You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Shaik, Mohammad N." <mo...@accenture.com> on 2017/05/29 05:59:03 UTC
Security Headers Implementation in Tomcat 6.x version
Hello,
We are using Tomcat 6.x version and we need to implement the following headers in our environment.
Headers:
1) Strict-Transport-Security
2) Content-Security-Policy
3) Public-Key-Pins
4) X-Frame-Options
5) X-XSS-Protection
6) X-Content-Type-Options
7) X-Robots-Tag
When I checked the Tomcat 6 version webpage (https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see any filters that implement any these headers. Some of them are available in Tomcat 7 version webpage (https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot upgrade to Tomcat 7.x version due to some constraints.
Can you kindly guide me how to implement these headers in Tomcat 6.x version. All your comments on this topic are welcome.
Kind Regards,
Mohammad Nayeem
________________________________
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
______________________________________________________________________________________
www.accenture.com
Re: Security Headers Implementation in Tomcat 6.x version
Posted by Violeta Georgieva <vi...@apache.org>.
Hi,
2017-05-31 13:34 GMT+03:00 Shaik, Mohammad N. <
mohammad.n.shaik@accenture.com>:
>
> Hi Chris,
>
> I got the source files (.java) of the filter classes that I was looking
for.
>
> Should we compile the source file against the servlet jar file(s) present
in "[Tomcat]\lib\"
Yes.
Compile them against the jar files located in Tomcat/lib.
The servlet API classes will be loaded from Tomcat/lib a.k.a. common
loader. More you can find here:
http://tomcat.apache.org/tomcat-6.0-doc/class-loader-howto.html#Class_Loader_Definitions
- Common — This class loader contains additional classes that are made
visible to both Tomcat internal classes and to all web applications.
- WebappX — A class loader is created for each web application that is
deployed in a single Tomcat instance.
> or "[Tomcat]\webapps\ApplicationName\WEB-INF\lib"? I see there are
multiple JAR files in both these locations. How to locate the exact JAR
file which should be used to compile source files?
>
> My understanding is that as long as you have your code (.class files) in
any of the JAR files under "lib" folder, system would get it. You don’t
need to have specific code in specific JAR file. Code from all the jar
files under lib folder is considered as one big code, and based on the
class invoked its corresponding code gets executed from that one big code.
Please correct me if this is not right.
>
> Also, should we include the filters in web.xml file under
"[Tomcat]\conf\" folder or under "WEB-INF" folder of my application?
The web.xml located in Tomcat/conf is the "global" one. The configurations
there will be applied to every web application deployed on the Tomcat
instance. So if you need to apply this filter to all web apps then place
the definition and configurations there. Otherwise you can provide the
filter definition and configurations in the WEB-INF/web.xml for a
particular web app.
Regards,
Violeta
>
>
> Regards,
> Mohammad
>
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: 30 May 2017 21:06
> To: users@tomcat.apache.org
> Subject: Re: Security Headers Implementation in Tomcat 6.x version
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Mohammad,
>
> On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> > Thanks for the valuable input, that helps!! We shall go with getting
> > the source package of Tomcat 7, put them in Tomcat 6 and use the
> > filters of Tomcat 7 in Tomcat 6.
> >
> > Can you please let me know from where I can get/download the source
> > package of Tomcat 7? Also can you please share the location of the
> > source package in Tomcat 6 so that we can replace it with the one from
> > Tomcat 7?
>
> The source download for Tomcat 7 is in the same place all the other
downloads are.
>
> You will not need the source for Tomcat 6, nor will you need to build the
complete source-to-binary for Tomcat 7. Just grab the source, take the
classes you need, and compile them against the servlet JAR you already have
for Tomcat 6. Feel free to re-name the packages if they are awkward for you
to compile/install and then just reference the new class names in your
application/server.
>
> Remember to watch for patches to those source files in Tomcat 7 in case
they include e.g. security updates -- you'll want to apply those same
updates to the code you have taken from Tomcat 7.
>
> A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is
backward-compatible with all spec-compliant applications, though it does
behave differently sometimes as the Servlet Experts Group has clarified
certain questions or added new capabilities (like annotation-processing). I
recommend a long period of testing with a new version of Tomcat, but I also
recommend that you begin that testing as soon as possible. Tomcat 6 will
probably receive *no further updates, security or otherwise*, even if a
vulnerability is foun d.
>
> - -chris
>
> > -----Original Message----- From: Christopher Schultz
> > [mailto:chris@christopherschultz.net] Sent: 29 May 2017 20:57 To:
> > users@tomcat.apache.org Subject: Re: Security Headers Implementation
> > in Tomcat 6.x version
> >
> > Mohammad,
> >
> > On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> >> Based on your inputs, we are thinking to put Apache httpd in front of
> >> Tomcat 6 server, since our header configuration is going to be
> >> static.
> >
> > This might not be a bad idea for a number of reasons, but it is by no
> > means required.
> >
> > You can download the Tomcat 7 source package and use the security
> > filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> > actually requires Tomcat 7 to run.
> >
> >> Can you please help us in identifying which version of Apache HTTP
> >> Server we can use for Tomcat 6 version? Also, it will be great if you
> >> can share some guidelines on how to implement Apache in front of
> >> Tomcat.
> > All supported versions of Apache web server work with app supported
> > versions of Tomcat (as well as Tomcat 6). You have several choices for
> > how to connect them together, but the most straightforward is to use
> > mod_proxy_http from httpd to Tomcat.
> > Tomcat behaves exactly as it did before and requires no additional
> > configuration unless you are moving TLS termination from Tomcat to
> > httpd. If that's the case, there are many guides on the web as well as
> > on Tomcat's Presentations Page[2] that document how to do that.
> >
> > Hope that helps, -chris
> >
> > [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2]
> > http://tomcat.apache.org/presentations.html
> >
> > ---------------------------------------------------------------------
> >
> >
> >
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
> > ________________________________
> >
> > This message is for the designated recipient only and may contain
> > privileged, proprietary, or otherwise confidential information. If you
> > have received it in error, please notify the sender immediately and
> > delete the original. Any other use of the e-mail by you is prohibited.
> > Where allowed by local law, electronic communications with Accenture
> > and its affiliates, including e-mail and instant messaging (including
> > content), may be scanned by our systems for the purposes of
> > information security and assessment of internal compliance with
> > Accenture policy.
> > ______________________________________________________________________
> ________________
> >
> >
> >
> www.accenture.com
> >
> > ---------------------------------------------------------------------
> >
> >
> >
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJZLZFGAAoJEBzwKT+lPKRYFlEQAMWx2/ngj4vEeoQfZU4rRFlH
> 1Mscn61MUFJdrVBFkVF+NR86m8clUt8Kw1MKZNGexMXcKjrIllqnVPJUQxjyvgai
> bsDndUDGT/BrFtyLWg8B68mUok+X3dcv4NrhokRQ4phpKM4vADIl6bqi6Uxmp1sX
> rRyjx0ZGnKTKEw2rJgAzp22OP7OURz5eyOayMNLBvCFcXBNLagC9uhuCuG39Hhjx
> 9FBjDZZDuFbLpWSH65pakWwU0vhcl2D45641n5dKwEyAsOPdrdJMBrjIE/ruj6/R
> pkxgawkIHTIWBdq9DoJzTZjD4opnsowlYpLwE7SrTQ7zy8YJ+9Pr2YoKZhBWsh+g
> Fd0F0FprIfWV7V7hQosY/q2yFgMBHBRlnLVO3n9ZdzWW0Wl8+YZNDI0svuEBzP6T
> U6YgnaUtm35XroBUyaYCA5ucjMbiY4S8ow0O7+8fHPjYmA4LDlGz5QLZdhiIsvtk
> ceoHWYy5hFlRyo2PXbmHSzkpOU6AJ7naGxesjKJL5XK+VN3Bh+JdUgi6NnQOgov3
> 984q7QAMB5ngdKwfW2/96pCLvSoMptSST653bGI8eDbt8byIivZEkXuRg1P3Pk/a
> ygRahHV7GxLHIZczAOoNspZxXlaDOBrgpSUZ+Yo31byBS+e4l7MRjKIDGElS51GP
> E6i6GV+37TsmOyY2aObW
> =OejA
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise confidential information. If you have
received it in error, please notify the sender immediately and delete the
original. Any other use of the e-mail by you is prohibited. Where allowed
by local law, electronic communications with Accenture and its affiliates,
including e-mail and instant messaging (including content), may be scanned
by our systems for the purposes of information security and assessment of
internal compliance with Accenture policy.
>
______________________________________________________________________________________
>
> www.accenture.com
RE: Security Headers Implementation in Tomcat 6.x version
Posted by "Shaik, Mohammad N." <mo...@accenture.com>.
Hi Chris,
I got the source files (.java) of the filter classes that I was looking for.
