HSTS headers for /proxyui do not seem to be working after updating web.xml with the following filter:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
The curl request does not return the HSTS header:
curl -k -I https://<servername>.example.com:<port no>/proxyui/
HTTP/1.1 302
Location: /proxyui/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-0009521c-18c4-1c67xxxxxxxxxxxxxxxxxxx7f&GUID=&SMAUTHREASON=0&METHOD=HEAD&SMAGENTNAME=-SM-imULHpfXu5M4KVs2n8XmFhh21q4XBTFwmxixbPzkAiOoAPGF%2bccZ71VXLSXWWk9B&TARGET=-SM-httpsxxxxxxxxxxxxxxxxxxxxx%3a<port no>%2fproxyui%2f
Transfer-Encoding: chunked
Date: Tue, 20 Jun 2023 13:54:10 GMT
Server: Apache-Coyote/1.1
Release: 12.8.x
- ProxyValve is the first request interpreter on Tomcat.
- ProxyValve checks with the Policy Server whether the requested resource is protected. If it is protected, ProxyValve checks for a session and, if one is present, validates it with the Policy Server. If everything checks out, ProxyValve allows the request to flow down to the next filters; otherwise the request is answered by ProxyValve itself.
- In this case the user hits /proxyui on the Tomcat port. ProxyValve receives the request and asks the Policy Server whether /proxyui is protected. The resource is protected and no session is present, so ProxyValve redirects to the login.fcc page.
- Although login.fcc is served by Tomcat, the request has not yet reached the HSTS filter configured in web.xml, because ProxyValve did not allow it to flow down: the resource is protected and there was no valid session.
- Once there is a valid SMSESSION, ProxyValve allows the request to reach the next filters. When the request flows down the filter chain and hits the HSTS filter configured in web.xml, the response headers are set.

Additional Questions
*** Question 1 --> For /proxyui/test.jpg the user got a 404 Not Found and the headers were set. Shouldn't we redirect to the protected page here, since /proxyui is protected?
Answer: The rule is not matching, so ProxyValve treats the resource as not protected and allows the request to flow down.
There is no issue with accessing /proxyui/test.jpg: .jpg is in the ignore extensions list, so the resource is handed to Tomcat for execution and the headers are set.
*** Question 2 --> For /, is it because we don't allow root access on Tomcat?
Answer: Yes.
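The request flow described in the explanation and in the two additional questions, modelled as an added example (not SiteMinder or Tomcat code): ProxyValve decides first, and the HttpHeaderSecurityFilter only adds Strict-Transport-Security on requests the valve lets flow down. The protected prefix, the ignore-extension list and the blocked-root behaviour are constructed assumptions for the demonstration, and `hsts_in_curl_head` is a small check for pasted `curl -I` output.

```python
"""Model of ProxyValve + HttpHeaderSecurityFilter ordering (added example)."""
from typing import Dict

PROTECTED_PREFIXES = ("/proxyui",)                    # constructed: protected realm
IGNORE_EXTENSIONS = (".jpg", ".png", ".css", ".js")   # constructed: agent ignore list
ROOT_ALLOWED = False                                  # article: no root access on Tomcat


def proxy_valve(path: str, has_valid_session: bool) -> str:
    """'redirect' when the valve answers the request itself with the login.fcc
    302, 'pass' when it flows down to the web.xml filter chain, 'deny' for the
    blocked root path (status of the deny response is not stated in the article)."""
    if path == "/" and not ROOT_ALLOWED:
        return "deny"
    if path.endswith(IGNORE_EXTENSIONS):
        return "pass"                                  # ignored extension, not protected
    if not path.startswith(PROTECTED_PREFIXES):
        return "pass"                                  # unprotected resource
    return "pass" if has_valid_session else "redirect"


def response_headers(path: str, has_valid_session: bool) -> Dict[str, str]:
    """Headers the client sees. Only the 'pass' branch reaches the filter, so
    only that branch carries Strict-Transport-Security (value is constructed)."""
    outcome = proxy_valve(path, has_valid_session)
    if outcome == "redirect":
        return {"Status": "302",
                "Location": "/proxyui/siteminderagent/forms/login.fcc"}
    if outcome == "deny":
        return {"Status": "blocked-by-valve"}
    return {"Status": "served-by-tomcat",                # 200 or 404, filter still ran
            "Strict-Transport-Security": "max-age=31536000;includeSubDomains"}


def has_hsts(path: str, has_valid_session: bool) -> bool:
    return "Strict-Transport-Security" in response_headers(path, has_valid_session)


def hsts_in_curl_head(raw: str) -> bool:
    """Check a pasted `curl -I` response head for the HSTS header (case-insensitive)."""
    return any(line.lower().startswith("strict-transport-security:")
               for line in raw.splitlines())


if __name__ == "__main__":
    for path, session in [("/proxyui/", False), ("/proxyui/", True),
                          ("/proxyui/test.jpg", False), ("/", False)]:
        print(f"{path:20} session={session!s:5} hsts={has_hsts(path, session)}")
```

Re-running the curl from the question with a valid SMSESSION cookie (`curl -k -I -b 'SMSESSION=...' https://<servername>.example.com:<port no>/proxyui/`) and feeding the output to `hsts_in_curl_head` confirms the header appears once the request passes the valve.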