Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/11/10 10:23:55 UTC

[tomcat] branch 7.0.x updated: Add HTTP header security filter to manager, host manager and examples

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/7.0.x by this push:
     new 7bbd7bc  Add HTTP header security filter to manager, host manager and examples
7bbd7bc is described below

commit 7bbd7bccae16be994ce3fcc5a6e57edb129ea7df
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Nov 10 10:21:04 2020 +0000

    Add HTTP header security filter to manager, host manager and examples
---
 webapps/docs/changelog.xml           |  4 ++++
 webapps/examples/WEB-INF/web.xml     | 18 ++++++++++++++++++
 webapps/host-manager/WEB-INF/web.xml | 17 +++++++++++++++++
 webapps/manager/WEB-INF/web.xml      | 17 +++++++++++++++++
 4 files changed, 56 insertions(+)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 035f086..72da323 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -122,6 +122,10 @@
         <bug>64797</bug>: Align manager.xml template file in Host-Manager with
         context.xml of real Manager web application. (isapir)
       </fix>
+      <add>
+        Configure the examples, Manager and Host Manager to use the HTTP header
+        security filter with default settings apart from no HSTS header. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Other">
diff --git a/webapps/examples/WEB-INF/web.xml b/webapps/examples/WEB-INF/web.xml
index 65a34de..07f7590 100644
--- a/webapps/examples/WEB-INF/web.xml
+++ b/webapps/examples/WEB-INF/web.xml
@@ -77,6 +77,18 @@
         </init-param>
     </filter>
 
+    <!-- Configured to set X-FRAME-OPTIONS. Disable HSTS in case it          -->
+    <!-- interferes with an existing setting. Keep X-Content-Type-Options    -->
+    <!-- and X-XSS-Protection as they are page specific.                     -->
+    <filter>
+        <filter-name>HTTP header security filter</filter-name>
+        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+        <init-param>
+            <param-name>hstsEnabled</param-name>
+            <param-value>false</param-value>
+        </init-param>
+    </filter>
+
     <!-- Define filter mappings for the timing filters -->
     <!--
     <filter-mapping>
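Review bot: The header comment on the new filter definition does not explain what it means to "keep" X-Content-Type-Options and X-XSS-Protection "as they are page specific", so a reader cannot tell whether those two headers are being enabled, left at defaults, or suppressed, nor what the contrast with HSTS is. The distinction the author appears to be drawing is that HSTS is a host-wide policy that a single web application should not impose, whereas the other three headers are set per response and are safe to emit from here; I would say that directly: `<!-- HSTS is a host-wide policy, so it is disabled here rather than risk overriding one configured elsewhere; X-Frame-Options, X-Content-Type-Options and X-XSS-Protection apply per response, so the filter defaults for them are kept. -->`. The same wording appears verbatim in the Manager and Host Manager web.xml files in this commit and would benefit from the same rewrite.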
@@ -108,6 +120,12 @@
     </filter-mapping>
 -->
 
+    <!-- Enable header security filter for all requests -->
+    <filter-mapping>
+        <filter-name>HTTP header security filter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
     <!-- Define example application events listeners -->
     <listener>
         <listener-class>listeners.ContextListener</listener-class>
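Review bot: The new `/*` filter-mapping declares no `<dispatcher>` children, so it applies to the REQUEST dispatch only; responses produced via a FORWARD, INCLUDE or ERROR dispatch carry the headers only insofar as the headers written on the original request's response survive, which I have not verified for the container's error-page handling. If the comment's intent — security headers on every response — is meant to hold for error pages too, it is worth confirming that and, if needed, adding `<dispatcher>REQUEST</dispatcher>` and `<dispatcher>ERROR</dispatcher>` to this mapping. The same question applies to the identical mappings added to the Manager and Host Manager.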
diff --git a/webapps/host-manager/WEB-INF/web.xml b/webapps/host-manager/WEB-INF/web.xml
index 30f319b..30107ae 100644
--- a/webapps/host-manager/WEB-INF/web.xml
+++ b/webapps/host-manager/WEB-INF/web.xml
@@ -69,11 +69,28 @@
     </init-param>
   </filter>
 
+  <!-- Configured to set X-FRAME-OPTIONS. Disable HSTS in case it interferes -->
+  <!-- with an existing setting. Keep X-Content-Type-Options and             -->
+  <!-- X-XSS-Protection as they are page specific.                           -->
+  <filter>
+    <filter-name>HTTP header security filter</filter-name>
+    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+    <init-param>
+      <param-name>hstsEnabled</param-name>
+      <param-value>false</param-value>
+    </init-param>
+  </filter>
+
   <filter-mapping>
     <filter-name>CSRF</filter-name>
     <servlet-name>HTMLHostManager</servlet-name>
   </filter-mapping>
 
+  <filter-mapping>
+    <filter-name>HTTP header security filter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+
   <!-- Define the Manager Servlet Mapping -->
   <servlet-mapping>
     <servlet-name>HostManager</servlet-name>
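Review bot: The new `/*` mapping is declared after the CSRF mapping but will run before it: the Servlet specification orders url-pattern filter mappings ahead of servlet-name mappings regardless of declaration order, so the header filter wraps the CSRF filter rather than following it. That is the desirable order here, since the filter writes its headers before delegating down the chain, so they should also be on the 403 the CSRF filter produces (assuming the error path preserves headers already set, which I have not checked), but a reader of this web.xml would reasonably infer the opposite from the text order. A short comment on the mapping would prevent that misreading: `<!-- Mapped by url-pattern, so per the Servlet spec this runs before the servlet-name CSRF mapping above; its headers are set before the CSRF filter can reject the request -->`.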
diff --git a/webapps/manager/WEB-INF/web.xml b/webapps/manager/WEB-INF/web.xml
index a47162e..f500899 100644
--- a/webapps/manager/WEB-INF/web.xml
+++ b/webapps/manager/WEB-INF/web.xml
@@ -113,11 +113,28 @@
     </init-param>
   </filter>
 
+  <!-- Configured to set X-FRAME-OPTIONS. Disable HSTS in case it interferes -->
+  <!-- with an existing setting. Keep X-Content-Type-Options and             -->
+  <!-- X-XSS-Protection as they are page specific.                           -->
+  <filter>
+    <filter-name>HTTP header security filter</filter-name>
+    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+    <init-param>
+      <param-name>hstsEnabled</param-name>
+      <param-value>false</param-value>
+    </init-param>
+  </filter>
+
   <filter-mapping>
     <filter-name>CSRF</filter-name>
     <servlet-name>HTMLManager</servlet-name>
   </filter-mapping>
 
+  <filter-mapping>
+    <filter-name>HTTP header security filter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+
   <!-- Define a Security Constraint on this Application -->
   <!-- NOTE:  None of these roles are present in the default users file -->
   <security-constraint>
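Review bot: The Manager relies on the filter's built-in defaults for everything but HSTS, so the actual X-Frame-Options value it will send appears nowhere in this file; for the most privileged application shipped with the container I would pin it rather than inherit it, so that a later change to the filter's defaults or an operator auditing this web.xml cannot miss it: add `<init-param><param-name>antiClickJackingOption</param-name><param-value>DENY</param-value></init-param>` alongside the `hstsEnabled` parameter. DENY is the right value here, since nothing in the Manager needs to be rendered inside a frame. If inheriting the defaults is deliberate, a comment naming the headers that result would serve the same purpose.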