Should we compile the source file against the servlet jar file(s) present in "[Tomcat]\lib\" or "[Tomcat]\webapps\ApplicationName\WEB-INF\lib"? I see there are multiple JAR files in both these locations. How to locate the exact JAR file which should be used to compile source files?
My understanding is that as long as you have your code (.class files) in any of the JAR files under "lib" folder, system would get it. You don’t need to have specific code in specific JAR file. Code from all the jar files under lib folder is considered as one big code, and based on the class invoked its corresponding code gets executed from that one big code. Please correct me if this is not right.
Also, should we include the filters in web.xml file under "[Tomcat]\conf\" folder or under "WEB-INF" folder of my application?
Regards,
Mohammad
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: 30 May 2017 21:06
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mohammad,
On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> Thanks for the valuable input, that helps!! We shall go with getting
> the source package of Tomcat 7, put them in Tomcat 6 and use the
> filters of Tomcat 7 in Tomcat 6.
>
> Can you please let me know from where I can get/download the source
> package of Tomcat 7? Also can you please share the location of the
> source package in Tomcat 6 so that we can replace it with the one from
> Tomcat 7?
The source download for Tomcat 7 is in the same place all the other downloads are.
You will not need the source for Tomcat 6, nor will you need to build the complete source-to-binary for Tomcat 7. Just grab the source, take the classes you need, and compile them against the servlet JAR you already have for Tomcat 6. Feel free to re-name the packages if they are awkward for you to compile/install and then just reference the new class names in your application/server.
Remember to watch for patches to those source files in Tomcat 7 in case they include e.g. security updates -- you'll want to apply those same updates to the code you have taken from Tomcat 7.
A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is backward-compatible with all spec-compliant applications, though it does behave differently sometimes as the Servlet Experts Group has clarified certain questions or added new capabilities (like annotation-processing). I recommend a long period of testing with a new version of Tomcat, but I also recommend that you begin that testing as soon as possible. Tomcat 6 will probably receive *no further updates, security or otherwise*, even if a vulnerability is foun d.
- -chris
> -----Original Message----- From: Christopher Schultz
> [mailto:chris@christopherschultz.net] Sent: 29 May 2017 20:57 To:
> users@tomcat.apache.org Subject: Re: Security Headers Implementation
> in Tomcat 6.x version
>
> Mohammad,
>
> On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
>> Based on your inputs, we are thinking to put Apache httpd in front of
>> Tomcat 6 server, since our header configuration is going to be
>> static.
>
> This might not be a bad idea for a number of reasons, but it is by no
> means required.
>
> You can download the Tomcat 7 source package and use the security
> filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> actually requires Tomcat 7 to run.
>
>> Can you please help us in identifying which version of Apache HTTP
>> Server we can use for Tomcat 6 version? Also, it will be great if you
>> can share some guidelines on how to implement Apache in front of
>> Tomcat.
> All supported versions of Apache web server work with app supported
> versions of Tomcat (as well as Tomcat 6). You have several choices for
> how to connect them together, but the most straightforward is to use
> mod_proxy_http from httpd to Tomcat.
> Tomcat behaves exactly as it did before and requires no additional
> configuration unless you are moving TLS termination from Tomcat to
> httpd. If that's the case, there are many guides on the web as well as
> on Tomcat's Presentations Page[2] that document how to do that.
>
> Hope that helps, -chris
>
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2]
> http://tomcat.apache.org/presentations.html
>
> ---------------------------------------------------------------------
>
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If you
> have received it in error, please notify the sender immediately and
> delete the original. Any other use of the e-mail by you is prohibited.
> Where allowed by local law, electronic communications with Accenture
> and its affiliates, including e-mail and instant messaging (including
> content), may be scanned by our systems for the purposes of
> information security and assessment of internal compliance with
> Accenture policy.
> ______________________________________________________________________
________________
>
>
>
www.accenture.com
>
> ---------------------------------------------------------------------
>
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJZLZFGAAoJEBzwKT+lPKRYFlEQAMWx2/ngj4vEeoQfZU4rRFlH
1Mscn61MUFJdrVBFkVF+NR86m8clUt8Kw1MKZNGexMXcKjrIllqnVPJUQxjyvgai
bsDndUDGT/BrFtyLWg8B68mUok+X3dcv4NrhokRQ4phpKM4vADIl6bqi6Uxmp1sX
rRyjx0ZGnKTKEw2rJgAzp22OP7OURz5eyOayMNLBvCFcXBNLagC9uhuCuG39Hhjx
9FBjDZZDuFbLpWSH65pakWwU0vhcl2D45641n5dKwEyAsOPdrdJMBrjIE/ruj6/R
pkxgawkIHTIWBdq9DoJzTZjD4opnsowlYpLwE7SrTQ7zy8YJ+9Pr2YoKZhBWsh+g
Fd0F0FprIfWV7V7hQosY/q2yFgMBHBRlnLVO3n9ZdzWW0Wl8+YZNDI0svuEBzP6T
U6YgnaUtm35XroBUyaYCA5ucjMbiY4S8ow0O7+8fHPjYmA4LDlGz5QLZdhiIsvtk
ceoHWYy5hFlRyo2PXbmHSzkpOU6AJ7naGxesjKJL5XK+VN3Bh+JdUgi6NnQOgov3
984q7QAMB5ngdKwfW2/96pCLvSoMptSST653bGI8eDbt8byIivZEkXuRg1P3Pk/a
ygRahHV7GxLHIZczAOoNspZxXlaDOBrgpSUZ+Yo31byBS+e4l7MRjKIDGElS51GP
E6i6GV+37TsmOyY2aObW
=OejA
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
________________________________
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
______________________________________________________________________________________
www.accenture.com
Re: Security Headers Implementation in Tomcat 6.x version
Posted by Violeta Georgieva <vi...@apache.org>.
Hi,
2017-05-31 13:37 GMT+03:00 Shaik, Mohammad N. <
mohammad.n.shaik@accenture.com>:
>
> Hi Chris,
>
> Can I simply use the JAR files from Tomcat 7 that contains executable
code of filter classes (security headers), and put them into corresponding
location in Tomcat 6?
I would not recommend that. You might easily hit variety of class loading
problems.
Just grab the java files and compile them against Tomcat/lib.
Regards,
Violeta
>
> Regards,
> Mohammad
>
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: 30 May 2017 21:06
> To: users@tomcat.apache.org
> Subject: Re: Security Headers Implementation in Tomcat 6.x version
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Mohammad,
>
> On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> > Thanks for the valuable input, that helps!! We shall go with getting
> > the source package of Tomcat 7, put them in Tomcat 6 and use the
> > filters of Tomcat 7 in Tomcat 6.
> >
> > Can you please let me know from where I can get/download the source
> > package of Tomcat 7? Also can you please share the location of the
> > source package in Tomcat 6 so that we can replace it with the one from
> > Tomcat 7?
>
> The source download for Tomcat 7 is in the same place all the other
downloads are.
>
> You will not need the source for Tomcat 6, nor will you need to build the
complete source-to-binary for Tomcat 7. Just grab the source, take the
classes you need, and compile them against the servlet JAR you already have
for Tomcat 6. Feel free to re-name the packages if they are awkward for you
to compile/install and then just reference the new class names in your
application/server.
>
> Remember to watch for patches to those source files in Tomcat 7 in case
they include e.g. security updates -- you'll want to apply those same
updates to the code you have taken from Tomcat 7.
>
> A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is
backward-compatible with all spec-compliant applications, though it does
behave differently sometimes as the Servlet Experts Group has clarified
certain questions or added new capabilities (like annotation-processing). I
recommend a long period of testing with a new version of Tomcat, but I also
recommend that you begin that testing as soon as possible. Tomcat 6 will
probably receive *no further updates, security or otherwise*, even if a
vulnerability is foun d.
>
> - -chris
>
> > -----Original Message----- From: Christopher Schultz
> > [mailto:chris@christopherschultz.net] Sent: 29 May 2017 20:57 To:
> > users@tomcat.apache.org Subject: Re: Security Headers Implementation
> > in Tomcat 6.x version
> >
> > Mohammad,
> >
> > On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> >> Based on your inputs, we are thinking to put Apache httpd in front of
> >> Tomcat 6 server, since our header configuration is going to be
> >> static.
> >
> > This might not be a bad idea for a number of reasons, but it is by no
> > means required.
> >
> > You can download the Tomcat 7 source package and use the security
> > filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> > actually requires Tomcat 7 to run.
> >
> >> Can you please help us in identifying which version of Apache HTTP
> >> Server we can use for Tomcat 6 version? Also, it will be great if you
> >> can share some guidelines on how to implement Apache in front of
> >> Tomcat.
