You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Shaik, Mohammad N." <mo...@accenture.com> on 2017/06/01 04:43:19 UTC
RE: [External] Re: Security Headers Implementation in Tomcat 6.x
version
Hi Chris,
What should be name of the new JAR file that I would create for the Filter classes?
There are multiple JAR files in lib folder. Does the name of these JAR files have any significance?
My understanding is that as long as you have your code (.class files) is present in any of the JAR files under "lib" folder, system would get it. You don’t need to have a specific-named JAR files having specific-named .class files. The .class files from all the jar files under lib folder is considered as one big collection, and based on the invoked classname its corresponding .class file gets executed from that big code. Multiple JAR files with different names is setup just for logical classification of classes. Please correct me if this is not right.
- Mohammad
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: 31 May 2017 23:52
To: users@tomcat.apache.org
Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mohammad,
On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
> Can I simply use the JAR files from Tomcat 7 that contains executable
> code of filter classes (security headers), and put them into
> corresponding location in Tomcat 6?
Definitely don't do that. But you could probably grab the compiled .class files from Tomcat 7's binary distribution... just make sure you have all of them.
So, basically, create a new JAR file that contains only those Filter classes (don't forget any inner classes that might be found in separate .class files).
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJZLwnHAAoJEBzwKT+lPKRYVZ4P/1XAtHfld2JwqfQLLUTaiZ7C
jlJoUOjImnwTI4JAKOnlaSIQ0c0IhboBlPxcuBOaAbn5zbKOQZslqbWhidnHuKp5
T5C8eChRR8OuP6cJAi2zCx0m7NgxInaYRIMdbxBGIwnAOZkaq0UgKY2JYo9OUfeJ
S5VRuZIKdH8nE3dlriC72uZkn2ZXPoHMe3KyfsNZzR8UNqyZmQwUsb8645Xiw0up
Sik6onVBiqSubnLCYslhizMiK7r7hU55whMbsS3tDXnfck8ZwE6nRldxRw630vet
D9b00aUw5Em9SW9ZaeIG/n6x/L7hTFzJJFhKMuhEQHndo610xDiI+d2fADEfvx/i
L5BKGzVwoUtq0MpUxKpwMeoKagA9NYpbSDyLpeJViqv/m77KOA4O2hGwmcq/UOml
XFQ//5yaHvGL+W8ICNZCzgdTX5OgOwx0Nbu9ii7//FOcI5O2uT+0EN+LoagGpDNy
OJmQm5PsXJDvScoyNRK+z6mgPpe+3YPR7tKfx9Aw6TlPecB8VaXY2zLMf7g0wck3
AMtGfaqKw1kSjLEmLrSb7rUCDxEROXh4zgpZS1Xv0/0tPfmoFPWxx7msw6bVd9CB
aKKw7NbMkUehs4lBixzPGHqBQfpMyvJByUQyY4ThUCrJM/DU/9y2rwdwJGYFR+lv
mD63/FtqNHglnYULpUTS
=jN8f
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
________________________________
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
______________________________________________________________________________________
www.accenture.com
Re: [External] Re: Security Headers Implementation in Tomcat 6.x
version
Posted by Olaf Kock <to...@olafkock.de>.
Am 02.06.2017 um 07:43 schrieb Shaik, Mohammad N.:
> Hi Chris, > > My actual requirement was to implement 7 HTTP headers, out of which
4 are implemented in "HttpHeaderSecurityFilter". The remaining 3 headers
(Content-Security-Policy, Public-Key-Pins, X-Robots-Tag) are not
addressed in any of the filters available in Tomcat 7, 8 & 9 versions. >
> Is there any way that we implement these 3 headers in Tomcat?
Sure. Look at the implementation for the 4 headers you found. Add three
more, recompile. Alternatively, add another filter just for your 3 headers.
As you're creating a solution for you exclusively, you may even
completely hard code the values and conditions you need. There's no need
for configuration or making it "ready for prime time" as nobody else
will use this code under different circumstances.
Or write your own servlet filter for the webapps you deploy (no need to
go app-server side when the webapps do what's required themselves). In
those servlet filters, set those headers under conditions that you
determine yourself.
Or (again, sorry) utilize httpd's mod_headers.
