tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Apache TomCat 5.5
Date Thu, 15 Sep 2016 15:00:38 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

André,

On 9/14/16 7:04 PM, André Warnier (tomcat) wrote:
> Mary, have a look here :
> http://tomcat.apache.org/whichversion.html Tomcat 5.5 was first
> released about 10 years ago, and the last modification to it was in
> 2012. The current "stable" version is Tomcat 8.5.5.
> 
> For Open Source and free software such as Apache Tomcat, that means
> that your chances of getting support and help for such an old
> version are really not good, because most of the people which would
> be able to help you probably do not run that version anywhere
> anymore. Even the documentation is not directly available on-line
> anymore.
> 
> Regarding your particular issue, it is even possible that the 
> requirement which you are mentioning is younger than Tomcat 5.5
> and cannot be met by such an old software version. It is even
> likely that, considering the age of your Tomcat and the age of the
> Java JVM it is probably running under, there are a whole lot of 
> other security issues with your server, which make it impossible to
> make it "secure as the government requires".
> 
> What I am saying is that you are probably wasting your time, and 
> ultimately your employer's time, with this approach.
> 
> You seem to mention below that you are using Tomcat "with IIS".
> Maybe this IIS is a front-end to Tomcat, and users access Tomcat
> always through IIS. If so, then as long as the connection between
> IIS and Tomcat is secure (e.g. they run on the same host), then you
> should probably take care of the SSL/HTTPS (and header) aspect on
> the IIS front-end. That is, if you /really/ cannot upgrade Tomcat
> and if your applications /really/ do not run under a newer version
> of Tomcat and Java.

HSTS is just an HTTP header thing. It can be deployed on any version
of anything basically back until the beginning of (HTTP) time.

It's slightly easier to do with more recent Tomcats because of the
inclusion of both the HTTP Header Security Filter[1] and the rewrite
valve[2] (oddly not mentioned in the "Valves" section of the
"Configuration" reference), but anyone can write a simple Filter and
add it to their web application to add these headers. In fact, I
wouldn't surprised if Tomcat's HTTP Header Security Filter included
with Tomcat 8+ would work just fine on Tomcat 5.5. You just need to
grab the code, compile it, and drop it into your own application.

Since you mentioned IIS, I think you're right that IIS is probably a
better place to configure these HSTS headers.

Mary, ultimately, Tomcat 5.5 should definitely be upgraded to Tomcat 8
or later. You should take your web application and deploy it on Tomcat
8.0 or Tomcat 8.5 in a testing environment and just see what happens.
You might be surprised: it will probably with right away without any
modifications.

Hope that helps,
- -chris

[1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
[2] http://tomcat.apache.org/tomcat-8.0-doc/rewrite.html
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJX2reWAAoJEBzwKT+lPKRYp7MQAJ6nRq3m47o2BEX6nwTBNFFb
lcOfn/2L0dTfhESp/7EHqAcJaTvCHT6JH+RKplQ4gito4cJ8F2tp0HBiLRNukxjB
dxnZL7q5j6Z/41vrLMWX94WI4zz1PMqlhrEMI0/pEtRQFx07h0aE7WLp4CY6JMTl
dCGcuqkEgzNmjL1se+3+Aj3uVd0QAYESfT24AbLK0MHyrkmtIhRfr8W03C/ouD8M
9xcZ9f9BemvneI2zwiUelXaTvE4sCkPf3ULp/xw0MNYGLgl6VS8yByt1KwQsFzal
YPK+UL+k/JK6sxvGpsVLTvmY6StWYXOJZzp4C38YHxj7L5exDpDc/gCAClGm5kM/
uS1vVLL8jlkxby6k3mk5eU43M/HZkgAL+3FNjYCOcnvlsyJKsvQ9qai7Mal2N1Zt
jolFNDZCxWxfXLBPM/BLnfaYTYS6FXWZmAT5QrbnqAoxG9iKWsiMloPym8xdO36+
vIxOeNevWZif7MbpRUw84oOtcCAm1aZcyjXjwxQwWNciczocZg8d3DSJY53wqcrL
nAx5zVbxE5h3nBKSuuNl3s1WGXf7hySYxWyCg7Ya67EsGGeDT1rlLaotXI8PdKOL
qB32fz6PRJZspxJDefQGSHWrjq3gBAqeNFzp/3vj9tmvdCDkdzT0xNJH9s/6YGVE
7whnGB6jlseII/fYe6s1
=hetE
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message