> > All supported versions of Apache web server work with app supported
> > versions of Tomcat (as well as Tomcat 6). You have several choices for
> > how to connect them together, but the most straightforward is to use
> > mod_proxy_http from httpd to Tomcat.
> > Tomcat behaves exactly as it did before and requires no additional
> > configuration unless you are moving TLS termination from Tomcat to
> > httpd. If that's the case, there are many guides on the web as well as
> > on Tomcat's Presentations Page[2] that document how to do that.
> >
> > Hope that helps, -chris
> >
> > [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2]
> > http://tomcat.apache.org/presentations.html
> >
> > ---------------------------------------------------------------------
> >
> >
> >
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
> > ________________________________
> >
> > This message is for the designated recipient only and may contain
> > privileged, proprietary, or otherwise confidential information. If you
> > have received it in error, please notify the sender immediately and
> > delete the original. Any other use of the e-mail by you is prohibited.
> > Where allowed by local law, electronic communications with Accenture
> > and its affiliates, including e-mail and instant messaging (including
> > content), may be scanned by our systems for the purposes of
> > information security and assessment of internal compliance with
> > Accenture policy.
> > ______________________________________________________________________
> ________________
> >
> >
> >
> www.accenture.com
> >
> > ---------------------------------------------------------------------
> >
> >
> >
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJZLZFGAAoJEBzwKT+lPKRYFlEQAMWx2/ngj4vEeoQfZU4rRFlH
> 1Mscn61MUFJdrVBFkVF+NR86m8clUt8Kw1MKZNGexMXcKjrIllqnVPJUQxjyvgai
> bsDndUDGT/BrFtyLWg8B68mUok+X3dcv4NrhokRQ4phpKM4vADIl6bqi6Uxmp1sX
> rRyjx0ZGnKTKEw2rJgAzp22OP7OURz5eyOayMNLBvCFcXBNLagC9uhuCuG39Hhjx
> 9FBjDZZDuFbLpWSH65pakWwU0vhcl2D45641n5dKwEyAsOPdrdJMBrjIE/ruj6/R
> pkxgawkIHTIWBdq9DoJzTZjD4opnsowlYpLwE7SrTQ7zy8YJ+9Pr2YoKZhBWsh+g
> Fd0F0FprIfWV7V7hQosY/q2yFgMBHBRlnLVO3n9ZdzWW0Wl8+YZNDI0svuEBzP6T
> U6YgnaUtm35XroBUyaYCA5ucjMbiY4S8ow0O7+8fHPjYmA4LDlGz5QLZdhiIsvtk
> ceoHWYy5hFlRyo2PXbmHSzkpOU6AJ7naGxesjKJL5XK+VN3Bh+JdUgi6NnQOgov3
> 984q7QAMB5ngdKwfW2/96pCLvSoMptSST653bGI8eDbt8byIivZEkXuRg1P3Pk/a
> ygRahHV7GxLHIZczAOoNspZxXlaDOBrgpSUZ+Yo31byBS+e4l7MRjKIDGElS51GP
> E6i6GV+37TsmOyY2aObW
> =OejA
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise confidential information. If you have
received it in error, please notify the sender immediately and delete the
original. Any other use of the e-mail by you is prohibited. Where allowed
by local law, electronic communications with Accenture and its affiliates,
including e-mail and instant messaging (including content), may be scanned
by our systems for the purposes of information security and assessment of
internal compliance with Accenture policy.
>
______________________________________________________________________________________
>
> www.accenture.com
Re: [External] Re: Security Headers Implementation in Tomcat 6.x
version
Posted by Olaf Kock <to...@olafkock.de>.
Am 02.06.2017 um 07:43 schrieb Shaik, Mohammad N.:
> Hi Chris, > > My actual requirement was to implement 7 HTTP headers, out of which
4 are implemented in "HttpHeaderSecurityFilter". The remaining 3 headers
(Content-Security-Policy, Public-Key-Pins, X-Robots-Tag) are not
addressed in any of the filters available in Tomcat 7, 8 & 9 versions. >
> Is there any way that we implement these 3 headers in Tomcat?
Sure. Look at the implementation for the 4 headers you found. Add three
more, recompile. Alternatively, add another filter just for your 3 headers.
As you're creating a solution for you exclusively, you may even
completely hard code the values and conditions you need. There's no need
for configuration or making it "ready for prime time" as nobody else
will use this code under different circumstances.
Or write your own servlet filter for the webapps you deploy (no need to
go app-server side when the webapps do what's required themselves). In
those servlet filters, set those headers under conditions that you
determine yourself.
Or (again, sorry) utilize httpd's mod_headers.
Olaf
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: [External] Re: Security Headers Implementation in Tomcat 6.x
version
Posted by "Shaik, Mohammad N." <mo...@accenture.com>.
Hi Chris,
My actual requirement was to implement 7 HTTP headers, out of which 4 are implemented in "HttpHeaderSecurityFilter". The remaining 3 headers (Content-Security-Policy, Public-Key-Pins, X-Robots-Tag) are not addressed in any of the filters available in Tomcat 7, 8 & 9 versions.
Is there any way that we implement these 3 headers in Tomcat?
Regards,
Mohammad
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: 01 June 2017 19:59
To: users@tomcat.apache.org
Subject: Re: [External] Re: Security Headers Implementation in Tomcat 6.x version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mohammad,
On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be name of the new JAR file that I would create for the
> Filter classes?
It doesn't matter.
> There are multiple JAR files in lib folder. Does the name of these JAR
> files have any significance?
Not really.
> My understanding is that as long as you have your code (.class
> files) is present in any of the JAR files under "lib" folder, system
> would get it. You don’t need to have a specific-named JAR files having
> specific-named .class files. The .class files from all the jar files
> under lib folder is considered as one big collection, and based on the
> invoked classname its corresponding .class file gets executed from
> that big code. Multiple JAR files with different names is setup just
> for logical classification of classes. Please correct me if this is
> not right.
You are correct. There are problems if the same class exists in two separate JAR files, but that should not be a problem in the standard Tomcat installation, plus the JAR file that has a few (unique) classes from Tomcat 7 in there.
Remember: Upgrade ASAP.
- -chris
> -----Original Message----- From: Christopher Schultz
> [mailto:chris@christopherschultz.net] Sent: 31 May 2017 23:52 To:
> users@tomcat.apache.org Subject: [External] Re: Security Headers
> Implementation in Tomcat 6.x version
>
> Mohammad,
>
> On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
>> Can I simply use the JAR files from Tomcat 7 that contains executable
>> code of filter classes (security headers), and put them into
>> corresponding location in Tomcat 6?
>
> Definitely don't do that. But you could probably grab the compiled
> .class files from Tomcat 7's binary distribution... just make sure you
> have all of them.
>
> So, basically, create a new JAR file that contains only those Filter
> classes (don't forget any inner classes that might be found in
> separate .class files).
>
> -chris
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If you
> have received it in error, please notify the sender immediately and
> delete the original. Any other use of the e-mail by you is prohibited.
> Where allowed by local law, electronic communications with Accenture
> and its affiliates, including e-mail and instant messaging (including
> content), may be scanned by our systems for the purposes of
> information security and assessment of internal compliance with
> Accenture policy.
> ______________________________________________________________________
________________
>
> www.accenture.com
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJZMCSuAAoJEBzwKT+lPKRYuXoQAMLiiazF90PhBn4NxTu/Zh2u
kqFbjTSUBRnk+KgQ7hezeRbQlLj/gt20Fywd8cvxOgXZ9CFGOVrxY5ljQdD/GQqi
3fr437iqlVXrzgIeZo/N7NAOQHa04ktMmGQiW+Hx3o8MyN6UlXUazL4K3ddiDNkx
bnTCYXtjic66vTJvTr+I2TVy/gBTLe7V4ooxNVP9zv+NL3xFqFqb3ZrkoHI9xiTn
aoM3HL2RMRu0Kt/fRAhzqOHYDj5uFttjXMfCVnm5+nBEE7R5ymihI8rMfVIxlIBo
/28+3nRnOK63dhAKHfpnNgBykH3DDwtududKme6KpCzbuD/95seIGhr4aKtBL9ou
gJXSaXt0IR7PFy4xiZGwdESr1OdR1/eTnyq8vNzIcmbEW9gv30dRhdytbie85nET
0G5OBIOZ4UGwjfGc5+ItCaNeAY4zsCofwlvvqjPG0xjM5uBJK6Eqy4dp++VYPv5Y
qK/1Qpmzu+KALoV7nLXLDrRV3qes319XaWgKB9c8r6BH6vYIg5K+W+pR63TiFDLE
/XHDxIpemsy6oq657sg0JI/48J8iiulbiIXsZ5bb1gjOg7bh4xz8XqOtSW2oqSju
ngDPVYxotcbA6DWsaOZJu7WYfR0wjs+/gkhvX1GgICd2lixXZUwboTkOk9wNwArS
HGUlc2U0LgTmSYLe+vj6
=oY0c
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
________________________________
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
______________________________________________________________________________________
www.accenture.com
Re: [External] Re: Security Headers Implementation in Tomcat 6.x
version
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mohammad,
On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be name of the new JAR file that I would create for
> the Filter classes?