Olaf
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: [External] Re: Security Headers Implementation in Tomcat 6.x
version
Posted by "Shaik, Mohammad N." <mo...@accenture.com>.
Hi Chris,
My actual requirement was to implement 7 HTTP headers, out of which 4 are implemented in "HttpHeaderSecurityFilter". The remaining 3 headers (Content-Security-Policy, Public-Key-Pins, X-Robots-Tag) are not addressed in any of the filters available in Tomcat 7, 8 & 9 versions.
Is there any way that we implement these 3 headers in Tomcat?
Regards,
Mohammad
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: 01 June 2017 19:59
To: users@tomcat.apache.org
Subject: Re: [External] Re: Security Headers Implementation in Tomcat 6.x version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mohammad,
On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be name of the new JAR file that I would create for the
> Filter classes?
It doesn't matter.
> There are multiple JAR files in lib folder. Does the name of these JAR
> files have any significance?
Not really.
> My understanding is that as long as you have your code (.class
> files) is present in any of the JAR files under "lib" folder, system
> would get it. You don’t need to have a specific-named JAR files having
> specific-named .class files. The .class files from all the jar files
> under lib folder is considered as one big collection, and based on the
> invoked classname its corresponding .class file gets executed from
> that big code. Multiple JAR files with different names is setup just
> for logical classification of classes. Please correct me if this is
> not right.
You are correct. There are problems if the same class exists in two separate JAR files, but that should not be a problem in the standard Tomcat installation, plus the JAR file that has a few (unique) classes from Tomcat 7 in there.
Remember: Upgrade ASAP.
- -chris
> -----Original Message----- From: Christopher Schultz
> [mailto:chris@christopherschultz.net] Sent: 31 May 2017 23:52 To:
> users@tomcat.apache.org Subject: [External] Re: Security Headers
> Implementation in Tomcat 6.x version
>
> Mohammad,
>
> On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
>> Can I simply use the JAR files from Tomcat 7 that contains executable
>> code of filter classes (security headers), and put them into
>> corresponding location in Tomcat 6?
>
> Definitely don't do that. But you could probably grab the compiled
> .class files from Tomcat 7's binary distribution... just make sure you
> have all of them.
>
> So, basically, create a new JAR file that contains only those Filter
> classes (don't forget any inner classes that might be found in
> separate .class files).
>
> -chris
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If you
> have received it in error, please notify the sender immediately and
> delete the original. Any other use of the e-mail by you is prohibited.
> Where allowed by local law, electronic communications with Accenture
> and its affiliates, including e-mail and instant messaging (including
> content), may be scanned by our systems for the purposes of
> information security and assessment of internal compliance with
> Accenture policy.
> ______________________________________________________________________
________________
>
> www.accenture.com
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJZMCSuAAoJEBzwKT+lPKRYuXoQAMLiiazF90PhBn4NxTu/Zh2u
kqFbjTSUBRnk+KgQ7hezeRbQlLj/gt20Fywd8cvxOgXZ9CFGOVrxY5ljQdD/GQqi
3fr437iqlVXrzgIeZo/N7NAOQHa04ktMmGQiW+Hx3o8MyN6UlXUazL4K3ddiDNkx
bnTCYXtjic66vTJvTr+I2TVy/gBTLe7V4ooxNVP9zv+NL3xFqFqb3ZrkoHI9xiTn
aoM3HL2RMRu0Kt/fRAhzqOHYDj5uFttjXMfCVnm5+nBEE7R5ymihI8rMfVIxlIBo
/28+3nRnOK63dhAKHfpnNgBykH3DDwtududKme6KpCzbuD/95seIGhr4aKtBL9ou
gJXSaXt0IR7PFy4xiZGwdESr1OdR1/eTnyq8vNzIcmbEW9gv30dRhdytbie85nET
0G5OBIOZ4UGwjfGc5+ItCaNeAY4zsCofwlvvqjPG0xjM5uBJK6Eqy4dp++VYPv5Y
qK/1Qpmzu+KALoV7nLXLDrRV3qes319XaWgKB9c8r6BH6vYIg5K+W+pR63TiFDLE
/XHDxIpemsy6oq657sg0JI/48J8iiulbiIXsZ5bb1gjOg7bh4xz8XqOtSW2oqSju
ngDPVYxotcbA6DWsaOZJu7WYfR0wjs+/gkhvX1GgICd2lixXZUwboTkOk9wNwArS
HGUlc2U0LgTmSYLe+vj6
=oY0c
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
________________________________
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
______________________________________________________________________________________
www.accenture.com
Re: [External] Re: Security Headers Implementation in Tomcat 6.x
version
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mohammad,
On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be name of the new JAR file that I would create for
> the Filter classes?
