Hi Chris,

I got the source files (.java) of the filter classes that I was looking for.

Should we compile the source file against the servlet JAR file(s) present in "[Tomcat]\lib\" or "[Tomcat]\webapps\ApplicationName\WEB-INF\lib"? I see there are multiple JAR files in both these locations. How do we locate the exact JAR file which should be used to compile the source files?

My understanding is that as long as you have your code (.class files) in any of the JAR files under the "lib" folder, the system would get it. You don't need to have specific code in a specific JAR file. Code from all the JAR files under the lib folder is considered as one big code base, and based on the class invoked, its corresponding code gets executed from that one big code base. Please correct me if this is not right.

Also, should we include the filters in the web.xml file under the "[Tomcat]\conf\" folder or under the "WEB-INF" folder of my application?

Regards,
Mohammad

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 30 May 2017 21:06
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version

Mohammad,

On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> Thanks for the valuable input, that helps!! We shall go with getting the source package of Tomcat 7, put them in Tomcat 6 and use the filters of Tomcat 7 in Tomcat 6.
>
> Can you please let me know from where I can get/download the source package of Tomcat 7? Also can you please share the location of the source package in Tomcat 6 so that we can replace it with the one from Tomcat 7?

The source download for Tomcat 7 is in the same place all the other downloads are.

You will not need the source for Tomcat 6, nor will you need to build the complete source-to-binary for Tomcat 7. Just grab the source, take the classes you need, and compile them against the servlet JAR you already have for Tomcat 6.

Feel free to re-name the packages if they are awkward for you to compile/install and then just reference the new class names in your application/server.

Remember to watch for patches to those source files in Tomcat 7 in case they include e.g. security updates -- you'll want to apply those same updates to the code you have taken from Tomcat 7.

A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is backward-compatible with all spec-compliant applications, though it does behave differently sometimes as the Servlet Experts Group has clarified certain questions or added new capabilities (like annotation-processing). I recommend a long period of testing with a new version of Tomcat, but I also recommend that you begin that testing as soon as possible. Tomcat 6 will probably receive *no further updates, security or otherwise*, even if a vulnerability is found.

-chris

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 29 May 2017 20:57
> To: users@tomcat.apache.org
> Subject: Re: Security Headers Implementation in Tomcat 6.x version
>
> Mohammad,
>
> On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
>> Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 6 server, since our header configuration is going to be static.
>
> This might not be a bad idea for a number of reasons, but it is by no means required.
>
> You can download the Tomcat 7 source package and use the security filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that actually requires Tomcat 7 to run.
>
>> Can you please help us in identifying which version of Apache HTTP Server we can use for Tomcat 6 version? Also, it will be great if you can share some guidelines on how to implement Apache in front of Tomcat.
>
> All supported versions of Apache web server work with all supported versions of Tomcat (as well as Tomcat 6).
>
> You have several choices for how to connect them together, but the most straightforward is to use mod_proxy_http from httpd to Tomcat.
>
> Tomcat behaves exactly as it did before and requires no additional configuration unless you are moving TLS termination from Tomcat to httpd. If that's the case, there are many guides on the web as well as on Tomcat's Presentations Page[2] that document how to do that.
>
> Hope that helps,
> -chris
>
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
> [2] http://tomcat.apache.org/presentations.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
> ________________________________
>
> This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
> ______________________________________________________________________________________
>
> www.accenture.com