How to Configure Tomcat and Set STRICT_SERVLET_COMPLIANCE (V-223002)


Article ID: 219600


Products

CA Spectrum DX NetOps

Issue/Introduction


For highly secure sites, tomcat servers are required to have STRICT_SERVLET_COMPLIANCE enabled

Finding ID:  V-223002
Version:     TCAT-AS-001660
Rule ID:     SV-223002r615938_rule
IA Controls: (none listed)
Severity:    Low

Rule Title: STRICT_SERVLET_COMPLIANCE must be set to true.

Discussion: Strict Servlet Compliance forces Tomcat to adhere to standards specifications, including but not limited to RFC 2109. RFC 2109 is the HTTP State Management Mechanism, the cookie specification on which HTTP session management is built. This one setting changes the defaults of several other settings, which primarily pertain to cookie headers, cookie values, and sessions; in particular, cookies are parsed for strict adherence to the specification.

Note that changing a number of these default settings may break some systems, as some browsers are unable to correctly handle the cookie headers that result from a strict adherence to the specifications.

This one setting changes the default values for the following settings:

org.apache.catalina.core.ApplicationContext.GET_RESOURCE_REQUIRE_SLASH
org.apache.catalina.core.ApplicationDispatcher.WRAP_SAME_OBJECT
org.apache.catalina.core.StandardHostValve.ACCESS_SESSION
org.apache.catalina.session.StandardSession.ACTIVITY_CHECK
org.apache.catalina.session.StandardSession.LAST_ACCESS_AT_START
org.apache.tomcat.util.http.ServerCookie.ALWAYS_ADD_EXPIRES
org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR
org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER
org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING
The resourceOnlyServlets attribute of any Context element.
The tldValidation attribute of any Context element.
The useRelativeRedirects attribute of any Context element.
The xmlNamespaceAware attribute of any Context element.
The xmlValidation attribute of any Context element.

Check Text: If the system has an ISSM risk acceptance for operational issues that arise due to this setting, this is not a finding.

From the Tomcat server as a privileged user, run the following command:

sudo grep -i strict_servlet /etc/systemd/system/tomcat.service

If there are no results, or if -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE is not set to true, this is a finding.

Note that the STIG check assumes the property is passed as a JVM option from a systemd unit file. Spectrum sets it as a line in $SPECROOT/tomcat/conf/catalina.properties instead (see Resolution), so on a Spectrum OneClick server the equivalent check is to grep that file for org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true (uncommented).
 

Environment

Release : 20.2 and above

Component : Spectrum OneClick

Resolution

For Spectrum 21.2.6 and below:

1) Edit: $SPECROOT/tomcat/conf/catalina.properties
    Add: org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true



2) Edit: $SPECROOT/tomcat/conf/context.xml

   Change:
         <Context>

   To:
         <Context xmlValidation="false" webXmlNamespaceAware="false" tldValidation="false">

   This pins the Context validation attributes back to false, because STRICT_SERVLET_COMPLIANCE would otherwise flip their defaults to true (see the list in the Discussion above), which is where the operational breakage the STIG warns about comes from.
   


3) Restart tomcat
       cd $SPECROOT/tomcat/bin/
       ./stopTomcat.sh
       ./startTomcat.sh


For Spectrum 21.2.8 and above:

The $SPECROOT/tomcat/conf/context.xml has the entry out of the box.

The $SPECROOT/tomcat/conf/catalina.properties file has the following two entries at the bottom of the file:

org.apache.catalina.STRICT_SERVLET_COMPLIANCE=false
org.apache.catalina.connector.RECYCLE_FACADES=false

Change these entries to the following and restart tomcat (stopTomcat.sh followed by startTomcat.sh in $SPECROOT/tomcat/bin, as in step 3 above):

org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true
org.apache.catalina.connector.RECYCLE_FACADES=true
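The following helper script is an added example for this article and is not a Spectrum or Broadcom script. It applies the catalina.properties part of the Resolution idempotently (rewriting an existing entry rather than appending a duplicate) and then runs a Spectrum-adapted version of the STIG check: both properties must be uncommented and set to true, and the <Context> element must still carry the three validation attributes set to false. The function names, the demo() routine and the sample files it builds are all constructed for this example; the file paths follow the $SPECROOT/tomcat/conf layout the article describes.

```shell
#!/bin/sh
# Added helper for this article, not a Spectrum or Broadcom script. It audits
# and sets the V-223002 entries in the files the Resolution names, under the
# directory layout the article describes ($SPECROOT/tomcat/conf/...).
# The sample files built by demo() are constructed for a dry run.

# Escape the dots in a property key so it can be used inside an ERE.
re_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Return 0 when KEY is present, uncommented, and set to exactly VALUE in FILE.
check_property() {
    file=$1; key=$2; value=$3
    grep -qE "^[[:space:]]*$(re_key "$key")[[:space:]]*=[[:space:]]*${value}[[:space:]]*$" "$file"
}

# Rewrite the first KEY= line (commented out or not) as KEY=VALUE, or append
# KEY=VALUE when the file has no such line. The content is written back into
# the original file rather than mv'd over it, so owner and mode are preserved.
set_property() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    if grep -qE "^[[:space:]]*#?[[:space:]]*$(re_key "$key")[[:space:]]*=" "$file"; then
        awk -v k="$key" -v v="$value" '
            !done && $0 ~ ("^[ \t]*#?[ \t]*" k "[ \t]*=") { print k "=" v; done = 1; next }
            { print }' "$file" > "$tmp"
    else
        cp "$file" "$tmp"
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Return 0 when the <Context ...> start tag carries ATTR="false".
# Assumes the start tag sits on one line, as in the article's example.
context_attr_is_false() {
    file=$1; attr=$2
    grep -qE "<Context[^>]*[[:space:]]${attr}=\"false\"" "$file"
}

# Spectrum-adapted V-223002 check. Returns 0 for "not a finding", 1 when any
# expected value is missing, 2 when the files themselves are missing.
audit_v223002() {
    root=$1
    props="$root/tomcat/conf/catalina.properties"
    ctx="$root/tomcat/conf/context.xml"
    [ -f "$props" ] && [ -f "$ctx" ] || return 2
    status=0
    for key in org.apache.catalina.STRICT_SERVLET_COMPLIANCE \
               org.apache.catalina.connector.RECYCLE_FACADES; do
        if check_property "$props" "$key" true; then
            echo "ok:      $key=true"
        else
            echo "finding: $key is not set to true in $props"; status=1
        fi
    done
    for attr in xmlValidation webXmlNamespaceAware tldValidation; do
        if context_attr_is_false "$ctx" "$attr"; then
            echo "ok:      <Context ... $attr=\"false\">"
        else
            echo "finding: <Context> does not set $attr=\"false\" in $ctx"; status=1
        fi
    done
    return $status
}

# Dry run against a constructed copy of the 21.2.8+ out-of-the-box files.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/tomcat/conf"
    printf '%s\n' '# constructed sample, not a real Spectrum file' \
        'org.apache.catalina.STRICT_SERVLET_COMPLIANCE=false' \
        'org.apache.catalina.connector.RECYCLE_FACADES=false' \
        > "$root/tomcat/conf/catalina.properties"
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<Context xmlValidation="false" webXmlNamespaceAware="false" tldValidation="false">' \
        '</Context>' > "$root/tomcat/conf/context.xml"
    echo "--- before"
    audit_v223002 "$root" || true
    set_property "$root/tomcat/conf/catalina.properties" org.apache.catalina.STRICT_SERVLET_COMPLIANCE true
    set_property "$root/tomcat/conf/catalina.properties" org.apache.catalina.connector.RECYCLE_FACADES true
    echo "--- after"
    audit_v223002 "$root"
    rm -rf "$root"
}

demo
```

To use it against a live install, drop the demo call and run audit_v223002 "$SPECROOT" before and after set_property on $SPECROOT/tomcat/conf/catalina.properties, then restart Tomcat as in step 3; the audit is read-only, so it is also usable as the periodic STIG check.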