tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Apache TomCat 5.5
Date Wed, 21 Sep 2016 16:44:49 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mary,

On 9/21/16 10:51 AM, Pham, Mary (NIH/OD/ORS) [E] wrote:
> Thank you.  Chris, Chuck, Andre, Mark who had answered and I've
> done this far. My report.
> 
> - I installed the "URL rewrite" module on IIS 7.  To make short,
> it worked.  http to https redirected then enforced hsts on the IIS 
> site. - but broke all the scripts run on Tomcat due to Strick
> Transport Security when HTTPS. - so I have to disable in/outbound
> of URL rewrite.
> 
> Back to square one.  We will not be able to upgrade Tomcat at this
> time.

So you have several requirements, here:

1. Stay on Tomcat 5.5
2. Implement HSTS
3. Have your scripts all work

It sounds like #2 and #3 conflict, since evidently HSTS "broke all the
scripts to run on Tomcat".

Your only option is to fix your application so that it will work with
HSTS enabled.

Upgrading Tomcat doesn't really have any bearing on any of this, since
you could upgrade Tomcat and still not enable HSTS.

- -chris

> -----Original Message----- From: Christopher Schultz
> [mailto:chris@christopherschultz.net] Sent: Thursday, September 15,
> 2016 11:01 AM To: Tomcat Users List <users@tomcat.apache.org> 
> Subject: Re: Apache TomCat 5.5
> 
> André,
> 
> On 9/14/16 7:04 PM, André Warnier (tomcat) wrote:
>> Mary, have a look here : 
>> http://tomcat.apache.org/whichversion.html Tomcat 5.5 was first 
>> released about 10 years ago, and the last modification to it was
>> in 2012. The current "stable" version is Tomcat 8.5.5.
> 
>> For Open Source and free software such as Apache Tomcat, that
>> means that your chances of getting support and help for such an
>> old version are really not good, because most of the people which
>> would be able to help you probably do not run that version
>> anywhere anymore. Even the documentation is not directly
>> available on-line anymore.
> 
>> Regarding your particular issue, it is even possible that the 
>> requirement which you are mentioning is younger than Tomcat 5.5
>> and cannot be met by such an old software version. It is even
>> likely that, considering the age of your Tomcat and the age of
>> the Java JVM it is probably running under, there are a whole lot
>> of other security issues with your server, which make it
>> impossible to make it "secure as the government requires".
> 
>> What I am saying is that you are probably wasting your time, and
>>  ultimately your employer's time, with this approach.
> 
>> You seem to mention below that you are using Tomcat "with IIS". 
>> Maybe this IIS is a front-end to Tomcat, and users access Tomcat
>>  always through IIS. If so, then as long as the connection
>> between IIS and Tomcat is secure (e.g. they run on the same
>> host), then you should probably take care of the SSL/HTTPS (and
>> header) aspect on the IIS front-end. That is, if you /really/
>> cannot upgrade Tomcat and if your applications /really/ do not
>> run under a newer version of Tomcat and Java.
> 
> HSTS is just an HTTP header thing. It can be deployed on any
> version of anything basically back until the beginning of (HTTP)
> time.
> 
> It's slightly easier to do with more recent Tomcats because of the
> inclusion of both the HTTP Header Security Filter[1] and the
> rewrite valve[2] (oddly not mentioned in the "Valves" section of
> the "Configuration" reference), but anyone can write a simple
> Filter and add it to their web application to add these headers. In
> fact, I wouldn't surprised if Tomcat's HTTP Header Security Filter
> included with Tomcat 8+ would work just fine on Tomcat 5.5. You
> just need to grab the code, compile it, and drop it into your own
> application.
> 
> Since you mentioned IIS, I think you're right that IIS is probably
> a better place to configure these HSTS headers.
> 
> Mary, ultimately, Tomcat 5.5 should definitely be upgraded to
> Tomcat 8 or later. You should take your web application and deploy
> it on Tomcat 8.0 or Tomcat 8.5 in a testing environment and just
> see what happens. You might be surprised: it will probably with
> right away without any modifications.
> 
> Hope that helps, -chris
> 
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2]
> http://tomcat.apache.org/tomcat-8.0-doc/rewrite.html
> 
> ---------------------------------------------------------------------
>
> 
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> ---------------------------------------------------------------------
>
> 
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJX4rkBAAoJEBzwKT+lPKRYa6cP/jtLjcSwgDchFVib86/5NJ1z
b4Sb6v0M+0XXTej5FUBe7YUWpBSsuwl/XqOwvuqP+JtPaUMHLdUIK4S3MEw6r1UT
ap/xXqneQK+U9lZEloMWpvCcXKfxKVrhx4ZsOqNWOS4KqHTklcnJmtqFpdmgvPdq
dfkszeP+WAGF/ojC8SUSYpZlYtzqvKjS3OLiMnk2DM/vxfx1bM9rlE4vTBhKnigS
jaj1VPH/q0IlxflVqw9nua5imvqCJ0Ptdz4eOrMeRCKhpLqVfnRBxowZ2A7bNXBk
ls23UmdgKrgUVGkrEuvsdZYESYLU4Ij8C+rsJxE+sWPxWEBJTuu0qKLR9q41wLWQ
0aovoRJS9gmsDTzByoGZCDZimBEKDM8AKmlKHNdtK4J6fGMNOmzMuuVc+wLKL4P6
s5RBI3haI4TTJxrWkaznvGG4BQbKAqbZ7M0Uct/xivbqo1XoMwJsHw89scW+SPd/
N/b9KdQkr7LBOq6D3n1G7AgHPC/0MwUVL6IfSN7ycT5eepky98Q2UGKi8hm7npTD
1/jEgQOATQCYs91cyM8yZB30Tdfi9/SUG7y/aEvsXFbOZWK2v5C1TB8/CAUY0Ayo
R/3/PK3V/iM+4Yw1Tf4t7Jn6T2I+vMvuyMGzqm4BKKi2/GbgnaNnv9L0HbhSZZtI
d3/B5DfASBU69cr3j6Ue
=gDm3
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message