Hi, I am trying to set up HttpHeaderSecurityFilter to enhance the security of my website. The filter is defined in $TOMCAT_HOME/conf/web.xml as follows:

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>ALLOW-FROM</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingUri</param-name>
            <param-value></param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

My app's directory has a web.xml file which contains the following setting:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>TilesComponents</web-resource-name>
            <description>Tiles components</description>
            <url-pattern>/tiles/*</url-pattern>
            <url-pattern>/tiles/common/*</url-pattern>
            <url-pattern>/layouts/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>inaccessible</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

The HttpHeaderSecurityFilter works for all URLs except the patterns provided in the <security-constraint> setting. The following is the output of the curl command. You can see that HttpHeaderSecurityFilter's headers are missing. These headers are applied on all other URLs but do not work for this URL.

    $ curl -v https://myhost.mydomain.com/myapp/layouts/
    * About to connect() to myhost.mydomain.com port 443 (#0)
    *   Trying 127.0.0.1...
    * Connected to myhost.mydomain.com (127.0.0.1) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    * Server certificate:
    *   subject: CN=*.mydomain.com
    *   start date: Dec 01 14:08:27 2021 GMT
    *   expire date: Jan 01 14:08:27 2023 GMT
    *   common name: *.mydomain.com
    *   issuer: CN=SSL.com RSA SSL subCA,O=SSL Corporation,L=Houston,ST=Texas,C=US
    > GET /myapp/layouts/ HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: myhost.mydomain.com
    > Accept: */*
    >
    < HTTP/1.1 403 403
    < Date: Fri, 28 Jan 2022 13:18:03 GMT
    < Server: Apache
    < Cache-Control: private
    < Content-Language: en
    < Content-Length: 431
    < Connection: close
    < Content-Type: text/html;charset=utf-8
    <
    * Closing connection 0
    <!doctype html><html lang="en"><head><title>HTTP Status 403 – Forbidden</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 403 – Forbidden</h1></body></html>

Any help is really appreciated.

Thanks,
Jasvant
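A check that makes the gap in the post visible across many paths at once, as an added example that is not part of the original post or of Tomcat: it takes a captured set of response headers (what `curl -s -D - -o /dev/null URL` prints) and lists which expected security headers are absent. The header names it looks for, Strict-Transport-Security and X-Frame-Options, are the ones HttpHeaderSecurityFilter emits for hstsEnabled and antiClickJackingEnabled; the two sample responses are constructed inline, the second one modelled on the 403 above, and the `check_paths` sweep and its curl call are assumptions for real use against a host.

```shell
#!/bin/sh
# Added example: report which expected security headers are missing from a
# captured HTTP response. Header names are those HttpHeaderSecurityFilter sets
# for hstsEnabled (Strict-Transport-Security) and antiClickJackingEnabled
# (X-Frame-Options).
EXPECTED_HEADERS="Strict-Transport-Security X-Frame-Options"

# Usage: missing_security_headers "<raw response headers>"
# Prints one missing header name per line; prints nothing when all are present.
missing_security_headers() {
    headers=$1
    for h in $EXPECTED_HEADERS; do
        # Case-insensitive match on "Name:" at the start of a line.
        if ! printf '%s\n' "$headers" | grep -iq "^$h:"; then
            printf '%s\n' "$h"
        fi
    done
}

# Constructed sample: a response that went through the filter chain.
OK_RESPONSE='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
Content-Type: text/html'

# Constructed sample: a container-generated 403 like the one in the post,
# with neither security header present.
DENIED_RESPONSE='HTTP/1.1 403 403
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=utf-8'

# Sweep several paths on a live host and print a per-path verdict.
# Assumed usage (needs network access and curl):
#   check_paths https://myhost.mydomain.com/myapp / /layouts/ /tiles/
check_paths() {
    base=$1
    shift
    for p in "$@"; do
        hdrs=$(curl -s -D - -o /dev/null "$base$p")
        missing=$(missing_security_headers "$hdrs")
        if [ -z "$missing" ]; then
            echo "$p: ok"
        else
            echo "$p: missing $(printf '%s' "$missing" | tr '\n' ' ')"
        fi
    done
}

# Stand-alone demonstration on the constructed samples.
echo "ok response missing: [$(missing_security_headers "$OK_RESPONSE")]"
echo "403 response missing: [$(missing_security_headers "$DENIED_RESPONSE")]"
```

Run against every path that matters, including ones that are expected to be refused, so that responses produced by the container itself (error pages, authentication failures, redirects to the login page) are checked for the headers rather than only the pages that reach the application.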