Posted to users@tomcat.apache.org by "Pham, Mary (NIH/OD/ORS) [E]" <ma...@mail.nih.gov> on 2016/09/14 14:42:30 UTC

Apache TomCat 5.5

Hello Everyone,

As a newbie to Apache, we have been using one of the old Apache TomCat versions on Windows Server 2008R2, IIS 7.  After we purchased and installed the SSL certificate, we need to apply a header directive in Apache, "Strict-Transport-Security", so that our web site would be secured as the Government requires.  My question is, where can I insert this line?  In which files, and where are the files, in Apache TomCat 5.5, JDK 8 update 102?  Is it in the same server.xml file where we modified the connector for SSL?
Looking forward to hearing from your support.

Regards,


Mary Pham
Information Technology Specialist
National Institutes of Health Library
Division of Library Services
Office of Research Services
10 Center Drive, Room 1L07, MSC 1150
Bethesda, MD 20892-1150
T. 301.496.1506
marypham@mail.nih.gov<ma...@mail.nih.gov>

Stay connected with the NIH Library
NIH Library: http://nihlibrary.nih.gov<http://nihlibrary.nih.gov/>
Facebook: http://www.facebook.com/nihlibrary
Twitter: http://www.twitter.com/nihlib


_____________________________


RE: Apache TomCat 5.5

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Pham, Mary (NIH/OD/ORS) [E] [mailto:marypham@mail.nih.gov] 
> Subject: Apache TomCat 5.5

> We have been using one of the old Apache TomCat versions on Windows Server 2008R2, IIS 7.

Firstly, it's Tomcat, not TomCat.

> We need to apply a header directive in Apache "Strict-Transport-Security" so that our web site 
> would be secured as the Government required.

Your web site is pretty much guaranteed to be _insecure_ as long as you're running that old - and unsupported - version of Tomcat.  The last Tomcat 5.5 release was nearly four years ago, and many, many vulnerabilities have been addressed since then.  SSL does not protect you against those.  You really must upgrade to a supported level (preferably 8.5), after carefully reading the migration guides:
http://tomcat.apache.org/migration.html

Not doing so makes anything else you try pointless.

> My question is where can I insert this line?

As suggested by Daniel, a filter is your best bet - but upgrade Tomcat first.  Not doing so leaves you subject to many more liabilities than lack of HSTS.

 - Chuck 




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Apache TomCat 5.5

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mary,

On 9/21/16 10:51 AM, Pham, Mary (NIH/OD/ORS) [E] wrote:
> Thank you, Chris, Chuck, Andre and Mark, who answered.  I've gotten
> this far. My report.
> 
> - I installed the "URL Rewrite" module on IIS 7.  To make it short,
> it worked.  HTTP to HTTPS redirected, then enforced HSTS on the IIS 
> site. - But it broke all the scripts running on Tomcat due to Strict
> Transport Security when on HTTPS. - So I had to disable the
> inbound/outbound URL rewrite.
> 
> Back to square one.  We will not be able to upgrade Tomcat at this
> time.

So you have several requirements, here:

1. Stay on Tomcat 5.5
2. Implement HSTS
3. Have your scripts all work

It sounds like #2 and #3 conflict, since evidently HSTS "broke all the
scripts to run on Tomcat".

Your only option is to fix your application so that it will work with
HSTS enabled.

Upgrading Tomcat doesn't really have any bearing on any of this, since
you could upgrade Tomcat and still not enable HSTS.

- -chris




RE: Apache TomCat 5.5

Posted by Jeffrey Janner <Je...@PolyDyne.com>.
Mary -
First, sorry for the top-post.

I noticed in your original post that you have upgraded to the latest Java 8, and nearly the latest Windows version (at least newer than the release available when Tomcat 5.5 was first available).  I don't understand why you can't just go ahead and upgrade to the latest Tomcat 8 or 8.5 implementation.  As others have said, it is quite likely that your application will run just fine.
Without more details of your exact implementation environment, I can't give full advice, but here are some things to take into account:

1) If you are terminating SSL at the IIS7 client interface, then that is where you need to enable HSTS. It only needs to be on the IIS7-Tomcat conversation if that is also using SSL on its linkage (not normally needed for an internal network, but your requirements may specify otherwise).  Strip it out of headers on the way to Tomcat and add it back on the way to client if necessary.

2) When going from such an old version of Tomcat to a newer one, be aware that Tomcat configuration files and options HAVE changed.  You cannot just copy server.xml, context.xml, etc. files from the old version to the new.  You must migrate your settings to the new versions.  This is not that difficult or time-consuming, but it is best to do this manually.

3) Beware of any changes to provided valves/filters that you rely on.  Changes to those in new versions may require you to handle them differently.

4) Do this all in a test/dev environment, possibly several times, before even thinking about changing production.

5) If the addition of an additional/unknown HTTP header is causing problems with your backend processing, then you have more problems than you think you do. Your application is in violation of the most basic tenets of the HTTP protocol stack, as those headers should just be ignored according to the protocol.  Your application may stop working correctly in the next few months even without you doing anything to your current setup.

Respectfully,
Jeff


> -----Original Message-----
> From: Pham, Mary (NIH/OD/ORS) [E] [mailto:marypham@mail.nih.gov]
> Sent: Wednesday, September 21, 2016 9:52 AM
> To: 'Tomcat Users List' <us...@tomcat.apache.org>
> Subject: RE: Apache TomCat 5.5
> 
> Thank you, Chris, Chuck, Andre and Mark, who answered.  I've gotten
> this far.
> My report.
> - I installed the "URL Rewrite" module on IIS 7.  To make it short, it
> worked.  HTTP to HTTPS redirected, then enforced HSTS on the IIS site.
> - But it broke all the scripts running on Tomcat due to Strict Transport
> Security when on HTTPS.
> - So I had to disable the inbound/outbound URL rewrite.
> Back to square one.  We will not be able to upgrade Tomcat at this time.
> 
> Please help.
> 
> -Mary
> 




RE: Apache TomCat 5.5

Posted by "Pham, Mary (NIH/OD/ORS) [E]" <ma...@mail.nih.gov>.
Thank you, Chris, Chuck, Andre and Mark, who answered.  I've gotten this far.
My report.
- I installed the "URL Rewrite" module on IIS 7.  To make it short, it worked.  HTTP to HTTPS redirected, then enforced HSTS on the IIS site.
- But it broke all the scripts running on Tomcat due to Strict Transport Security when on HTTPS.
- So I had to disable the inbound/outbound URL rewrite.
Back to square one.  We will not be able to upgrade Tomcat at this time.

Please help.

-Mary



Re: Apache TomCat 5.5

Posted by Christopher Schultz <ch...@christopherschultz.net>.

André,

On 9/14/16 7:04 PM, André Warnier (tomcat) wrote:
> Mary, have a look here :
> http://tomcat.apache.org/whichversion.html Tomcat 5.5 was first
> released about 10 years ago, and the last modification to it was in
> 2012. The current "stable" version is Tomcat 8.5.5.
> 
> For Open Source and free software such as Apache Tomcat, that means
> that your chances of getting support and help for such an old
> version are really not good, because most of the people who would
> be able to help you probably do not run that version anywhere
> anymore. Even the documentation is not directly available on-line
> anymore.
> 
> Regarding your particular issue, it is even possible that the 
> requirement which you are mentioning is younger than Tomcat 5.5
> and cannot be met by such an old software version. It is even
> likely that, considering the age of your Tomcat and the age of the
> Java JVM it is probably running under, there are a whole lot of 
> other security issues with your server, which make it impossible to
> make it "secure as the government requires".
> 
> What I am saying is that you are probably wasting your time, and 
> ultimately your employer's time, with this approach.
> 
> You seem to mention below that you are using Tomcat "with IIS".
> Maybe this IIS is a front-end to Tomcat, and users access Tomcat
> always through IIS. If so, then as long as the connection between
> IIS and Tomcat is secure (e.g. they run on the same host), then you
> should probably take care of the SSL/HTTPS (and header) aspect on
> the IIS front-end. That is, if you /really/ cannot upgrade Tomcat
> and if your applications /really/ do not run under a newer version
> of Tomcat and Java.

HSTS is just an HTTP header thing. It can be deployed on any version
of anything basically back until the beginning of (HTTP) time.

It's slightly easier to do with more recent Tomcats because of the
inclusion of both the HTTP Header Security Filter[1] and the rewrite
valve[2] (oddly not mentioned in the "Valves" section of the
"Configuration" reference), but anyone can write a simple Filter and
add it to their web application to add these headers. In fact, I
wouldn't be surprised if Tomcat's HTTP Header Security Filter included
with Tomcat 8+ would work just fine on Tomcat 5.5. You just need to
grab the code, compile it, and drop it into your own application.

Since you mentioned IIS, I think you're right that IIS is probably a
better place to configure these HSTS headers.

Mary, ultimately, Tomcat 5.5 should definitely be upgraded to Tomcat 8
or later. You should take your web application and deploy it on Tomcat
8.0 or Tomcat 8.5 in a testing environment and just see what happens.
You might be surprised: it will probably work right away without any
modifications.

Hope that helps,
- -chris

[1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
[2] http://tomcat.apache.org/tomcat-8.0-doc/rewrite.html



Re: Apache TomCat 5.5

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
Mary,
have a look here : http://tomcat.apache.org/whichversion.html
Tomcat 5.5 was first released about 10 years ago, and the last modification to it was in 2012.
The current "stable" version is Tomcat 8.5.5.

For Open Source and free software such as Apache Tomcat, that means that your chances of 
getting support and help for such an old version are really not good, because most of the 
people who would be able to help you probably do not run that version anywhere anymore.
Even the documentation is not directly available on-line anymore.

Regarding your particular issue, it is even possible that the requirement which you are 
mentioning is younger than Tomcat 5.5 and cannot be met by such an old software version.
It is even likely that, considering the age of your Tomcat and the age of the Java JVM it 
is probably running under, there are a whole lot of other security issues with your 
server, which make it impossible to make it "secure as the government requires".

What I am saying is that you are probably wasting your time, and ultimately your 
employer's time, with this approach.

You seem to mention below that you are using Tomcat "with IIS".  Maybe this IIS is a 
front-end to Tomcat, and users access Tomcat always through IIS.
If so, then as long as the connection between IIS and Tomcat is secure (e.g. they run on 
the same host), then you should probably take care of the SSL/HTTPS (and header) aspect on 
the IIS front-end.
That is, if you /really/ cannot upgrade Tomcat and if your applications /really/ do not 
run under a newer version of Tomcat and Java.


On 14.09.2016 20:49, Pham, Mary (NIH/OD/ORS) [E] wrote:
> Hi Daniel,
>
> A newbie has to learn on an outdated system!  We can't upgrade due to the dependency of apps and forms, that's what I've learned.
> Thank you for the link.  To be honest, I do not know what to do yet.  I've checked and seen several web.xml files, in different directories... Some I think are original, some have been modified.
>
> Regards,
>
> -Mary
>
> -----Original Message-----
> From: Daniel Küppers [mailto:daniel@tetralog.com]
> Sent: Wednesday, September 14, 2016 11:17 AM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: Apache TomCat 5.5
>
>
>> Hello Everyone,
>>
>> As a newbie to Apache, we have been using one of the old Apache TomCat versions on Windows Server 2008R2, IIS 7.  After we purchased and installed the SSL certificate, we need to apply a header directive in Apache, "Strict-Transport-Security", so that our web site would be secured as the Government requires.  My question is, where can I insert this line?  In which files, and where are the files, in Apache TomCat 5.5, JDK 8 update 102?  Is it in the same server.xml file where we modified the connector for SSL?
>> Looking forward to hearing from your support.
>>
>> Regards,
>>
>>
>> Mary Pham
>> Information Technology Specialist
>> National Institutes of Health Library
>> Division of Library Services
>> Office of Research Services
>> 10 Center Drive, Room 1L07, MSC 1150
>> Bethesda, MD 20892-1150
>> T. 301.496.1506
>> marypham@mail.nih.gov<ma...@mail.nih.gov>
> Hello Mary,
>
> You are using a quite outdated Tomcat. A quick Googling brought me to Stack Overflow, which might solve the problem for your Tomcat 5.5. The easiest way possible is to add a filter to your webapp and apply the HSTS header in the response. You can make use of the built-in HSTS support if it's possible to upgrade your Tomcat to a recent version.
> Related SO-Question:
> http://stackoverflow.com/questions/27541755/add-hsts-feature-to-tomcat
>
> Best regards,
>
> Daniel
>


RE: Apache TomCat 5.5

Posted by "Pham, Mary (NIH/OD/ORS) [E]" <ma...@mail.nih.gov>.
Hi Daniel,

A newbie has to learn on an outdated system!  We can't upgrade due to the dependency of apps and forms, that's what I've learned.
Thank you for the link.  To be honest, I do not know what to do yet.  I've checked and seen several web.xml files, in different directories... Some I think are original, some have been modified.

Regards,

-Mary



Re: Apache TomCat 5.5

Posted by Daniel Küppers <da...@tetralog.com>.
> Hello EveryOne,
>
> As new bee of Apache.  We have been using one of the old Apache TomCat on windows server 2008R2, IIS 7.  After we purchased and installed the SSL certificate.  We need to apply a header directive in Apache "Strict-Transport-Security" so that our web site would be secured as the Government required.  My question is where can I insert this line?  In which and where's the files in Apache TomCat 5.5, JDK 8 updated 102.  Is it in the same server.xml file as we modified the connector for SSL.
> Look forward to hearing from your supports.
>
> Regards,
>
>
> Mary Pham
> Information Technology Specialist
> National Institutes of Health Library
> Division of Library Services
> Office of Research Services
> 10 Center Drive, Room 1L07, MSC 1150
> Bethesda, MD 20892-1150
> T. 301.496.1506
> marypham@mail.nih.gov<ma...@mail.nih.gov>
Hello Mary,

You are using a quite outdated Tomcat. A quick Googling brought me to 
Stack Overflow, which might solve the problem for your Tomcat 5.5. The 
easiest way possible is to add a filter to your webapp and apply the 
HSTS header in the response. You can make use of the built-in HSTS 
support if it's possible to upgrade your Tomcat to a recent version.
Related SO-Question: 
http://stackoverflow.com/questions/27541755/add-hsts-feature-to-tomcat

Best regards,

Daniel
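The "simple Filter" that Chris and Daniel both suggest, written out as an added example (it is not code from this thread, from Tomcat, or from the Stack Overflow answer): a Servlet 2.4 Filter that compiles against Tomcat 5.5's servlet-api.jar and sets Strict-Transport-Security only on requests Tomcat sees as secure, since user agents ignore the header over plain HTTP (RFC 6797). The package, class name and init-param names are assumptions, as is that the IIS-to-Tomcat connector (the AJP/ISAPI redirector in Mary's setup) forwards the front-end's TLS state so that isSecure() is true; the web.xml registration is shown in the class comment.

```java
package example;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds Strict-Transport-Security to responses served over HTTPS.
 * Servlet 2.4 API only (no annotations, no generics needed), so it
 * builds against Tomcat 5.5. Hypothetical class; not part of Tomcat.
 *
 * Register it in the webapp's WEB-INF/web.xml (Servlet 2.4 syntax):
 *
 *   <filter>
 *     <filter-name>HstsFilter</filter-name>
 *     <filter-class>example.HstsFilter</filter-class>
 *     <init-param>
 *       <param-name>maxAgeSeconds</param-name>
 *       <param-value>31536000</param-value>
 *     </init-param>
 *     <init-param>
 *       <param-name>includeSubDomains</param-name>
 *       <param-value>false</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>HstsFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class HstsFilter implements Filter {

    private static final String HEADER = "Strict-Transport-Security";

    /** Header value computed once at init time. */
    private String headerValue;

    public void init(FilterConfig config) throws ServletException {
        headerValue = buildHeaderValue(
            config.getInitParameter("maxAgeSeconds"),
            config.getInitParameter("includeSubDomains"));
    }

    /**
     * Builds the header value from the init-params. Kept separate so the
     * policy string can be unit-tested without a servlet container.
     * Defaults to one year when maxAgeSeconds is absent.
     */
    static String buildHeaderValue(String maxAge, String includeSubDomains) {
        long seconds = 31536000L;
        if (maxAge != null && maxAge.trim().length() > 0) {
            seconds = Long.parseLong(maxAge.trim());
            if (seconds < 0) {
                throw new IllegalArgumentException("maxAgeSeconds must be >= 0");
            }
        }
        StringBuffer sb = new StringBuffer("max-age=").append(seconds);
        // Boolean.valueOf(null) is FALSE, so a missing param means "off".
        if (Boolean.valueOf(includeSubDomains).booleanValue()) {
            sb.append("; includeSubDomains");
        }
        return sb.toString();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only over TLS: browsers discard HSTS received on http://, and with
        // an IIS front-end isSecure() is what the AJP connector forwards
        // (assumption noted in the lead-in). The header is set BEFORE the
        // chain runs, because headers cannot be added once the servlet
        // commits the response.
        if (req.isSecure() && res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Do not clobber a value the application already chose.
            if (!http.containsHeader(HEADER)) {
                http.setHeader(HEADER, headerValue);
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        headerValue = null;
    }
}
```

If IIS is the TLS terminator and already emits the header itself (Jeff's point 1), map this filter only on the paths that bypass IIS, or drop it, so the client never sees two conflicting policies.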
