Clarity

  • 1.  Tomcat Query

    Posted Nov 25, 2015 08:44 AM

    Hi guys,

    our application security team recommended that we make 3 changes to enhance our Clarity application's security:

    1. Ensure that the secure flag is set for cookies.
    2. Ensure that the HTTPOnly flag is set for cookies.
    3. Disable all unnecessary methods in the web server config (PUT and DELETE).

    To implement we did the following:

    1. In D:\apache\apache-tomcat-7.0.55 open the server.xml file.
    Add the parameter below (secure="true") in server.xml under the Connector port element:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="60000"
               redirectPort="8443"
               secure="true"/>

    2. In D:\apache\apache-tomcat-7.0.55\conf open the context.xml file.
    Add the parameter below in context.xml on the Context element:

    <Context useHttpOnly="true">

    3. In D:\apache\apache-tomcat-7.0.55\conf open the web.xml file.
    Insert a <security-constraint> element directly under the <web-app> element:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>

    After we applied the above we rebooted the application server.
    Since then though we have been unable to login to Clarity.

    Can anyone please advise? Thanks.
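    A way to verify the three changes described in this post without touching the server, as an added example that is not part of the original thread or of CA/Broadcom's product code: the script parses a web.xml fragment modelled on the constraint above and reports which methods an empty <auth-constraint/> denies, then audits a Set-Cookie header for the Secure and HttpOnly flags. It also checks one thing a practitioner would want to know when secure="true" is placed on a plain-HTTP connector: a cookie carrying the Secure flag is never returned by the browser over http, so the server would not see the session on the next request. The web.xml text, cookie strings and URLs below are constructed sample data; the host name and cookie value are made up.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample web.xml fragment, modelled on the constraint posted above.
# The namespace is the standard Java EE one that Tomcat 7 web.xml files use.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>
"""

# Constructed Set-Cookie headers and the URL of the response that carried them.
SAMPLE_RESPONSES = {
    "hardened": ("JSESSIONID=abc123; Path=/; Secure; HttpOnly",
                 "https://clarity.example.test/"),
    "plain_http": ("JSESSIONID=abc123; Path=/; Secure; HttpOnly",
                   "http://clarity.example.test:8080/"),
    "unflagged": ("JSESSIONID=abc123; Path=/",
                  "https://clarity.example.test/"),
}


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def denied_methods(web_xml: str, url_pattern: str = "/*") -> set:
    """Return the HTTP methods that web_xml denies for url_pattern.

    Only constraints with an empty <auth-constraint/> (no <role-name>) count:
    that form means no role is allowed, i.e. the method is blocked for everyone.
    """
    root = ET.fromstring(web_xml)
    denied = set()
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        if not auth or any(_local(r.tag) == "role-name" for r in auth[0]):
            continue  # no auth-constraint, or roles listed: not a blanket deny
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = {p.text.strip() for p in wrc if _local(p.tag) == "url-pattern"}
            if url_pattern not in patterns:
                continue
            denied |= {m.text.strip().upper() for m in wrc if _local(m.tag) == "http-method"}
    return denied


def cookie_flags(set_cookie: str) -> dict:
    """Parse one Set-Cookie header value into its cookie name and boolean flags."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return {"name": name, "secure": "secure" in attrs, "httponly": "httponly" in attrs}


def audit_session_cookie(set_cookie: str, response_url: str) -> list:
    """Return findings for a session cookie; an empty list means both flags are
    present and the browser will actually send the cookie back."""
    flags = cookie_flags(set_cookie)
    findings = []
    if not flags["httponly"]:
        findings.append("missing HttpOnly")
    if not flags["secure"]:
        findings.append("missing Secure")
    elif urlsplit(response_url).scheme != "https":
        # Browsers never return a Secure cookie over plain http, so the server
        # would not see this session on the next request.
        findings.append("Secure flag set on a cookie issued over http")
    return findings


if __name__ == "__main__":
    print("denied for /*:", sorted(denied_methods(SAMPLE_WEB_XML)))
    for label, (header, url) in SAMPLE_RESPONSES.items():
        print(label, audit_session_cookie(header, url) or "ok")
```

    Point denied_methods at the real conf/web.xml contents and audit_session_cookie at the Set-Cookie header captured from the login response (over the URL users actually use) to confirm the three recommendations took effect.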



  • 2.  Re: Tomcat Query
    Best Answer

    Broadcom Employee
    Posted Nov 25, 2015 10:04 AM

    Hi Colin,

    There is an option in PPM to do it via CSA:

    Use HttpOnly Session Cookie (Enabling this setting will prevent the sessionId cookie from being accessible from HTML portlets through JavaScript.)



  • 3.  Re: Tomcat Query

    Posted Nov 25, 2015 11:00 AM

    Thank you Suman.

    We actually figured out the problem and it didn't have anything to do with the changes made to the Tomcat config.

    Your tip is useful to know though as it is a lot "cleaner" to make this change in the CSA, rather than by editing files.