Tek-Tips is the largest IT community on the Internet today!

Tomcat Query

Status
Not open for further replies.

tickles23 (Technical User, US), Nov 25, 2015
Hi guys,

Our application security team recommended that we make 3 changes to enhance our application's security:

1. Ensure that the Secure flag is set for cookies.
2. Ensure that the HttpOnly flag is set for cookies.
3. Disable all unnecessary methods in the web server config (PUT and DELETE).

To implement we did the following:

1.
In D:\apache\apache-tomcat-7.0.55 open the server.xml file.
Add the parameter below (in bold) to server.xml, under the Connector port syntax:

<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="60000"
redirectPort="8443"
secure="true"/>

2.
In D:\apache\apache-tomcat-7.0.55\conf open the context.xml file.
Add the parameter below in context.xml after Context:

<Context useHttpOnly="true">

3.
In D:\apache\apache-tomcat-7.0.55\conf open the web.xml file.
Insert a <security-constraint> element directly under the <web-app> element:


<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

After we applied the above we rebooted the application server.
Since then though we have been unable to login to Clarity.

Can anyone please advise? Thanks.
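The login failure after step 1 has a well-known cause. The Connector attribute secure="true" does not add TLS; it only tells Tomcat to answer request.isSecure() with true for every request on that connector. Tomcat then marks the JSESSIONID cookie Secure even though it is delivered over plain HTTP on port 8080, the browser refuses to return a Secure cookie over http://, and every login bounces back to the form. The configuration below is an added editorial example, not part of the original post and not Clarity's or Tomcat's own shipped files; it shows one way to apply all three recommendations on Tomcat 7 without that effect. The port numbers, the keystore path and password, the WatchedResource line, and the decision to force HTTPS for the whole application are illustrative assumptions.

```xml
<!-- Added example, not from the original post. Ports, keystore path/password,
     the WatchedResource entry and the decision to force HTTPS for the whole
     application are assumptions made for illustration. -->

<!-- === conf/server.xml ==================================================== -->
<!-- Plain HTTP connector: do NOT set secure="true" here. The attribute only
     declares how Tomcat should answer request.isSecure(); it does not add TLS.
     With it set, session cookies issued on 8080 carry the Secure attribute,
     the browser never sends them back over http://, and login fails. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="60000"
           redirectPort="8443" />

<!-- TLS connector: scheme="https" and secure="true" belong here, because this
     connector really terminates TLS. Keystore file and password are assumed. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/clarity.jks" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"
           connectionTimeout="60000" />

<!-- === conf/context.xml =================================================== -->
<!-- HttpOnly on the session cookie. Tomcat 7 already defaults useHttpOnly to
     true; setting it explicitly records the intent. Keep whatever was already
     inside <Context> (the WatchedResource line below is the stock one). -->
<Context useHttpOnly="true">
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>

<!-- === conf/web.xml (Servlet 3.0; applies to every deployed webapp) ======= -->
<!-- Secure flag on the session cookie via the Servlet 3.0 cookie-config.
     conf/web.xml already contains a <session-config> element: merge this into
     it rather than adding a second one. Marking the cookie Secure is only safe
     when every login path is HTTPS, which the CONFIDENTIAL constraint below
     enforces by redirecting HTTP requests to the connector's redirectPort. -->
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

<!-- Force HTTPS for the whole application: a request on 8080 is answered with
     a redirect to https://host:8443/..., so the Secure cookie is always usable. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>everything over TLS</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Method restriction. The original PUT/DELETE deny list works, but naming the
     verbs to forbid leaves every other verb (TRACE, OPTIONS, custom ones)
     allowed. The Servlet 3.0 http-method-omission form denies everything
     EXCEPT the listed methods. The empty <auth-constraint /> means "no role
     may access", i.e. an unconditional 403 for the matched methods. Confirm
     the application needs no other verbs before deploying this. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>HEAD</http-method-omission>
        <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
```

To check the result after a restart, three requests are enough: a plain `curl -I http://host:8080/` should now return a redirect to the https URL instead of a login page; `curl -k -I https://host:8443/` should show a Set-Cookie header for JSESSIONID that carries both Secure and HttpOnly; and `curl -k -X DELETE -o /dev/null -w '%{http_code}' https://host:8443/` should print 403 while a GET of the same URL still succeeds. If the application sits behind a reverse proxy that terminates TLS and forwards plain HTTP, leave secure="true" on the connector the proxy talks to only if that connector receives HTTPS-originated traffic exclusively; otherwise the same login loop reappears.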