Jasvant,

On 1/28/22 08:28, Jasvant Singh wrote:
  Hi,

I am trying to set up HttpHeaderSecurityFilter to enhance the security
of my website.
The filter is defined in $TOMCAT_HOME/conf/web.xml as follows:
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>ALLOW-FROM</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingUri</param-name>
            <param-value></param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

My app's directory has a web.xml file which contains the following setting:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>TilesComponents</web-resource-name>
            <description>Tiles components</description>
            <url-pattern>/tiles/*</url-pattern>
            <url-pattern>/tiles/common/*</url-pattern>
            <url-pattern>/layouts/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>inaccessible</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

The HttpHeaderSecurityFilter works for all URLs except the patterns provided
in the <security-constraint> setting. Following is the output of the curl command.
You can see that HttpHeaderSecurityFilter's headers are missing. These
headers are applied on all other URLs but do not work for this URL.

$curl -v https://myhost.mydomain.com/myapp/layouts/
* About to connect() to myhost.mydomain.com port 443 (#0)
*   Trying 127.0.0.1...
* Connected to myhost.mydomain.com (127.0.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
   CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=*.mydomain.com
* start date: Dec 01 14:08:27 2021 GMT
* expire date: Jan 01 14:08:27 2023 GMT
* common name: *.mydomain.com
* issuer: CN=SSL.com RSA SSL subCA,O=SSL Corporation,L=Houston,ST=Texas,C=US
GET /myapp/layouts/ HTTP/1.1
User-Agent: curl/7.29.0
Host: myhost.mydomain.com
Accept: */*

< HTTP/1.1 403 403
< Date: Fri, 28 Jan 2022 13:18:03 GMT
< Server: Apache
< Cache-Control: private
< Content-Language: en
< Content-Length: 431
< Connection: close
< Content-Type: text/html;charset=utf-8
<
* Closing connection 0
<!doctype html><html lang="en"><head><title>HTTP Status 403 –
Forbidden</title><style type="text/css">body
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;}
.line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 403 – Forbidden</h1></body></html>

Any help is really appreciated.

The response you are getting is a 403, which is likely generated before any of your filters are run. The Authenticator is run as a Valve, all of which run before any Filters run.

-chris
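Since a 403 produced by the Authenticator valve never reaches the filter chain, the practical check is to verify the expected headers on every response, error responses included. The script below is an added example, not code from the thread or from Tomcat: it parses raw HTTP responses (the constructed samples mirror a filtered 200 and the 403 shown above) and reports which URLs lack the headers that hstsEnabled and antiClickJackingEnabled are meant to add.

```python
"""Audit raw HTTP responses for the headers HttpHeaderSecurityFilter is
expected to add, so responses generated before the filter chain (such as
Tomcat's Authenticator 403) are caught. Feed it responses captured with
`curl -i`; the samples at the bottom are constructed for offline use."""
from typing import Dict, List, Tuple

# Headers implied by hstsEnabled / antiClickJackingEnabled in conf/web.xml.
REQUIRED_HEADERS = ("Strict-Transport-Security", "X-Frame-Options")


def parse_raw_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, headers) from a raw HTTP/1.1 response.
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])   # "HTTP/1.1 403 403" -> 403
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def missing_headers(headers: Dict[str, str],
                    required=REQUIRED_HEADERS) -> List[str]:
    """Names from `required` that are absent from a parsed header map."""
    return [h for h in required if h.lower() not in headers]


def audit(responses: Dict[str, str]) -> Dict[str, Tuple[int, List[str]]]:
    """Map each URL to (status, missing headers); only gaps are reported."""
    findings: Dict[str, Tuple[int, List[str]]] = {}
    for url, raw in responses.items():
        status, headers = parse_raw_response(raw)
        gaps = missing_headers(headers)
        if gaps:
            findings[url] = (status, gaps)
    return findings


# Constructed samples: one page served through the filter chain, and a 403
# like the one in the thread, emitted by the Authenticator before any filter.
SAMPLE_RESPONSES = {
    "https://myhost.mydomain.com/myapp/": (
        "HTTP/1.1 200 \r\nStrict-Transport-Security: max-age=31536000\r\n"
        "X-Frame-Options: DENY\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"),
    "https://myhost.mydomain.com/myapp/layouts/": (
        "HTTP/1.1 403 403\r\nServer: Apache\r\n"
        "Content-Type: text/html;charset=utf-8\r\n\r\n"),
}

if __name__ == "__main__":
    for url, (status, gaps) in audit(SAMPLE_RESPONSES).items():
        print(f"{status} {url}: missing {', '.join(gaps)}")
```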

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
