Posted to users@tomcat.apache.org by Olivier Jaquemet <ol...@jalios.com> on 2019/12/16 11:08:53 UTC

Hide a request header to application

Hello all,

I would like to systematically hide a request header from web applications 
hosted by Tomcat.

- If Apache HTTPD is used in front of Tomcat, you can use the 
RequestHeader directive [0]:
    RequestHeader unset Some-Header-Name

- If NGINX is used in front of Tomcat, you can use the proxy_set_header 
directive [1]:
    proxy_set_header Some-Header-Name "";

- Is there any way to apply a similar configuration (no development [2]) 
to Apache Tomcat when there is no front server?
I could not find any built-in valve/filter that would allow such 
filtering. I don't think there is any, but I wanted to make sure I had 
not missed something.

Olivier

[0] https://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader
[1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
[2] I know it is possible to develop a quite simple custom ServletFilter 
to wrap the request with a custom HttpServletRequest wrapper, but I'm 
looking for a zero development possibility. For those of you reading 
this discussion later and looking for a development solution, you can 
find inspiration in the following github repo that you can adapt to 
handle removal https://github.com/lonelyplanet/tomcat-request-header-filter

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Hide a request header to application

Posted by Olivier Jaquemet <ol...@jalios.com>.
On 16/12/2019 16:06, Christopher Schultz wrote:

>> Hello all,
>>
>> I would like to systematically hide a request header to web
>> applications hosted by Tomcat.
>>
>> [...]
> I took a look at Tomcat's rewrite valve[1] and also at the venerable
> url-rewrite[2] and I didn't see any options for munging headers. I
> could have sworn someone wrote a mod_headers port for Tomcat and/or
> any container, but I guess not.
>
> I think this one would indeed require some (light) development work to
> make it work in the container and not in, say, a proxy.
>
> -chris
>
> [1] https://tomcat.apache.org/tomcat-9.0-doc/rewrite.html
> [2] https://tuckey.org/urlrewrite/

Thank you Christopher for your research and pointers.
I also thought there would have been some port :/
Anyway I appreciate the time you took to look into this, thanks again.



Re: Hide a request header to application

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Olivier,

On 12/16/19 06:08, Olivier Jaquemet wrote:
> Hello all,
> 
> I would like to systematically hide a request header to web
> applications hosted by Tomcat.
> 
> - If Apache HTTPD is used in front of Tomcat, you can use the
> RequestHeader directive [0]:
>     RequestHeader unset Some-Header-Name
> 
> - If NGINX is used in front of Tomcat, you can use the
> proxy_set_header directive [1]:
>     proxy_set_header Some-Header-Name "";
> 
> - Is there any way to apply a similar configuration (no development
> [2]) to Apache Tomcat when there is no front server ? I could not
> find any built-in valve/filter that would allow such filtering. I
> don't think there is any, but I wanted to make sure I had not
> missed something.

I took a look at Tomcat's rewrite valve[1] and also at the venerable
url-rewrite[2] and I didn't see any options for munging headers. I
could have sworn someone wrote a mod_headers port for Tomcat and/or
any container, but I guess not.

I think this one would indeed require some (light) development work to
make it work in the container and not in, say, a proxy.

-chris

[1] https://tomcat.apache.org/tomcat-9.0-doc/rewrite.html
[2] https://tuckey.org/urlrewrite/



Re: Hide a request header to application

Posted by Olivier Jaquemet <ol...@jalios.com>.
On 16/12/2019 12:25, M. Manna wrote:
>> I would like to systematically hide a request header to web applications
>> hosted by Tomcat.
> "Blanking" or "Unsetting" a header is not the same as "Hiding". By
> hiding, you are essentially asking for the Header to be available under
> certain elevated privilege or conditions. Unless, you meant Unsetting the
> value or removing the header (not "Hiding")?

Hello M. Manna.

I meant Unsetting.

>> [... snip]
>>
>> - Is there any way to apply a similar configuration (no development [2])
>> to Apache Tomcat when there is no front server ?
>> I could not find any built-in valve/filter that would allow such
>> filtering. I don't think there is any, but I wanted to make sure I had
>> not missed something.
>>
> Not to my knowledge. But I don't see why you cannot implement your own
> Valve. Of course, any suggestion is welcome unless someone else has any
> other suggestions?

"I don't see why you cannot implement your own": Because as stated in my 
original post, I am explicitly looking for a solution which does not 
require any development.

Thank you for your answer though.

>> [...]
>> [2] I know it is possible to develop a quite simple custom ServletFilter
>> to wrap the request with a custom HttpServletRequest wrapper, but I'm
>> looking for a zero development possibility. For those of your reading
>> this discussion later and looking for a development solution, you can
>> find inspiration in the following github repo that you can adapt to
>> handle removal
>> https://github.com/lonelyplanet/tomcat-request-header-filter



Re: Hide a request header to application

Posted by "M. Manna" <ma...@gmail.com>.
Olivier,

On Mon, 16 Dec 2019 at 11:09, Olivier Jaquemet <ol...@jalios.com>
wrote:

> Hello all,
>
> I would like to systematically hide a request header to web applications
> hosted by Tomcat.
>

"Blanking" or "Unsetting" a header is not the same as "Hiding". By
hiding, you are essentially asking for the Header to be available under
certain elevated privilege or conditions. Unless, you meant Unsetting the
value or removing the header (not "Hiding")?

> - If Apache HTTPD is used in front of Tomcat, you can use the
> RequestHeader directive [0]:
>     RequestHeader unset Some-Header-Name
>
> - If NGINX is used in front of Tomcat, you can use the proxy_set_header
> directive [1]:
>     proxy_set_header Some-Header-Name "";
>
> - Is there any way to apply a similar configuration (no development [2])
> to Apache Tomcat when there is no front server ?
> I could not find any built-in valve/filter that would allow such
> filtering. I don't think there is any, but I wanted to make sure I had
> not missed something.
>

Not to my knowledge. But I don't see why you cannot implement your own
Valve. Of course, any suggestion is welcome unless someone else has any
other suggestions?



> Olivier
>
> [0]
> https://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader
> [1]
> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
> [2] I know it is possible to develop a quite simple custom ServletFilter
> to wrap the request with a custom HttpServletRequest wrapper, but I'm
> looking for a zero development possibility. For those of your reading
> this discussion later and looking for a development solution, you can
> find inspiration in the following github repo that you can adapt to
> handle removal
> https://github.com/lonelyplanet/tomcat-request-header-filter