It doesn't matter.
> There are multiple JAR files in lib folder. Does the name of these
> JAR files have any significance?
Not really.
> My understanding is that as long as you have your code (.class
> files) is present in any of the JAR files under "lib" folder,
> system would get it. You don’t need to have a specific-named JAR
> files having specific-named .class files. The .class files from all
> the jar files under lib folder is considered as one big collection,
> and based on the invoked classname its corresponding .class file
> gets executed from that big code. Multiple JAR files with different
> names is setup just for logical classification of classes. Please
> correct me if this is not right.
You are correct. There are problems if the same class exists in two
separate JAR files, but that should not be a problem in the standard
Tomcat installation, plus the JAR file that has a few (unique) classes
from Tomcat 7 in there.
Remember: Upgrade ASAP.
- -chris
> -----Original Message----- From: Christopher Schultz
> [mailto:chris@christopherschultz.net] Sent: 31 May 2017 23:52 To:
> users@tomcat.apache.org Subject: [External] Re: Security Headers
> Implementation in Tomcat 6.x version
>
> Mohammad,
>
> On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
>> Can I simply use the JAR files from Tomcat 7 that contains
>> executable code of filter classes (security headers), and put
>> them into corresponding location in Tomcat 6?
>
> Definitely don't do that. But you could probably grab the compiled
> .class files from Tomcat 7's binary distribution... just make sure
> you have all of them.
>
> So, basically, create a new JAR file that contains only those
> Filter classes (don't forget any inner classes that might be found
> in separate .class files).
>
> -chris
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If
> you have received it in error, please notify the sender immediately
> and delete the original. Any other use of the e-mail by you is
> prohibited. Where allowed by local law, electronic communications
> with Accenture and its affiliates, including e-mail and instant
> messaging (including content), may be scanned by our systems for
> the purposes of information security and assessment of internal
> compliance with Accenture policy.
> ______________________________________________________________________
________________
>
> www.accenture.com
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJZMCSuAAoJEBzwKT+lPKRYuXoQAMLiiazF90PhBn4NxTu/Zh2u
kqFbjTSUBRnk+KgQ7hezeRbQlLj/gt20Fywd8cvxOgXZ9CFGOVrxY5ljQdD/GQqi
3fr437iqlVXrzgIeZo/N7NAOQHa04ktMmGQiW+Hx3o8MyN6UlXUazL4K3ddiDNkx
bnTCYXtjic66vTJvTr+I2TVy/gBTLe7V4ooxNVP9zv+NL3xFqFqb3ZrkoHI9xiTn
aoM3HL2RMRu0Kt/fRAhzqOHYDj5uFttjXMfCVnm5+nBEE7R5ymihI8rMfVIxlIBo
/28+3nRnOK63dhAKHfpnNgBykH3DDwtududKme6KpCzbuD/95seIGhr4aKtBL9ou
gJXSaXt0IR7PFy4xiZGwdESr1OdR1/eTnyq8vNzIcmbEW9gv30dRhdytbie85nET
0G5OBIOZ4UGwjfGc5+ItCaNeAY4zsCofwlvvqjPG0xjM5uBJK6Eqy4dp++VYPv5Y
qK/1Qpmzu+KALoV7nLXLDrRV3qes319XaWgKB9c8r6BH6vYIg5K+W+pR63TiFDLE
/XHDxIpemsy6oq657sg0JI/48J8iiulbiIXsZ5bb1gjOg7bh4xz8XqOtSW2oqSju
ngDPVYxotcbA6DWsaOZJu7WYfR0wjs+/gkhvX1GgICd2lixXZUwboTkOk9wNwArS
HGUlc2U0LgTmSYLe+vj6
=oY0c
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: [External] Re: Security Headers Implementation in Tomcat 6.x
version
Posted by "Shaik, Mohammad N." <mo...@accenture.com>.
Hi Chris,
What should be name of the new JAR file that I would create for the Filter classes?
There are multiple JAR files in lib folder. Does the name of these JAR files have any significance?
My understanding is that as long as you have your code (.class files) is present in any of the JAR files under "lib" folder, system would get it. You don’t need to have a specific-named JAR files having specific-named .class files. The .class files from all the jar files under lib folder is considered as one big collection, and based on the invoked classname its corresponding .class file gets executed from that big code. Multiple JAR files with different names is setup just for logical classification of classes. Please correct me if this is not right.
- Mohammad
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: 31 May 2017 23:52
To: users@tomcat.apache.org
Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mohammad,
On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
> Can I simply use the JAR files from Tomcat 7 that contains executable
> code of filter classes (security headers), and put them into
> corresponding location in Tomcat 6?
Definitely don't do that. But you could probably grab the compiled .class files from Tomcat 7's binary distribution... just make sure you have all of them.
So, basically, create a new JAR file that contains only those Filter classes (don't forget any inner classes that might be found in separate .class files).
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJZLwnHAAoJEBzwKT+lPKRYVZ4P/1XAtHfld2JwqfQLLUTaiZ7C
jlJoUOjImnwTI4JAKOnlaSIQ0c0IhboBlPxcuBOaAbn5zbKOQZslqbWhidnHuKp5
T5C8eChRR8OuP6cJAi2zCx0m7NgxInaYRIMdbxBGIwnAOZkaq0UgKY2JYo9OUfeJ
S5VRuZIKdH8nE3dlriC72uZkn2ZXPoHMe3KyfsNZzR8UNqyZmQwUsb8645Xiw0up
Sik6onVBiqSubnLCYslhizMiK7r7hU55whMbsS3tDXnfck8ZwE6nRldxRw630vet
D9b00aUw5Em9SW9ZaeIG/n6x/L7hTFzJJFhKMuhEQHndo610xDiI+d2fADEfvx/i
L5BKGzVwoUtq0MpUxKpwMeoKagA9NYpbSDyLpeJViqv/m77KOA4O2hGwmcq/UOml
XFQ//5yaHvGL+W8ICNZCzgdTX5OgOwx0Nbu9ii7//FOcI5O2uT+0EN+LoagGpDNy
OJmQm5PsXJDvScoyNRK+z6mgPpe+3YPR7tKfx9Aw6TlPecB8VaXY2zLMf7g0wck3
AMtGfaqKw1kSjLEmLrSb7rUCDxEROXh4zgpZS1Xv0/0tPfmoFPWxx7msw6bVd9CB
aKKw7NbMkUehs4lBixzPGHqBQfpMyvJByUQyY4ThUCrJM/DU/9y2rwdwJGYFR+lv
mD63/FtqNHglnYULpUTS
=jN8f
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
________________________________
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
______________________________________________________________________________________
www.accenture.com
Re: Security Headers Implementation in Tomcat 6.x version
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mohammad,
On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
> Can I simply use the JAR files from Tomcat 7 that contains
> executable code of filter classes (security headers), and put them
> into corresponding location in Tomcat 6?
Definitely don't do that. But you could probably grab the compiled
.class files from Tomcat 7's binary distribution... just make sure you
have all of them.
So, basically, create a new JAR file that contains only those Filter
classes (don't forget any inner classes that might be found in
separate .class files).
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJZLwnHAAoJEBzwKT+lPKRYVZ4P/1XAtHfld2JwqfQLLUTaiZ7C
jlJoUOjImnwTI4JAKOnlaSIQ0c0IhboBlPxcuBOaAbn5zbKOQZslqbWhidnHuKp5
T5C8eChRR8OuP6cJAi2zCx0m7NgxInaYRIMdbxBGIwnAOZkaq0UgKY2JYo9OUfeJ
S5VRuZIKdH8nE3dlriC72uZkn2ZXPoHMe3KyfsNZzR8UNqyZmQwUsb8645Xiw0up
Sik6onVBiqSubnLCYslhizMiK7r7hU55whMbsS3tDXnfck8ZwE6nRldxRw630vet
D9b00aUw5Em9SW9ZaeIG/n6x/L7hTFzJJFhKMuhEQHndo610xDiI+d2fADEfvx/i
L5BKGzVwoUtq0MpUxKpwMeoKagA9NYpbSDyLpeJViqv/m77KOA4O2hGwmcq/UOml
XFQ//5yaHvGL+W8ICNZCzgdTX5OgOwx0Nbu9ii7//FOcI5O2uT+0EN+LoagGpDNy
OJmQm5PsXJDvScoyNRK+z6mgPpe+3YPR7tKfx9Aw6TlPecB8VaXY2zLMf7g0wck3
AMtGfaqKw1kSjLEmLrSb7rUCDxEROXh4zgpZS1Xv0/0tPfmoFPWxx7msw6bVd9CB
aKKw7NbMkUehs4lBixzPGHqBQfpMyvJByUQyY4ThUCrJM/DU/9y2rwdwJGYFR+lv
mD63/FtqNHglnYULpUTS
=jN8f
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Security Headers Implementation in Tomcat 6.x version
Posted by "Shaik, Mohammad N." <mo...@accenture.com>.
