Mohammad,

On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> Thanks for the valuable input, that helps!! We shall go with
> getting the source package of Tomcat 7, put them in Tomcat 6 and
> use the filters of Tomcat 7 in Tomcat 6.
>
> Can you please let me know from where I can get/download the
> source package of Tomcat 7? Also can you please share the location
> of the source package in Tomcat 6 so that we can replace it with
> the one from Tomcat 7?

The source download for Tomcat 7 is in the same place all the other
downloads are.

You will not need the source for Tomcat 6, nor will you need to build
the complete source-to-binary for Tomcat 7. Just grab the source, take
the classes you need, and compile them against the servlet JAR you
already have for Tomcat 6. Feel free to re-name the packages if they
are awkward for you to compile/install and then just reference the new
class names in your application/server.

Remember to watch for patches to those source files in Tomcat 7 in
case they include e.g. security updates -- you'll want to apply those
same updates to the code you have taken from Tomcat 7.

A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is
backward-compatible with all spec-compliant applications, though it
does behave differently sometimes as the Servlet Experts Group has
clarified certain questions or added new capabilities (like
annotation-processing). I recommend a long period of testing with a
new version of Tomcat, but I also recommend that you begin that
testing as soon as possible. Tomcat 6 will probably receive *no
further updates, security or otherwise*, even if a vulnerability is
found.

-chris

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 29 May 2017 20:57
> To: users@tomcat.apache.org
> Subject: Re: Security Headers Implementation in Tomcat 6.x version
>
> Mohammad,
>
> On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
>> Based on your inputs, we are thinking to put Apache httpd in
>> front of Tomcat 6 server, since our header configuration is going
>> to be static.
>
> This might not be a bad idea for a number of reasons, but it is by
> no means required.
>
> You can download the Tomcat 7 source package and use the security
> filters from Tomcat 7[1] in Tomcat 6: there is nothing in there
> that actually requires Tomcat 7 to run.
>
>> Can you please help us in identifying which version of Apache
>> HTTP Server we can use for Tomcat 6 version? Also, it will be
>> great if you can share some guidelines on how to implement Apache
>> in front of Tomcat.
>
> All supported versions of Apache web server work with all
> supported versions of Tomcat (as well as Tomcat 6). You have
> several choices for how to connect them together, but the most
> straightforward is to use mod_proxy_http from httpd to Tomcat.
> Tomcat behaves exactly as it did before and requires no additional
> configuration unless you are moving TLS termination from Tomcat to
> httpd. If that's the case, there are many guides on the web as well
> as on Tomcat's Presentations Page[2] that document how to do that.
>
> Hope that helps,
> -chris
>
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
> [2] http://tomcat.apache.org/presentations.html
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
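
For a static header set like the one discussed in this thread, a filter written against the Servlet 2.5 API that Tomcat 6 provides can be quite small. This is an added example, not part of the original messages and not the Tomcat 7 filter code; the package, class name, init-param name and header values are assumptions chosen for illustration.

```java
// Added example, not Tomcat code. Servlet 2.5 has no @WebFilter, so register in WEB-INF/web.xml:
//   <filter>
//     <filter-name>securityHeaders</filter-name>
//     <filter-class>com.example.security.StaticSecurityHeadersFilter</filter-class>
//     <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
//   </filter>
//   <filter-mapping><filter-name>securityHeaders</filter-name><url-pattern>/*</url-pattern></filter-mapping>
package com.example.security; // hypothetical package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class StaticSecurityHeadersFilter implements Filter {
    private String hstsValue; // null means HSTS is not sent

    public void init(FilterConfig config) throws ServletException {
        String maxAge = config.getInitParameter("hstsMaxAgeSeconds"); // param name chosen for this example
        if (maxAge == null) return;
        try {
            long seconds = Long.parseLong(maxAge.trim());
            if (seconds < 0) throw new NumberFormatException("negative");
            hstsValue = "max-age=" + seconds;
        } catch (NumberFormatException e) {
            // Fail deployment loudly rather than silently running without the header.
            throw new ServletException("hstsMaxAgeSeconds must be a non-negative integer", e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Set headers before the chain runs: once the response is committed they are dropped.
            http.setHeader("X-Frame-Options", "DENY");
            http.setHeader("X-Content-Type-Options", "nosniff");
            // isSecure() is false when TLS terminates at a proxy unless the connector says otherwise.
            if (hstsValue != null && req.isSecure()) {
                http.setHeader("Strict-Transport-Security", hstsValue);
            }
        }
        chain.doFilter(req, res);
    }
    public void destroy() { } // nothing to release
}
```

Compile it against the servlet API JAR shipped with Tomcat 6 and place the class under WEB-INF/classes of the application.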