You seem to be responding on the wrong thread, but here are some answers anyway
(will save Christopher some typing)
On 02.11.2017 13:55, Cheltenham, Chris wrote:
Mr. Shultz,
I really appreciate your detailed answers.
Helps me out a lot.
I am now thinking big picture because my application does not require APR..
May I ask this , what exactly does APR give me for apache-tomcat?
APR stands for "Apache Portable Run-time".
Here is one explanation :
It is a software library, containing a series of functions which are often used by Apache
Foundation programs of all kinds (not only tomcat), particularly in what regards network
interfaces and protocols.
The people who make this APR, make sure that it is available for many platforms (Windows,
Liux etc.), and that it is really optimised for each of these different platforms.
To access the network, tomcat can do it in 2 different ways :
1) by using standard Java functions, which always work, but are not particularly optimised
for any platform
or
2) if APR is available, then tomcat can use instead, some calls which exist in the APR
library, and which may be more optimised fo the current platform on which it is running
When tomcat starts, it will check if APR is available. If yes, tomcat will use it, because
it is probably a bit faster than the Java alternative.
If APR is not available, tomcat will use the standard Java functions, which are maybe a
bit slower.
And just to let you know that, it will print a friendly message to the log, to let you
know that maybe this is not the most optimal solution, in terms of ultimate tomcat
performance. But this is just an informational message, and you can decide to ignore it,
and run tomcat anyway without APR (which many people do, and most of the time they will
not notice the difference).
There is a secondary effect which needs to be considered when using SSL (HTTPS)
:
When tomcat finds and uses APR, it uses APR functions to access SSL sockets. And these APR
functions rely on the underlying presence of SSL libraries provided by another package,
named OpenSSL. These OpenSSL libraries require a particular format for the SSL keys and
key stores.
When tomcat does not find APR, it will use the builtin Java functions for SSL. And these
builtin functions require another format for the SSL keys and key stores.
So the parameters used in the <Connector> elements are a bit different in each
case.
This is well explained in the tomcat on-line documentation.
I am thinking to scrap the whole APR install.
The reason I am trying to install it is because of my anal need to have
clean logs.
I won't even try to interpret this..
I can’t stand any messages suggesting or recommending that I do this or
that.
They are just friendly messages, like the Amazon "other readers who have purchased this
book, have also liked this : ... "
I have always tried to accommodate those recommendations.
Ah, ok. I thought you could not stand them ?
However, in this case it may be the best to ignore the catalane log message
saying that I should install APR.
catalane ? that's been quite a bit in the news lately. But we're quite apolitical here,
and so is tomcat usually.
===========================
Thank You;
Chris Cheltenham
Technology Services
The School District of Philadelphia
Work # 215-400-5025
Cell # 215-301-6571
-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, November 1, 2017 4:04 PM
To: users@tomcat.apache.org
Subject: Re: security headers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Alejandro,
On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
Hello,
I recently used on web.xml
<filter> <filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</fi
lter-class>
<async-supported>true</async-supported> </filter>
<filter-mapping> <filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern> </filter-mapping>
to enable some security headers, but it won't enable Content Security
Policy header. Is there anyway to enable Content Security Policy at
top server level???
What were you expecting that Filter to generate for you? A header which
disables everything? Not terribly useful.
My recommendation would be to use something like url-rewrite[1] to add
headers to every outgoing response. url-rewrite has very similar
capabilities to httpd's mod_headers (and much more, of course).
- -chris
[1] http://tuckey.org/urlrewrite/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAln6KJkACgkQHPApP6U8
pFjuWRAAilRKahVEge71VBJrhragUyZuKR/uqEwfwpYj9Zq5DzI3I0JT6jwD8kwE
//iuxBgDroVH/Xedn9oiMen9u1wSpf4p4fCQY0xcP99l6QnlgReimEM7Aoi24hTc
WFgYlA2DVsKvmU0qjaI8HQoBrN+n8A+4Qhxu4fj5knNT1Sk1KppYDl/l6bkaI3Lc
oPAvbYJbR2OV9SwCBoKFNjEPZwK9kTZhAr74gbErS/OZHcQAynZjHPcYl4+2K6Uj
98T3VKu6NIif5g3ry6TA9YYe5Dn3DyqBkY6wlAI91gRn7KjESDcJPcCiYglYDHqP
37ZdcP6LPmySFlBaug5E9811lyKIHnkpv/0OTaFM3AH0sulazBvLu38Ea5yeZQFC
CofoYTMAY8KAlfwzKn+3RhTTQA8lmKHF/dVxQBRqP3vbN/+KU1KzqZmn2Q6KoYH+
Lf+gMJjeLE/0/8X9CnTaFPkmg7VbYgGmhGzgFkD85YTswT962L8M5evG1xdHaNiM
ZZDEeYLWC/Cjdqvht3zQ0gvmI35pI1q2K/fnYb+mrV0eIi/rcosz99GQVpTTqS58
wCtIAKLChLuxuWoGp0+1+sI0ugwn9RmsIft34QBM1Us/FxGYc0Ou5VpBHE0JeYG8
G8RjZ+9eonM5ScwPrAZKZ7pd6qfCHY24/OvK6vT4HbRdqJbvWT8=
=j1H+
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