Hi Chris,
Can I simply use the JAR files from Tomcat 7 that contains executable code of filter classes (security headers), and put them into corresponding location in Tomcat 6?
Regards,
Mohammad
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: 30 May 2017 21:06
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mohammad,
On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> Thanks for the valuable input, that helps!! We shall go with getting
> the source package of Tomcat 7, put them in Tomcat 6 and use the
> filters of Tomcat 7 in Tomcat 6.
>
> Can you please let me know from where I can get/download the source
> package of Tomcat 7? Also can you please share the location of the
> source package in Tomcat 6 so that we can replace it with the one from
> Tomcat 7?
The source download for Tomcat 7 is in the same place all the other downloads are.
You will not need the source for Tomcat 6, nor will you need to build the complete source-to-binary for Tomcat 7. Just grab the source, take the classes you need, and compile them against the servlet JAR you already have for Tomcat 6. Feel free to re-name the packages if they are awkward for you to compile/install and then just reference the new class names in your application/server.
Remember to watch for patches to those source files in Tomcat 7 in case they include e.g. security updates -- you'll want to apply those same updates to the code you have taken from Tomcat 7.
A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is backward-compatible with all spec-compliant applications, though it does behave differently sometimes as the Servlet Experts Group has clarified certain questions or added new capabilities (like annotation-processing). I recommend a long period of testing with a new version of Tomcat, but I also recommend that you begin that testing as soon as possible. Tomcat 6 will probably receive *no further updates, security or otherwise*, even if a vulnerability is foun d.
- -chris
> -----Original Message----- From: Christopher Schultz
> [mailto:chris@christopherschultz.net] Sent: 29 May 2017 20:57 To:
> users@tomcat.apache.org Subject: Re: Security Headers Implementation
> in Tomcat 6.x version
>
> Mohammad,
>
> On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
>> Based on your inputs, we are thinking to put Apache httpd in front of
>> Tomcat 6 server, since our header configuration is going to be
>> static.
>
> This might not be a bad idea for a number of reasons, but it is by no
> means required.
>
> You can download the Tomcat 7 source package and use the security
> filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> actually requires Tomcat 7 to run.
>
>> Can you please help us in identifying which version of Apache HTTP
>> Server we can use for Tomcat 6 version? Also, it will be great if you
>> can share some guidelines on how to implement Apache in front of
>> Tomcat.
> All supported versions of Apache web server work with app supported
> versions of Tomcat (as well as Tomcat 6). You have several choices for
> how to connect them together, but the most straightforward is to use
> mod_proxy_http from httpd to Tomcat.
> Tomcat behaves exactly as it did before and requires no additional
> configuration unless you are moving TLS termination from Tomcat to
> httpd. If that's the case, there are many guides on the web as well as
> on Tomcat's Presentations Page[2] that document how to do that.
>
> Hope that helps, -chris
>
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2]
> http://tomcat.apache.org/presentations.html
>
> ---------------------------------------------------------------------
>
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If you
> have received it in error, please notify the sender immediately and
> delete the original. Any other use of the e-mail by you is prohibited.
> Where allowed by local law, electronic communications with Accenture
> and its affiliates, including e-mail and instant messaging (including
> content), may be scanned by our systems for the purposes of
> information security and assessment of internal compliance with
> Accenture policy.
> ______________________________________________________________________
________________
>
>
>
www.accenture.com
>
> ---------------------------------------------------------------------
>
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJZLZFGAAoJEBzwKT+lPKRYFlEQAMWx2/ngj4vEeoQfZU4rRFlH
1Mscn61MUFJdrVBFkVF+NR86m8clUt8Kw1MKZNGexMXcKjrIllqnVPJUQxjyvgai
bsDndUDGT/BrFtyLWg8B68mUok+X3dcv4NrhokRQ4phpKM4vADIl6bqi6Uxmp1sX
rRyjx0ZGnKTKEw2rJgAzp22OP7OURz5eyOayMNLBvCFcXBNLagC9uhuCuG39Hhjx
9FBjDZZDuFbLpWSH65pakWwU0vhcl2D45641n5dKwEyAsOPdrdJMBrjIE/ruj6/R
pkxgawkIHTIWBdq9DoJzTZjD4opnsowlYpLwE7SrTQ7zy8YJ+9Pr2YoKZhBWsh+g
Fd0F0FprIfWV7V7hQosY/q2yFgMBHBRlnLVO3n9ZdzWW0Wl8+YZNDI0svuEBzP6T
U6YgnaUtm35XroBUyaYCA5ucjMbiY4S8ow0O7+8fHPjYmA4LDlGz5QLZdhiIsvtk
ceoHWYy5hFlRyo2PXbmHSzkpOU6AJ7naGxesjKJL5XK+VN3Bh+JdUgi6NnQOgov3
984q7QAMB5ngdKwfW2/96pCLvSoMptSST653bGI8eDbt8byIivZEkXuRg1P3Pk/a
ygRahHV7GxLHIZczAOoNspZxXlaDOBrgpSUZ+Yo31byBS+e4l7MRjKIDGElS51GP
E6i6GV+37TsmOyY2aObW
=OejA
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
________________________________
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
______________________________________________________________________________________
www.accenture.com
Re: Security Headers Implementation in Tomcat 6.x version
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mohammad,
On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> Thanks for the valuable input, that helps!! We shall go with
> getting the source package of Tomcat 7, put them in Tomcat 6 and
> use the filters of Tomcat 7 in Tomcat 6.
>
> Can you please let me know from where I can get/download the
> source package of Tomcat 7? Also can you please share the location
> of the source package in Tomcat 6 so that we can replace it with
> the one from Tomcat 7?
The source download for Tomcat 7 is in the same place all the other
downloads are.
You will not need the source for Tomcat 6, nor will you need to build
the complete source-to-binary for Tomcat 7. Just grab the source, take
the classes you need, and compile them against the servlet JAR you
already have for Tomcat 6. Feel free to re-name the packages if they
are awkward for you to compile/install and then just reference the new
class names in your application/server.
Remember to watch for patches to those source files in Tomcat 7 in
case they include e.g. security updates -- you'll want to apply those
same updates to the code you have taken from Tomcat 7.
A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is
backward-compatible with all spec-compliant applications, though it
does behave differently sometimes as the Servlet Experts Group has
clarified certain questions or added new capabilities (like
annotation-processing). I recommend a long period of testing with a
new version of Tomcat, but I also recommend that you begin that
testing as soon as possible. Tomcat 6 will probably receive *no
further updates, security or otherwise*, even if a vulnerability is foun
d.
- -chris
> -----Original Message----- From: Christopher Schultz
> [mailto:chris@christopherschultz.net] Sent: 29 May 2017 20:57 To:
> users@tomcat.apache.org Subject: Re: Security Headers
> Implementation in Tomcat 6.x version
>
> Mohammad,
>
> On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
>> Based on your inputs, we are thinking to put Apache httpd in
>> front of Tomcat 6 server, since our header configuration is going
>> to be static.
>
> This might not be a bad idea for a number of reasons, but it is by
> no means required.
>
> You can download the Tomcat 7 source package and use the security
> filters from Tomcat 7[1] in Tomcat 6: there is nothing in there
> that actually requires Tomcat 7 to run.
>
>> Can you please help us in identifying which version of Apache
>> HTTP Server we can use for Tomcat 6 version? Also, it will be
>> great if you can share some guidelines on how to implement Apache
>> in front of Tomcat.
> All supported versions of Apache web server work with app
> supported versions of Tomcat (as well as Tomcat 6). You have
> several choices for how to connect them together, but the most
> straightforward is to use mod_proxy_http from httpd to Tomcat.
> Tomcat behaves exactly as it did before and requires no additional
> configuration unless you are moving TLS termination from Tomcat to
> httpd. If that's the case, there are many guides on the web as well
> as on Tomcat's Presentations Page[2] that document how to do that.
>
> Hope that helps, -chris
>
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2]
> http://tomcat.apache.org/presentations.html
>
> ---------------------------------------------------------------------
>
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If
> you have received it in error, please notify the sender
> immediately and delete the original. Any other use of the e-mail by
> you is prohibited. Where allowed by local law, electronic
> communications with Accenture and its affiliates, including e-mail
> and instant messaging (including content), may be scanned by our
> systems for the purposes of information security and assessment of
> internal compliance with Accenture policy.