It doesn't matter.
> There are multiple JAR files in lib folder. Does the name of these
> JAR files have any significance?
Not really.
> My understanding is that as long as you have your code (.class
> files) is present in any of the JAR files under "lib" folder,
> system would get it. You don’t need to have a specific-named JAR
> files having specific-named .class files. The .class files from all
> the jar files under lib folder is considered as one big collection,
> and based on the invoked classname its corresponding .class file
> gets executed from that big code. Multiple JAR files with different
> names is setup just for logical classification of classes. Please
> correct me if this is not right.
You are correct. There are problems if the same class exists in two
separate JAR files, but that should not be a problem in the standard
Tomcat installation, plus the JAR file that has a few (unique) classes
from Tomcat 7 in there.
Remember: Upgrade ASAP.
- -chris
> -----Original Message----- From: Christopher Schultz
> [mailto:chris@christopherschultz.net] Sent: 31 May 2017 23:52 To:
> users@tomcat.apache.org Subject: [External] Re: Security Headers
> Implementation in Tomcat 6.x version
>
> Mohammad,
>
> On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
>> Can I simply use the JAR files from Tomcat 7 that contains
>> executable code of filter classes (security headers), and put
>> them into corresponding location in Tomcat 6?
>
> Definitely don't do that. But you could probably grab the compiled
> .class files from Tomcat 7's binary distribution... just make sure
> you have all of them.
>
> So, basically, create a new JAR file that contains only those
> Filter classes (don't forget any inner classes that might be found
> in separate .class files).
>
> -chris
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If
> you have received it in error, please notify the sender immediately
> and delete the original. Any other use of the e-mail by you is
> prohibited. Where allowed by local law, electronic communications
> with Accenture and its affiliates, including e-mail and instant
> messaging (including content), may be scanned by our systems for
> the purposes of information security and assessment of internal
> compliance with Accenture policy.
> ______________________________________________________________________
________________
>
> www.accenture.com
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJZMCSuAAoJEBzwKT+lPKRYuXoQAMLiiazF90PhBn4NxTu/Zh2u
kqFbjTSUBRnk+KgQ7hezeRbQlLj/gt20Fywd8cvxOgXZ9CFGOVrxY5ljQdD/GQqi
3fr437iqlVXrzgIeZo/N7NAOQHa04ktMmGQiW+Hx3o8MyN6UlXUazL4K3ddiDNkx
bnTCYXtjic66vTJvTr+I2TVy/gBTLe7V4ooxNVP9zv+NL3xFqFqb3ZrkoHI9xiTn
aoM3HL2RMRu0Kt/fRAhzqOHYDj5uFttjXMfCVnm5+nBEE7R5ymihI8rMfVIxlIBo
/28+3nRnOK63dhAKHfpnNgBykH3DDwtududKme6KpCzbuD/95seIGhr4aKtBL9ou
gJXSaXt0IR7PFy4xiZGwdESr1OdR1/eTnyq8vNzIcmbEW9gv30dRhdytbie85nET
0G5OBIOZ4UGwjfGc5+ItCaNeAY4zsCofwlvvqjPG0xjM5uBJK6Eqy4dp++VYPv5Y
qK/1Qpmzu+KALoV7nLXLDrRV3qes319XaWgKB9c8r6BH6vYIg5K+W+pR63TiFDLE
/XHDxIpemsy6oq657sg0JI/48J8iiulbiIXsZ5bb1gjOg7bh4xz8XqOtSW2oqSju
ngDPVYxotcbA6DWsaOZJu7WYfR0wjs+/gkhvX1GgICd2lixXZUwboTkOk9wNwArS
HGUlc2U0LgTmSYLe+vj6
=oY0c
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org