Secure sites require the ENFORCE_ENCODING_IN_GET_WRITER setting to be configured and set to true.
Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-223005 | TCAT-AS-001690 | SV-223005r615938_rule | | Medium |
ENFORCE_ENCODING_IN_GET_WRITER must be set to true. (stigviewer.com)
Rule Title: The Java Security Manager must be enabled.
From the Tomcat server as a privileged user, run the following command:
sudo grep -i enforce_encoding /etc/systemd/system/tomcat.service
If there are no results, or if org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER is not set to "true", this is a finding.
Fix Text (F-24666r426460_fix)
From the Tomcat server as a privileged user:
Edit the /etc/systemd/system/tomcat.service file, and either add or edit the org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER setting.
Set org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true.
EXAMPLE:
Environment='CATALINA_OPTS=-Dorg.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true'
Reload the systemd configuration so the edited unit file is read, then restart the Tomcat server:
sudo systemctl daemon-reload
sudo systemctl restart tomcat
Release: 21.2
Component: Spectrum OneClick
1. Created a file named setenv.sh in $SPECROOT/tomcat/bin/
2. Added the following to setenv.sh:
#!/bin/sh
# JVM options in CATALINA_OPTS are separated by spaces; each -D option must be its own argument.
CATALINA_OPTS="-Dorg.apache.catalina.connector.RECYCLE_FACADES=true -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true -Dorg.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true"
export UMASK="0027"
3. Restart Tomcat:
cd $SPECROOT/tomcat/bin/
./stopTomcat.sh
./startTomcat.sh
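
Grepping the unit file or setenv.sh only shows what was typed; the following added example (not part of the STIG or the vendor article) checks the argument vector the JVM was actually started with, so a malformed option list or a missed restart shows up as a finding. The function names and the sample input are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not STIG or vendor code. Reads a NUL-separated argument
# vector (the format of /proc/<pid>/cmdline) and reports what the JVM was
# actually started with.
PROP='org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER'

# Print the value of the last argument of the form -D<PROP>=<value>, or
# nothing if there is none. The name is matched case-insensitively, like
# the `grep -i` in the check text.
jvm_flag_value() {
    tr '\0' '\n' < "$1" | awk -v p="$PROP" '
        BEGIN { key = "-d" tolower(p) "=" }
        # The option must start its own argument; text buried inside another
        # argument (comma-joined options) does not set the property.
        index(tolower($0), key) == 1 { val = substr($0, length(key) + 1); hit = 1 }
        END { if (hit) print val }'
}

# Return 0 when the flag is present with value true, 1 otherwise (a finding).
check_enforce_encoding() {
    val=$(jvm_flag_value "$1" | tr 'A-Z' 'a-z')
    if [ "$val" = "true" ]; then
        echo "PASS: $PROP=true"
        return 0
    fi
    echo "FINDING: $PROP is '${val:-<not set>}' in $1"
    return 1
}

# Constructed sample argv: options joined with a comma arrive as ONE
# argument, so the flag is never set even though grep would find its name.
demo=$(mktemp)
printf '%s\0' java "-Dx.y=true,-D${PROP}=true" Bootstrap > "$demo"
check_enforce_encoding "$demo" || true
rm -f "$demo"

# On a live host (assumes the service is named tomcat, as on this page):
#   check_enforce_encoding "/proc/$(systemctl show -p MainPID --value tomcat)/cmdline"
```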