> ______________________________________________________________________
________________
>
>
>
www.accenture.com
>
> ---------------------------------------------------------------------
>
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJZLZFGAAoJEBzwKT+lPKRYFlEQAMWx2/ngj4vEeoQfZU4rRFlH
1Mscn61MUFJdrVBFkVF+NR86m8clUt8Kw1MKZNGexMXcKjrIllqnVPJUQxjyvgai
bsDndUDGT/BrFtyLWg8B68mUok+X3dcv4NrhokRQ4phpKM4vADIl6bqi6Uxmp1sX
rRyjx0ZGnKTKEw2rJgAzp22OP7OURz5eyOayMNLBvCFcXBNLagC9uhuCuG39Hhjx
9FBjDZZDuFbLpWSH65pakWwU0vhcl2D45641n5dKwEyAsOPdrdJMBrjIE/ruj6/R
pkxgawkIHTIWBdq9DoJzTZjD4opnsowlYpLwE7SrTQ7zy8YJ+9Pr2YoKZhBWsh+g
Fd0F0FprIfWV7V7hQosY/q2yFgMBHBRlnLVO3n9ZdzWW0Wl8+YZNDI0svuEBzP6T
U6YgnaUtm35XroBUyaYCA5ucjMbiY4S8ow0O7+8fHPjYmA4LDlGz5QLZdhiIsvtk
ceoHWYy5hFlRyo2PXbmHSzkpOU6AJ7naGxesjKJL5XK+VN3Bh+JdUgi6NnQOgov3
984q7QAMB5ngdKwfW2/96pCLvSoMptSST653bGI8eDbt8byIivZEkXuRg1P3Pk/a
ygRahHV7GxLHIZczAOoNspZxXlaDOBrgpSUZ+Yo31byBS+e4l7MRjKIDGElS51GP
E6i6GV+37TsmOyY2aObW
=OejA
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Security Headers Implementation in Tomcat 6.x version
Posted by "Shaik, Mohammad N." <mo...@accenture.com>.
Hello Chris,
Thanks for the valuable input, that helps!! We shall go with getting the source package of Tomcat 7, put them in Tomcat 6 and use the filters of Tomcat 7 in Tomcat 6.
Can you please let me know from where I can get/download the source package of Tomcat 7? Also can you please share the location of the source package in Tomcat 6 so that we can replace it with the one from Tomcat 7?
Regards,
Mohammad
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: 29 May 2017 20:57
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mohammad,
On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> Based on your inputs, we are thinking to put Apache httpd in front of
> Tomcat 6 server, since our header configuration is going to be static.
This might not be a bad idea for a number of reasons, but it is by no means required.
You can download the Tomcat 7 source package and use the security filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that actually requires Tomcat 7 to run.
> Can you please help us in identifying which version of Apache HTTP
> Server we can use for Tomcat 6 version? Also, it will be great if you
> can share some guidelines on how to implement Apache in front of
> Tomcat.
All supported versions of Apache web server work with app supported versions of Tomcat (as well as Tomcat 6). You have several choices for how to connect them together, but the most straightforward is to use mod_proxy_http from httpd to Tomcat. Tomcat behaves exactly as it did before and requires no additional configuration unless you are moving TLS termination from Tomcat to httpd. If that's the case, there are many guides on the web as well as on Tomcat's Presentations Page[2] that document how to do that.
Hope that helps,
- -chris
[1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
[2] http://tomcat.apache.org/presentations.html
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJZLD3hAAoJEBzwKT+lPKRYPh0P/RiGWVDs8c/PsFdC8VmU8fBB
V+EqkBd3SMeMK9l/2NtHW+MK/5BkkB5/2ebZiivCBYVTkUi4jaqnBvy981EJFcFb
vxovSsFhkhAPnr2DtZcg98wkTJ5dwT7ze50Cx/VBeXVlZD8n/nh+Msv5a1Fab0qI
dTzTGUwAguFwVZHkZX16LefqHvbvC6R5lJDCkqdtWx51KbDB4fY2TdVhzGK1vCEk
Vgrg4uEhjrkS/d6YgU4VWY8gHF2202DbmGPyZjIlh8l3R9bFWUE5NEg0AokOAAxR
AySanDW0J1QNKjm11KQuwynDVTqLGu9u9JBxKYsqsZsjjzSIpHFzVislI/lIbKBi
RKb1m+Hsfm0LkmDX+9N47EKXG5B6HOenUjWnjy2BCBnkINPXSbGOPXrG4028hSmo
NlPWGZTFSJnlcE4mLTxHZBQjPwgg2pmn/Ck4LsP9PFJITC3/2jtCpnwCv29pcxx8
ILG8On65M9uA2AdnhGucNvSpV5nsfPujhBQtB44A9Xd9V3ssdqn+hSgorZ4aMY7U
XPGyiUV985D+9XKkaHY0gBWjLdEBRZisWV1k66QjAWXC3ekdxGQzyV47RehwRueQ
6Zcc5MuH1F/3okJpXlxSwnpwfLyfZZPjZrhVoyKMxAWj2ozkIqPcfcSw8cYxN5hr
Fx+sOmqCwHww762nVlnZ
=03C1
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
________________________________
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
______________________________________________________________________________________
www.accenture.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Security Headers Implementation in Tomcat 6.x version
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mohammad,
On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> Based on your inputs, we are thinking to put Apache httpd in front
> of Tomcat 6 server, since our header configuration is going to be
> static.
This might not be a bad idea for a number of reasons, but it is by no
means required.
You can download the Tomcat 7 source package and use the security
filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
actually requires Tomcat 7 to run.
> Can you please help us in identifying which version of Apache HTTP
> Server we can use for Tomcat 6 version? Also, it will be great if
> you can share some guidelines on how to implement Apache in front
> of Tomcat.
All supported versions of Apache web server work with app supported
versions of Tomcat (as well as Tomcat 6). You have several choices for
how to connect them together, but the most straightforward is to use
mod_proxy_http from httpd to Tomcat. Tomcat behaves exactly as it did
before and requires no additional configuration unless you are moving
TLS termination from Tomcat to httpd. If that's the case, there are
many guides on the web as well as on Tomcat's Presentations Page[2]
that document how to do that.
Hope that helps,
- -chris
[1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
[2] http://tomcat.apache.org/presentations.html
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJZLD3hAAoJEBzwKT+lPKRYPh0P/RiGWVDs8c/PsFdC8VmU8fBB
V+EqkBd3SMeMK9l/2NtHW+MK/5BkkB5/2ebZiivCBYVTkUi4jaqnBvy981EJFcFb
vxovSsFhkhAPnr2DtZcg98wkTJ5dwT7ze50Cx/VBeXVlZD8n/nh+Msv5a1Fab0qI
dTzTGUwAguFwVZHkZX16LefqHvbvC6R5lJDCkqdtWx51KbDB4fY2TdVhzGK1vCEk
Vgrg4uEhjrkS/d6YgU4VWY8gHF2202DbmGPyZjIlh8l3R9bFWUE5NEg0AokOAAxR
AySanDW0J1QNKjm11KQuwynDVTqLGu9u9JBxKYsqsZsjjzSIpHFzVislI/lIbKBi
RKb1m+Hsfm0LkmDX+9N47EKXG5B6HOenUjWnjy2BCBnkINPXSbGOPXrG4028hSmo
NlPWGZTFSJnlcE4mLTxHZBQjPwgg2pmn/Ck4LsP9PFJITC3/2jtCpnwCv29pcxx8
ILG8On65M9uA2AdnhGucNvSpV5nsfPujhBQtB44A9Xd9V3ssdqn+hSgorZ4aMY7U
XPGyiUV985D+9XKkaHY0gBWjLdEBRZisWV1k66QjAWXC3ekdxGQzyV47RehwRueQ
6Zcc5MuH1F/3okJpXlxSwnpwfLyfZZPjZrhVoyKMxAWj2ozkIqPcfcSw8cYxN5hr
Fx+sOmqCwHww762nVlnZ
=03C1
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: [External] Re: Security Headers Implementation in Tomcat 6.x version
Posted by km...@gmail.com.
Ghgfhch
Dygugjfbjg
Envoyé de mon smartphone BlackBerry 10.
Message d'origine
De: Christopher Schultz
Envoyé: jeudi 8 juin 2017 18:43
À: users@tomcat.apache.org
Répondre à: Tomcat Users List
Objet: Re: [External] Re: Security Headers Implementation in Tomcat 6.x version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Shaik,
On 6/8/17 1:18 AM, Shaik, Mohammad N. wrote:
> Hi Olaf & Chris,
>
> By placing HTTPD 2.x server in front of Tomcat 6, is it possible to
> hide Tomcat 6 from external world? I just don’t want people to find
> out that I am using Tomcat 6, instead I want them to know that I am
> using httpd 2.x server. Is this possible?
