tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier (tomcat)>
Subject Re: security headers
Date Thu, 02 Nov 2017 13:35:46 GMT
You seem to be responding on the wrong thread, but here are some answers anyway
(will save Christopher some typing)

On 02.11.2017 13:55, Cheltenham, Chris wrote:
> Mr. Shultz,
> I really appreciate your detailed answers.
> Helps me out a lot.
> I am now thinking big picture because my application does not require APR..
> May I ask this , what exactly does APR give me for apache-tomcat?

APR stands for "Apache Portable Run-time".
Here is one explanation :

It is a software library, containing a series of functions which are often used by Apache

Foundation programs of all kinds (not only tomcat), particularly in what regards network 
interfaces and protocols.
The people who make this APR, make sure that it is available for many platforms (Windows,

Liux etc.), and that it is really optimised for each of these different platforms.

To access the network, tomcat can do it in 2 different ways :
1) by using standard Java functions, which always work, but are not particularly optimised

for any platform
2) if APR is available, then tomcat can use instead, some calls which exist in the APR 
library, and which may be more optimised fo the current platform on which it is running

When tomcat starts, it will check if APR is available. If yes, tomcat will use it, because

it is probably a bit faster than the Java alternative.
If APR is not available, tomcat will use the standard Java functions, which are maybe a 
bit slower.
And just to let you know that, it will print a friendly message to the log, to let you 
know that maybe this is not the most optimal solution, in terms of ultimate tomcat 
performance.  But this is just an informational message, and you can decide to ignore it,

and run tomcat anyway without APR (which many people do, and most of the time they will 
not notice the difference).

There is a secondary effect which needs to be considered when using SSL (HTTPS) :
When tomcat finds and uses APR, it uses APR functions to access SSL sockets. And these APR

functions rely on the underlying presence of SSL libraries provided by another package, 
named OpenSSL. These OpenSSL libraries require a particular format for the SSL keys and 
key stores.
When tomcat does not find APR, it will use the builtin Java functions for SSL. And these 
builtin functions require another format for the SSL keys and key stores.
So the parameters used in the <Connector> elements are a bit different in each case.
This is well explained in the tomcat on-line documentation.

> I am thinking to scrap the whole APR install.
> The reason I am trying to install it is because of my anal need to have
> clean logs.

I won't even try to interpret this..

> I can’t stand any messages suggesting or recommending that I do this or
> that.

They are just friendly messages, like the Amazon "other readers who have purchased this 
book, have also liked this : ... "

> I have always tried to accommodate those recommendations.

Ah, ok. I thought you could not stand them ?

> However, in this case it may be the best to ignore the catalane log message
> saying that I should install APR.

catalane ? that's been quite a bit in the news lately. But we're quite apolitical here, 
and so is tomcat usually.

> ===========================
> Thank You;
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
> Work # 215-400-5025
> Cell # 215-301-6571
> -----Original Message-----
> From: Christopher Schultz []
> Sent: Wednesday, November 1, 2017 4:04 PM
> To:
> Subject: Re: security headers
> Hash: SHA256
> Alejandro,
> On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
>> Hello,
>> I recently used on web.xml
>> <filter> <filter-name>httpHeaderSecurity</filter-name>
>> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</fi
> lter-class>
>>   <async-supported>true</async-supported> </filter>
>> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name>
>> <url-pattern>/*</url-pattern> </filter-mapping>
>> to enable some security headers, but it won't enable Content Security
>> Policy header. Is there anyway to enable Content Security Policy at
>> top server level???
> What were you expecting that Filter to generate for you? A header which
> disables everything? Not terribly useful.
> My recommendation would be to use something like url-rewrite[1] to add
> headers to every outgoing response. url-rewrite has very similar
> capabilities to httpd's mod_headers (and much more, of course).
> - -chris
> [1]
> Comment: GPGTools -
> Comment: Using GnuPG with Thunderbird -
> pFjuWRAAilRKahVEge71VBJrhragUyZuKR/uqEwfwpYj9Zq5DzI3I0JT6jwD8kwE
> //iuxBgDroVH/Xedn9oiMen9u1wSpf4p4fCQY0xcP99l6QnlgReimEM7Aoi24hTc
> WFgYlA2DVsKvmU0qjaI8HQoBrN+n8A+4Qhxu4fj5knNT1Sk1KppYDl/l6bkaI3Lc
> oPAvbYJbR2OV9SwCBoKFNjEPZwK9kTZhAr74gbErS/OZHcQAynZjHPcYl4+2K6Uj
> 98T3VKu6NIif5g3ry6TA9YYe5Dn3DyqBkY6wlAI91gRn7KjESDcJPcCiYglYDHqP
> 37ZdcP6LPmySFlBaug5E9811lyKIHnkpv/0OTaFM3AH0sulazBvLu38Ea5yeZQFC
> CofoYTMAY8KAlfwzKn+3RhTTQA8lmKHF/dVxQBRqP3vbN/+KU1KzqZmn2Q6KoYH+
> Lf+gMJjeLE/0/8X9CnTaFPkmg7VbYgGmhGzgFkD85YTswT962L8M5evG1xdHaNiM
> ZZDEeYLWC/Cjdqvht3zQ0gvmI35pI1q2K/fnYb+mrV0eIi/rcosz99GQVpTTqS58
> wCtIAKLChLuxuWoGp0+1+sI0ugwn9RmsIft34QBM1Us/FxGYc0Ou5VpBHE0JeYG8
> G8RjZ+9eonM5ScwPrAZKZ7pd6qfCHY24/OvK6vT4HbRdqJbvWT8=
> =j1H+
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message