Hi James,
see below:
On 2019-10-21 23:34, James H. H. Lampert wrote:
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
</filter>
Mark mentioned it before: that can also go into your app's web.xml, and
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
</filter>
In the filter mapping section of the web.xml add the following.
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
Before I installed the above filte
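To confirm that the filter declared above actually took effect, here is an added Python check that is not part of this thread or of Tomcat itself: it parses a web.xml for a filter using org.apache.catalina.filters.HttpHeaderSecurityFilter, checks its antiClickJackingOption and that it is mapped to /*, and then inspects a captured response's headers for X-Frame-Options. The sample web.xml and the response headers are constructed for the example; the function names (audit_web_xml, check_response_headers) are this example's own.

```python
"""Check that Tomcat's HttpHeaderSecurityFilter is declared and mapped in a
web.xml, and that a response actually carries X-Frame-Options.
Added example (not code from the thread or from Tomcat). Assumes Servlet
web.xml structure and the filter's documented init-param names; the sample
web.xml and response headers below are constructed."""
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
XFO_VALUES = ("DENY", "SAMEORIGIN")  # ALLOW-FROM <uri> is the third option


def _local(tag):
    """Strip an XML namespace prefix: '{uri}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, name):
    """Text of the first direct child named `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_web_xml(web_xml: str) -> list:
    """Return findings; an empty list means the filter is wired up for /*."""
    root = ET.fromstring(web_xml)
    findings = []
    declared = []
    for f in root:
        if _local(f.tag) != "filter":
            continue
        params = {}
        for ip in f:
            if _local(ip.tag) == "init-param":
                params[_text(ip, "param-name")] = _text(ip, "param-value")
        if _text(f, "filter-class") == FILTER_CLASS:
            declared.append((_text(f, "filter-name"), params))
    if not declared:
        return ["HttpHeaderSecurityFilter is not declared"]
    name, params = declared[0]
    # Defaults per the filter's documentation: enabled, option DENY.
    if params.get("antiClickJackingEnabled", "true").lower() != "true":
        findings.append("antiClickJackingEnabled is false: no X-Frame-Options will be sent")
    option = params.get("antiClickJackingOption", "DENY")
    if option not in XFO_VALUES and option != "ALLOW-FROM":
        findings.append(f"unknown antiClickJackingOption {option!r}")
    patterns = [
        _text(m, "url-pattern")
        for m in root
        if _local(m.tag) == "filter-mapping" and _text(m, "filter-name") == name
    ]
    if "/*" not in patterns:
        findings.append(f"filter {name!r} is not mapped to /*; mappings: {patterns}")
    return findings


def check_response_headers(headers: dict) -> list:
    """Findings for a captured response's headers (names matched case-insensitively)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options")
    if xfo is None:
        return ["X-Frame-Options header missing"]
    value = xfo.strip().upper()
    if value not in XFO_VALUES and not value.startswith("ALLOW-FROM "):
        return [f"X-Frame-Options has unexpected value {xfo!r}"]
    return []


# Constructed sample input mirroring the configuration discussed in the thread.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
</web-app>"""

if __name__ == "__main__":
    print(audit_web_xml(SAMPLE_WEB_XML))                              # []
    print(check_response_headers({"X-Frame-Options": "SAMEORIGIN"}))  # []
    print(check_response_headers({"Content-Type": "text/html"}))     # header missing
```

Run the web.xml audit against both $CATALINA_BASE/conf/web.xml and the application's own WEB-INF/web.xml, since either can carry the filter; the header check is meant to be fed the headers of a real response after restart, because a filter that is declared but not mapped, or mapped only to a sub-path, will pass the file check and still leave the scanner finding open.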
Thanks to all who have responded (especially Mr. Schultz), and thanks in
advance to anybody else who responds. It will be a few more days before I can
act on the information. I'm not ignoring any of you; I'm gathering information
so I can solve the problem ASAP upon my return to work from my vac
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
James,
On 10/2/19 01:34, jam...@touchtonecorp.com wrote:
> We have a customer who is particularly concerned about security.
>
> We just updated their Tomcat, which solved all the issues coming up
> in their security scan, except for one involving th
On 02/10/2019 07:05, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Tomcat 7.0.63 and above.
>
> Navigate to the tomcat conf directory and open the web.xml with a text editor.
If you edit $CATALINA_BASE/conf/web.xml that will apply to every web
application deployed on the Tomcat instance. You may
Hi James,
Peter Kreuser
> On 02.10.2019 at 08:05 wrote
> :
>
> Tomcat 7.0.63 and above.
>
> Navigate to the tomcat conf directory and open the web.xml with a text editor.
>
> In the filter section of the web.xml add the following filter
>
>
> httpHeaderSecurity
>
> org.apache.cata
Tomcat 7.0.63 and above.
Navigate to the tomcat conf directory and open the web.xml with a text editor.
In the filter section of the web.xml add the following filter
httpHeaderSecurity
org.apache.catalina.filters.HttpHeaderSecurityFilter
antiClickJackingOption
SAME
> Date: Fri, 12 Jul 2013 13:53:39 +0530
> Subject: Re: Security Issue in Tomcat
> From: pe.chanaka...@gmail.com
> To: users@tomcat.apache.org
>
> Hi Ognjen,
>
> On 12.7.2013 6:51, Chanaka Dharmarathna wrote:
> >
> >> I'm using Tomcat 7.0.40 for hosted
Hi Ognjen,
On 12.7.2013 6:51, Chanaka Dharmarathna wrote:
>
>> I'm using Tomcat 7.0.40 for hosted application. I have not configured any
>> user accounts for tomcat (admin, manager, user etc.). Recently my deployed
>> web application was damaged. Restarting tomcat recovered it back.
>>
>> But it s
Chanaka,
On 12.7.2013 6:51, Chanaka Dharmarathna wrote:
I'm using Tomcat 7.0.40 for hosted application. I have not configured any
user accounts for tomcat (admin, manager, user etc.). Recently my deployed
web application was damaged. Restarting tomcat recovered it back.
But it seems someone tri
2012/9/30 Konstantin Kolinko :
> 2012/9/28 Christopher Schultz :
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Konstantin,
>>
>> On 9/28/12 10:27 AM, Konstantin Kolinko wrote:
>>> 2012/9/28 Joan Morales :
Hi,
I have a security issue (hijack session) with JSESSIONID cookie
2012/9/28 Christopher Schultz :
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Konstantin,
>
> On 9/28/12 10:27 AM, Konstantin Kolinko wrote:
>> 2012/9/28 Joan Morales :
>>> Hi,
>>>
>>> I have a security issue (hijack session) with JSESSIONID cookie,
>>>
>>> here is the problem:
>>>
>>> I am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Joan,
On 9/28/12 1:27 PM, Joan Morales wrote:
> I already try with AJP, but I cant get rid of the JSESSIONID cookie
> either
Can you please describe your configuration for that scenario again?
Your original description was a bit hard to follow.
- -c
Hi Cris,
I already try with AJP, but I cant get rid of the JSESSIONID cookie either
Regards,
--
Joan Morales
On 28/09/2012, at 19:11, Christopher Schultz
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Konstantin,
>
> On 9/28/12 10:27 AM, Konstantin Kolinko wrote:
>> 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Konstantin,
On 9/28/12 10:27 AM, Konstantin Kolinko wrote:
> 2012/9/28 Joan Morales :
>> Hi,
>>
>> I have a security issue (hijack session) with JSESSIONID cookie,
>>
>> here is the problem:
>>
>> I am using an architecture with an Apache2 server i
Hi Joan,
"cookie", from my understanding, uses the
SSL session-ID as the cookie-value in the Tomcat container. This value
will be different from what Apache assigns on the front-end SSL connection
to the browser (as Konstantin pointed out). With tracking-mode COOKIE, I
believe, a JSESSIONID cook
I put the SSL because I thought it was necessary to handle
the SSL on TC; anyway, I'll change it to COOKIE and see what happens.
Another couple of ideas were to use a Valve for SSL on TC or enable the
mod_header on Apache, but any idea on how this would help?
Thanks,
Joan
--
Joan Morales
Hi Joan,
What happens when you change the web.xml settings to:
--web.xml:
<session-config>
  <session-timeout>30</session-timeout>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
--
Thanks.
-Shanti
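As an added example (not code from this thread or from Tomcat), the following Python audit covers the two things the JSESSIONID discussion turns on: which tracking mode and cookie flags a web.xml <session-config> sets, and whether the JSESSIONID cookie a server actually emits carries Secure and HttpOnly. The web.xml fragments and the Set-Cookie values are constructed; the finding about SSL tracking mode behind a TLS-terminating Apache encodes Konstantin's point above as an assumption of the check, and the function names are this example's own.

```python
"""Audit Tomcat session-cookie hardening for an app fronted by Apache.
Added example (not code from the thread or from Tomcat). Assumes a
Servlet 3.0+ web.xml <session-config> and RFC 6265 Set-Cookie syntax.
The web.xml fragments and the Set-Cookie values below are constructed."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace prefix: '{uri}session-config' -> 'session-config'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of `elem` whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def audit_session_config(web_xml: str) -> list:
    """Return findings about <session-config>; an empty list means hardened."""
    root = ET.fromstring(web_xml)
    findings = []
    configs = _children(root, "session-config")
    if not configs:
        return ["no <session-config>: tracking mode and cookie flags are container defaults"]
    sc = configs[0]
    modes = {(m.text or "").strip() for m in _children(sc, "tracking-mode")}
    if "URL" in modes:
        findings.append("URL tracking enabled: session id leaks via Referer and logs")
    if "SSL" in modes:
        # Assumption taken from the thread: with TLS terminated on Apache, the
        # TLS session id Tomcat sees is not the browser's, so SSL tracking
        # cannot bind the HTTP session to the client's TLS session.
        findings.append("SSL tracking mode: only meaningful when TLS terminates at Tomcat")
    flags = {}
    cookie_cfg = _children(sc, "cookie-config")
    if cookie_cfg:
        for c in cookie_cfg[0]:
            flags[_local(c.tag)] = (c.text or "").strip().lower()
    if flags.get("secure") != "true":
        # Behind a proxy that speaks plain HTTP to Tomcat, the request is not
        # secure from Tomcat's point of view, so it will not add Secure on its own.
        findings.append("cookie-config/secure is not true: JSESSIONID may be sent over http://")
    if flags.get("http-only") != "true":
        findings.append("cookie-config/http-only is not explicitly true (relying on container default)")
    return findings


def audit_set_cookie(set_cookie_headers: list) -> list:
    """Flag JSESSIONID cookies a server actually issued without Secure/HttpOnly."""
    findings = []
    for raw in set_cookie_headers:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        if name != "JSESSIONID":
            continue
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append("JSESSIONID issued without Secure")
        if "httponly" not in attrs:
            findings.append("JSESSIONID issued without HttpOnly")
    return findings


# Constructed inputs: a hardened and a weak <session-config>.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""

WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
    <tracking-mode>SSL</tracking-mode>
  </session-config>
</web-app>"""

if __name__ == "__main__":
    print(audit_session_config(HARDENED_WEB_XML))  # []
    print(audit_session_config(WEAK_WEB_XML))      # SSL mode, secure, http-only findings
    print(audit_set_cookie(["JSESSIONID=0123ABCD; Path=/app; HttpOnly"]))  # missing Secure
```

The second function is the one to trust: feed it the Set-Cookie values from a real response through the Apache front end, because the cookie the browser receives is what an attacker on the path can replay, regardless of what web.xml says.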
On Fri, Sep 28, 2012 at 10:58 AM, Konstantin Kolinko wrote:
> 2012/9/28 Martin Gainty :
> >
> > that is NOT what
2012/9/28 Martin Gainty :
>
> that is NOT what the op asked for
>
> if the OP is implementing ssl via her FE Apache then she needs to implement
> and config mod-ssl on that FE apache server
>
> You need to Understand what the op environment is before criticising the
> solution
> Martin
The OP as
information and has no legally binding effect.
Because e-mails can easily be manipulated, we accept no liability
for their content.
> Date: Fri, 28 Sep 2012 20:52:14 +0800
> Subject: RE: Security issue regarding JSESSIONID cookie
> From: malibo8...@gmail
2012/9/28 Joan Morales :
> Hi,
>
> I have a security issue (hijack session) with JSESSIONID cookie,
>
> here is the problem:
>
> I am using an architecture with an Apache2 server in front of Tomcat, I
> have configured the SSL in both sides Apache(ssl_module) and
> Tomcat(Conectors JSSE),
>
> 1)
Yes, just use all the static configuration on the Apache servers, including
requests via 80 and 443, and afterward redirect them to the backend (your
Tomcat server). I think what you mentioned about the SSL configuration
should be okay.
On 2012-9-28 3:18 PM, "Joan Morales" wrote:
> I understand what you say, but
I understand what you say, but I need to go through Apache to get into my
Tomcat, and if I just implement a "redirect" to port :8443, Apache tells me
that I need to use a SSLCertificateKeyFile. How can I configure Apache as a
proxy to Tomcat without specifying a SSLCertificateKeyFile?
Actually, there is no need to configure SSL on both Apache and Tomcat. Just
one side is okay, Apache or Tomcat.
On 2012-9-28 2:01 PM, "Martin Gainty" wrote:
>
> you'll need to configure Apache mod_ssl to implement either Basic or
> SSLRequire authentication
> http://httpd.apache.org/docs/2.2/ssl/ssl_ho
you'll need to configure Apache mod_ssl to implement either Basic or SSLRequire
authentication
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#arbitraryclients
with regards to external hosts i would suggest you deny all and allow secure
access to only TC host to the secure folder of apache
Frank Peters wrote:
> Hi,
>
> I found the following security issue at security focus:
>
> http://www.securityfocus.com/bid/19106/info
>
> In my opinion, this issue is fixed with #37150 in 5.5.13 because directory
> listing is disabled by default, isn't it?
>
> Regards
> Frank
In short, yes.