>
> I just need Apache HTTPD server to take care of headers and let
> Tomcat do rest of the stuff (which it is already doing in my case).
> Do I still need to configure anything other than headers in my
> case?
Not really. If you configure httpd -> Tomcat, then you can
firewall-out everyone from your Tomcat server except the server
running httpd.
By default, httpd will return its own "Server" header so you don't
even need to try to mask Tomcat's existence that way.
- -chris
> -----Original Message----- From: Olaf Kock
> [mailto:tomcat@olafkock.de] Sent: 31 May 2017 16:38 To: Tomcat
> Users List <us...@tomcat.apache.org> Subject: [External] Re:
> Security Headers Implementation in Tomcat 6.x version
>
> Am 29.05.2017 um 13:34 schrieb Shaik, Mohammad N.:
>> Hello Olaf,
>>
>> Thanks for your response!
>>
>> Based on your inputs, we are thinking to put Apache httpd in
>> front of Tomcat 6 server, since our header configuration is going
>> to be static.
>>
>> Can you please help us in identifying which version of Apache
>> HTTP Server we can use for Tomcat 6 version? Also, it will be
>> great if you can share some guidelines on how to implement Apache
>> in front of Tomcat.
>
> For completeness sake I'd like to answer a few of these questions,
> rather briefly. It seems that you're deep into implementing
> Christopher's solution of compiling the newer filters for Tomcat
> 6.
>
> Every current Apache httpd is fine, no version restriction.
> Especially: Choose one that will get updates for quite a while, not
> like the outdated Tomcat version you're running. Read on mod_proxy,
> mod_proxy_ajp, mod_jk and mod_proxy_http, which are all keywords on
> the connection between Apache and tomcat. Once you've set this up,
> setting the headers is a matter of adding the "Header" directive to
> httpd's configuration. I understand though, that setting up the
> connection can be some task if you've never done that. Especially
> if you're using https, and also refer to it in your webapp's code
> (e.g. to validate client certs) - but as you give no clue you're
> doing that, I'm assuming you don't and the setup would be easy.
>
> Anyway, feel free to utilize the newer code - I just wanted this
> information to be in this thread as well. However, once you're done
> with it: Utilize even more newer code and prepare to migrate away
> from your discontinued tomcat version.
>
> Olaf
>
>
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If
> you have received it in error, please notify the sender immediately
> and delete the original. Any other use of the e-mail by you is
> prohibited. Where allowed by local law, electronic communications
> with Accenture and its affiliates, including e-mail and instant
> messaging (including content), may be scanned by our systems for
> the purposes of information security and assessment of internal
> compliance with Accenture policy.
> ______________________________________________________________________
________________
>
> www.accenture.com
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJZOZqoAAoJEBzwKT+lPKRYVBAP/RotI8+S6dbEVYxNNJtwIoLT
LzoBCrxF/VWva8CUqGNrWJNdjy4IUuwiB00zGYZpyXmvIVAjG8H+fq+pocYVTSLz
1q6ZiqLuw3yj2xottS2fBY3lQC3hQawGjP9IX+Y3/qq9lgGNificZ7ok2iBBhlrZ
CiwiQSVuvpboawxYKl62kXB6c2pprzGqRZ1l6I+pcir/mMHJ6W0fYXrdxgEk8M9d
aY7W0YRugVsCbuAHqpQ+1Jr2jv3+Wme1LknTV9+ixmbHnu0UecoIhseWywDanrQD
1if8Rh/TtuT31wWKu7nn48llofjzmWwNRVjaFeNY9u/zjMkimcQ2B+shSuq81M5H
BxcvutplbYhGWED2AS/G/OviNbC+JJiaDXgE+mrH31kNfH9WXS5DH+RZO0q1kxmy
gXrBQ4M+XoZgloQQ4Y9kSRfEBeEccr3axtdo7FwpqJjCesLFSfCkUZgGHhOFuGAx
JGG4zIu2JLAsNVXu76KSX7JNPvnWoqrYzmrV5uweDU3xf3Mls2A2LuxEOTe5ANOg
jDVH6K6UbkplWHvAWKDIUcKyTPKKbk7M5M3zikwdpC+YD7g8oxZHD0kZKtej0y7F
dbV4MXJS0M4x/dLvDKX3B1llHTmyHHJ7li02YO/3/tslMJiqZ2xsmSOzxJTxsG5j
ZFaXCW7JdKIBmiFR397r
=UPn3
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: [External] Re: Security Headers Implementation in Tomcat 6.x
version
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Shaik,
On 6/8/17 1:18 AM, Shaik, Mohammad N. wrote:
> Hi Olaf & Chris,
>
> By placing HTTPD 2.x server in front of Tomcat 6, is it possible to
> hide Tomcat 6 from external world? I just don’t want people to find
> out that I am using Tomcat 6, instead I want them to know that I am
> using httpd 2.x server. Is this possible?
>
> I just need Apache HTTPD server to take care of headers and let
> Tomcat do rest of the stuff (which it is already doing in my case).
> Do I still need to configure anything other than headers in my
> case?
Not really. If you configure httpd -> Tomcat, then you can
firewall-out everyone from your Tomcat server except the server
running httpd.
By default, httpd will return its own "Server" header so you don't
even need to try to mask Tomcat's existence that way.
- -chris
> -----Original Message----- From: Olaf Kock
> [mailto:tomcat@olafkock.de] Sent: 31 May 2017 16:38 To: Tomcat
> Users List <us...@tomcat.apache.org> Subject: [External] Re:
> Security Headers Implementation in Tomcat 6.x version
>
> Am 29.05.2017 um 13:34 schrieb Shaik, Mohammad N.:
>> Hello Olaf,
>>
>> Thanks for your response!
>>
>> Based on your inputs, we are thinking to put Apache httpd in
>> front of Tomcat 6 server, since our header configuration is going
>> to be static.
>>
>> Can you please help us in identifying which version of Apache
>> HTTP Server we can use for Tomcat 6 version? Also, it will be
>> great if you can share some guidelines on how to implement Apache
>> in front of Tomcat.
>
> For completeness sake I'd like to answer a few of these questions,
> rather briefly. It seems that you're deep into implementing
> Christopher's solution of compiling the newer filters for Tomcat
> 6.
>
> Every current Apache httpd is fine, no version restriction.
> Especially: Choose one that will get updates for quite a while, not
> like the outdated Tomcat version you're running. Read on mod_proxy,
> mod_proxy_ajp, mod_jk and mod_proxy_http, which are all keywords on
> the connection between Apache and tomcat. Once you've set this up,
> setting the headers is a matter of adding the "Header" directive to
> httpd's configuration. I understand though, that setting up the
> connection can be some task if you've never done that. Especially
> if you're using https, and also refer to it in your webapp's code
> (e.g. to validate client certs) - but as you give no clue you're
> doing that, I'm assuming you don't and the setup would be easy.
>
> Anyway, feel free to utilize the newer code - I just wanted this
> information to be in this thread as well. However, once you're done
> with it: Utilize even more newer code and prepare to migrate away
> from your discontinued tomcat version.
>
> Olaf
>
>
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If
> you have received it in error, please notify the sender immediately
> and delete the original. Any other use of the e-mail by you is
> prohibited. Where allowed by local law, electronic communications
> with Accenture and its affiliates, including e-mail and instant
> messaging (including content), may be scanned by our systems for
> the purposes of information security and assessment of internal
> compliance with Accenture policy.
> ______________________________________________________________________
________________
>
> www.accenture.com
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJZOZqoAAoJEBzwKT+lPKRYVBAP/RotI8+S6dbEVYxNNJtwIoLT
LzoBCrxF/VWva8CUqGNrWJNdjy4IUuwiB00zGYZpyXmvIVAjG8H+fq+pocYVTSLz
1q6ZiqLuw3yj2xottS2fBY3lQC3hQawGjP9IX+Y3/qq9lgGNificZ7ok2iBBhlrZ
CiwiQSVuvpboawxYKl62kXB6c2pprzGqRZ1l6I+pcir/mMHJ6W0fYXrdxgEk8M9d
aY7W0YRugVsCbuAHqpQ+1Jr2jv3+Wme1LknTV9+ixmbHnu0UecoIhseWywDanrQD
1if8Rh/TtuT31wWKu7nn48llofjzmWwNRVjaFeNY9u/zjMkimcQ2B+shSuq81M5H
BxcvutplbYhGWED2AS/G/OviNbC+JJiaDXgE+mrH31kNfH9WXS5DH+RZO0q1kxmy
gXrBQ4M+XoZgloQQ4Y9kSRfEBeEccr3axtdo7FwpqJjCesLFSfCkUZgGHhOFuGAx
JGG4zIu2JLAsNVXu76KSX7JNPvnWoqrYzmrV5uweDU3xf3Mls2A2LuxEOTe5ANOg
jDVH6K6UbkplWHvAWKDIUcKyTPKKbk7M5M3zikwdpC+YD7g8oxZHD0kZKtej0y7F
dbV4MXJS0M4x/dLvDKX3B1llHTmyHHJ7li02YO/3/tslMJiqZ2xsmSOzxJTxsG5j
ZFaXCW7JdKIBmiFR397r
=UPn3
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: [External] Re: Security Headers Implementation in Tomcat 6.x
version
Posted by "Shaik, Mohammad N." <mo...@accenture.com>.
