Dear Harrie,
We have already implemented the said configuration of filter.
Still we are unable to implement HSTS.
This configuration works absolutely fine on Tomcat running on
Windows, but in the case of Unix we aren't able to achieve HSTS.
Below are the steps followed by us:
We have downloaded latest tomcat tar.gz from tomcat website,
Deployed our application on it,
Made the above changes in conf\web.xml and then started Tomcat. No error till
this point.
When I started VA testing on the server I get the below error:
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character (CR or LF) found in method name
        at org.apache.coyote.http11.AbstractNioInputBuffer.parseRequestLine(AbstractNioInputBuffer.java:228)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1010)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
And then the VA test results show that HSTS is not configured.
Please note that we followed the above steps for Tomcat on Windows and
everything is absolutely fine, and even the results of the VA test don't contain
HSTS information.
Any help is greatly appreciated.
From: "Harrie Robins" <[email protected]>
To: "'Tomcat Users List'" <[email protected]>
Date: 08-02-2016 20:51
Subject: RE: HSTS missing from HTTPS server on tomcat 8.0.27
Hello!
Missing HSTS is not a vulnerability; as Mark pointed out, it is a feature.
In your web.xml:
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>hstsIncludeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>
This will NOT activate HSTS for your application; you will need to add this
mapping as well (edit to needs and add to application):
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
Regards,
Harrie
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday 8 February 2016 15:50
To: 'Tomcat Users List' <[email protected]>
Subject: HSTS missing from HTTPS server on tomcat 8.0.27
Hi,
We are unable to fix the vulnerability of "HSTS missing from HTTPS server"
on apache tomcat 8.0.27 while running on unix operating system. Below is
the system configuration:
OS Name: HP-UX
OS Version: B.11.31
Architecture: IA64N
Java Home: /opt/java8/jre
JVM Version: 1.8.0.04-hp-ux-b2
JVM Vendor: Hewlett-Packard Company
We have uncommented the httpHeaderSecurity in the filter tag of the conf/web.xml
file, but still the vulnerability exists. We have also tried with Apache
Tomcat 8.0.30, but in vain.
Any help to fix this vulnerability is appreciated.
Thanks & Regards
Deepak Kumar
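A check for exactly the mistake Harrie describes (a declared filter that no filter-mapping references), as an added example that is not from the thread or from Tomcat itself: it parses a web.xml with Python's standard library and reports whether HttpHeaderSecurityFilter is declared, whether hstsEnabled is turned off, and whether any filter-mapping points at it. The two web.xml strings are constructed samples, and the function names are my own.

```python
import xml.etree.ElementTree as ET

HSTS_FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

def _local(tag):
    # Drop the namespace a web.xml declares: "{http://...}filter" -> "filter"
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    # Text of the first direct child element called `name`, or None
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None

def check_hsts_config(web_xml):
    # Report whether the filter is declared, has hstsEnabled, and is mapped
    root = ET.fromstring(web_xml)
    result = {"filter_declared": False, "hsts_enabled": False, "mapped": False}
    names = set()
    for elem in root:
        if _local(elem.tag) != "filter" or _child_text(elem, "filter-class") != HSTS_FILTER_CLASS:
            continue
        result["filter_declared"] = True
        names.add(_child_text(elem, "filter-name"))
        enabled = True  # the filter's documented default when the init-param is absent
        for param in elem:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "hstsEnabled":
                enabled = (_child_text(param, "param-value") or "").lower() == "true"
        result["hsts_enabled"] = enabled
    # A <filter> that no <filter-mapping> references never runs, so no header is ever sent
    for elem in root:
        if _local(elem.tag) == "filter-mapping" and _child_text(elem, "filter-name") in names:
            result["mapped"] = True
    result["ok"] = all((result["filter_declared"], result["hsts_enabled"], result["mapped"]))
    return result

# Constructed sample: Harrie's <filter> block present, but no <filter-mapping>
FILTER_ONLY = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>"""
# Same constructed file with the mapping Harrie asked for added
WITH_MAPPING = FILTER_ONLY.replace("</web-app>", """  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>""")
```

Run it over a real file with `check_hsts_config(open(path).read())` for both conf/web.xml and the application's WEB-INF/web.xml. Even with the mapping in place the filter only adds Strict-Transport-Security when Tomcat sees the request as secure (`request.isSecure()`), so a scan against a plain-HTTP port or a connection whose TLS was terminated by a proxy will still report the header missing.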