration. If there's anything dynamic that you need, implement a 
servlet filter that just does the job. Hardcode it - you don't need a lot of 
configuration if you come up with a solution that's just used within your 
premises.

If you have multiple web applications that all need the same filter, deploy the 
filter on all of them.

Olaf




Re: Security Headers Implementation in Tomcat 6.x version

2017-05-29 Thread Olaf Kock

Am 29.05.2017 um 07:59 schrieb Shaik, Mohammad N.:
> We are using Tomcat 6.x version and we need to implement the following 
> headers in our environment.
>
> Headers:
> 1) Strict-Transport-Security
> 2) Content-Security-Policy
> 
> 7) X-Robots-Tag
>
> When I checked the Tomcat 6 version webpage 
> (https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see 
> any filters that implement any of these headers. Some of them are available in 
> Tomcat 7 version webpage 
> (https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot 
> upgrade to Tomcat 7.x version due to some constraints.
>
> Can you kindly guide me how to implement these headers in Tomcat 6.x version. 
> All your comments on this topic are welcome.
As tomcat 6 is solid out of service for almost half a year already (see
http://tomcat.apache.org/tomcat-60-eol.html), you're between a rock and
a hard place: Invest in a platform that's a potential security threat
(it won't get any more updates) or invest in an upgrade.

That out of the way, for most cases, just have an Apache httpd in front
of tomcat and use its magic to tag most of your headers. For many it
will be static configuration. If there's anything dynamic that you need,
implement a servlet filter that just does the job. Hardcode it - you
don't need a lot of configuration if you come up with a solution that's
just used within your premises.

If you have multiple web applications that all need the same filter,
deploy the filter on all of them.

Olaf

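A hardcoded servlet filter of the kind Olaf describes above, written against the Servlet 2.5 API (javax.servlet) that Tomcat 6 ships, as an added example that is not part of this thread and is not Tomcat's own HttpHeaderSecurityFilter. The package and class name, the header values and the web.xml mapping in the comment are assumptions; the three header names are the ones listed in Mohammad's question, and the values shown are placeholders to be replaced with a policy that suits the application.

```java
package example.headers; // assumed package name, not from the thread

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds a fixed set of security response headers to every response.
 * Uses only the Servlet 2.5 API, so it compiles against Tomcat 6's
 * lib/servlet-api.jar and needs nothing from Tomcat 7.
 *
 * Register it in each application's WEB-INF/web.xml (assumed mapping);
 * as Olaf says, deploy it on every web application that needs it:
 *
 *   <filter>
 *     <filter-name>securityHeaders</filter-name>
 *     <filter-class>example.headers.SecurityHeadersFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>securityHeaders</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class SecurityHeadersFilter implements Filter {

    // Placeholder policy values (assumptions): replace with a policy that
    // fits the application before deploying.
    private static final String CSP_VALUE =
        "default-src 'self'; frame-ancestors 'none'";
    private static final String ROBOTS_VALUE = "noindex, nofollow";
    // One year; includeSubDomains is a deliberate choice that affects every
    // host under the domain, so confirm they all serve TLS first.
    private static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure: the values are hardcoded on purpose.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            applyHeaders((HttpServletRequest) req, (HttpServletResponse) res);
        }
        // Headers go in before the servlet runs: anything set after the
        // response is committed (first flush) is silently dropped.
        chain.doFilter(req, res);
    }

    /** Sets the headers; separated out so it can be exercised without a container. */
    static void applyHeaders(HttpServletRequest req, HttpServletResponse res) {
        // A servlet or JSP that already set a page-specific CSP keeps it;
        // every other response gets the site-wide default.
        if (!res.containsHeader("Content-Security-Policy")) {
            res.setHeader("Content-Security-Policy", CSP_VALUE);
        }
        // setHeader replaces any value the application set, so this one
        // is always enforced.
        res.setHeader("X-Robots-Tag", ROBOTS_VALUE);

        // Browsers ignore Strict-Transport-Security received over plain HTTP,
        // so emit it only on secure requests. When TLS is terminated in httpd
        // in front of Tomcat, isSecure() is false unless Tomcat is told about
        // the proxy (the connector's secure="true" attribute, or RemoteIpValve
        // reading X-Forwarded-Proto); otherwise HSTS is never sent.
        if (req.isSecure()) {
            res.setHeader("Strict-Transport-Security", HSTS_VALUE);
        }
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Because the class depends on nothing in Tomcat, the same JAR under WEB-INF/lib keeps working unchanged after the upgrade to Tomcat 8 or 8.5 that Chris recommends as the longer-term goal; the only part to revisit is the isSecure() behaviour if TLS termination moves to httpd.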