Hi Olaf & Chris,
By placing HTTPD 2.x server in front of Tomcat 6, is it possible to hide Tomcat 6 from external world? I just don’t want people to find out that I am using Tomcat 6, instead I want them to know that I am using httpd 2.x server. Is this possible?
I just need Apache HTTPD server to take care of headers and let Tomcat do rest of the stuff (which it is already doing in my case). Do I still need to configure anything other than headers in my case?
Regards,
Mohammad
-----Original Message-----
From: Olaf Kock [mailto:tomcat@olafkock.de]
Sent: 31 May 2017 16:38
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version
Am 29.05.2017 um 13:34 schrieb Shaik, Mohammad N.:
> Hello Olaf,
>
> Thanks for your response!
>
> Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 6 server, since our header configuration is going to be static.
>
> Can you please help us in identifying which version of Apache HTTP Server we can use for Tomcat 6 version? Also, it will be great if you can share some guidelines on how to implement Apache in front of Tomcat.
For completeness sake I'd like to answer a few of these questions, rather briefly. It seems that you're deep into implementing Christopher's solution of compiling the newer filters for Tomcat 6.
Every current Apache httpd is fine, no version restriction. Especially:
Choose one that will get updates for quite a while, not like the outdated Tomcat version you're running. Read on mod_proxy, mod_proxy_ajp, mod_jk and mod_proxy_http, which are all keywords on the connection between Apache and tomcat. Once you've set this up, setting the headers is a matter of adding the "Header" directive to httpd's configuration. I understand though, that setting up the connection can be some task if you've never done that. Especially if you're using https, and also refer to it in your webapp's code (e.g. to validate client certs) - but as you give no clue you're doing that, I'm assuming you don't and the setup would be easy.
Anyway, feel free to utilize the newer code - I just wanted this information to be in this thread as well. However, once you're done with
it: Utilize even more newer code and prepare to migrate away from your discontinued tomcat version.
Olaf
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
________________________________
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
______________________________________________________________________________________
www.accenture.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Security Headers Implementation in Tomcat 6.x version
Posted by Olaf Kock <to...@olafkock.de>.
Am 29.05.2017 um 13:34 schrieb Shaik, Mohammad N.:
> Hello Olaf,
>
> Thanks for your response!
>
> Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 6 server, since our header configuration is going to be static.
>
> Can you please help us in identifying which version of Apache HTTP Server we can use for Tomcat 6 version? Also, it will be great if you can share some guidelines on how to implement Apache in front of Tomcat.
For completeness sake I'd like to answer a few of these questions,
rather briefly. It seems that you're deep into implementing
Christopher's solution of compiling the newer filters for Tomcat 6.
Every current Apache httpd is fine, no version restriction. Especially:
Choose one that will get updates for quite a while, not like the
outdated Tomcat version you're running. Read on mod_proxy,
mod_proxy_ajp, mod_jk and mod_proxy_http, which are all keywords on the
connection between Apache and tomcat. Once you've set this up, setting
the headers is a matter of adding the "Header" directive to httpd's
configuration. I understand though, that setting up the connection can
be some task if you've never done that. Especially if you're using
https, and also refer to it in your webapp's code (e.g. to validate
client certs) - but as you give no clue you're doing that, I'm assuming
you don't and the setup would be easy.
Anyway, feel free to utilize the newer code - I just wanted this
information to be in this thread as well. However, once you're done with
it: Utilize even more newer code and prepare to migrate away from your
discontinued tomcat version.
Olaf
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Security Headers Implementation in Tomcat 6.x version
Posted by "Shaik, Mohammad N." <mo...@accenture.com>.
Hello Olaf,
Thanks for your response!
Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 6 server, since our header configuration is going to be static.
Can you please help us in identifying which version of Apache HTTP Server we can use for Tomcat 6 version? Also, it will be great if you can share some guidelines on how to implement Apache in front of Tomcat.
Regards,
Mohammad Nayeem
-----Original Message-----
From: Olaf Kock [mailto:tomcat@olafkock.de]
Sent: 29 May 2017 13:53
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version
Am 29.05.2017 um 07:59 schrieb Shaik, Mohammad N.:
> We are using Tomcat 6.x version and we need to implement the following headers in our environment.
>
> Headers:
> 1) Strict-Transport-Security
> 2) Content-Security-Policy
> ....
> 7) X-Robots-Tag
>
> When I checked the Tomcat 6 version webpage (https://urldefense.proofpoint.com/v2/url?u=https-3A__tomcat.apache.org_tomcat-2D6.0-2Ddoc_config_filter.html&d=DwIC-g&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=n7KdPZPxHJiaMMRttjzNEDRaQq4sRDfs3q027rnDxLU&m=MluZR_Lq5a0pPtOi3Req6Md1UeKkctbV-mPOCjQsSUU&s=MmEr4IILdgkhxtcFHmAb7ZO1pGl9B2Gek5dFuSCIBKw&e= ), I don't see any filters that implement any these headers. Some of them are available in Tomcat 7 version webpage (https://urldefense.proofpoint.com/v2/url?u=https-3A__tomcat.apache.org_tomcat-2D7.0-2Ddoc_config_filter.html&d=DwIC-g&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=n7KdPZPxHJiaMMRttjzNEDRaQq4sRDfs3q027rnDxLU&m=MluZR_Lq5a0pPtOi3Req6Md1UeKkctbV-mPOCjQsSUU&s=aSZ5lgpIY-aPi2TSYp6DDNykQA9QFD8ImYaIKp70gUA&e= ), but we cannot upgrade to Tomcat 7.x version due to some constraints.
>
> Can you kindly guide me how to implement these headers in Tomcat 6.x version. All your comments on this topic are welcome.
As tomcat 6 is solid out of service for almost half a year already (see https://urldefense.proofpoint.com/v2/url?u=http-3A__tomcat.apache.org_tomcat-2D60-2Deol.html&d=DwIC-g&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=n7KdPZPxHJiaMMRttjzNEDRaQq4sRDfs3q027rnDxLU&m=MluZR_Lq5a0pPtOi3Req6Md1UeKkctbV-mPOCjQsSUU&s=4Z8PWPmO-QMztdwYP9hAotZazIQFlsSUO5SfDxrVjG4&e= ), you're between a rock and a hard place: Invest in a platform that's a potential security threat (it won't get any more updates) or invest in an upgrade.
That out of the way, for most cases, just have an Apache httpd in front of tomcat and use its magic to tag most of your headers. For many it will be static configuration. If there's anything dynamic that you need, implement a servlet filter that just does the job. Hardcode it - you don't need a lot of configuration if you come up with a solution that's just used within your premises.
If you have multiple web applications that all need the same filter, deploy the filter on all of them.
Olaf
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
________________________________
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
______________________________________________________________________________________
www.accenture.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Security Headers Implementation in Tomcat 6.x version
Posted by Olaf Kock <to...@olafkock.de>.
Am 29.05.2017 um 07:59 schrieb Shaik, Mohammad N.:
> We are using Tomcat 6.x version and we need to implement the following headers in our environment.
>
> Headers:
> 1) Strict-Transport-Security
> 2) Content-Security-Policy
> ....
> 7) X-Robots-Tag
>
> When I checked the Tomcat 6 version webpage (https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see any filters that implement any these headers. Some of them are available in Tomcat 7 version webpage (https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot upgrade to Tomcat 7.x version due to some constraints.
>
> Can you kindly guide me how to implement these headers in Tomcat 6.x version. All your comments on this topic are welcome.
As tomcat 6 is solid out of service for almost half a year already (see
http://tomcat.apache.org/tomcat-60-eol.html), you're between a rock and
a hard place: Invest in a platform that's a potential security threat
(it won't get any more updates) or invest in an upgrade.
That out of the way, for most cases, just have an Apache httpd in front
of tomcat and use its magic to tag most of your headers. For many it
will be static configuration. If there's anything dynamic that you need,
implement a servlet filter that just does the job. Hardcode it - you
don't need a lot of configuration if you come up with a solution that's
just used within your premises.
If you have multiple web applications that all need the same filter,
deploy the filter on all of them.
Olaf
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org