Neither the JAVA_HOME nor the JRE_HOME environment variable is defined
At least one of these environment variable is needed to run this program
In bin/setclasspath.sh, add the JAVA environment variables:
export JAVA_HOME=<JDK directory>
export JRE_HOME=<JRE directory>
Example:
export JAVA_HOME=/opt/java/jdk1.8.0_221
export JRE_HOME=/opt/java/jdk1.8.0_221/jre
In bin/setclasspath.bat, add the JAVA environment variables:
SET JAVA_HOME=<JDK directory>
SET JRE_HOME=<JRE directory>
Example:
SET JAVA_HOME=D:\software\java\jdk-8u221-windows
SET JRE_HOME=D:\software\java\jdk-8u221-windows\jre
Accessing a page returns HTTP 400 with:
java.lang.IllegalArgumentException: Request header is too large
In conf/server.xml, add maxHttpHeaderSize="819200" to the Connector element (the value is in bytes; the Tomcat default is 8192):
<Connector port="18080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
maxHttpHeaderSize="819200" />
In conf/context.xml, add the following inside the Context element:
<Resources cachingAllowed="true" cacheMaxSize="2000000" />
After configuring HTTPS, startup fails with the following error:
10-May-2024 16:28:22.494 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]
10-May-2024 16:28:22.709 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Protocol-auto-null]]
org.apache.catalina.LifecycleException: Protocol handler instantiation failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:979)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1046)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
at org.apache.catalina.startup.Catalina.load(Catalina.java:686)
at org.apache.catalina.startup.Catalina.load(Catalina.java:709)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Step 1: install the APR and OpenSSL development packages
yum install apr-devel openssl-devel
Step 2: build and install Tomcat Native
Example:
wget https://dlcdn.apache.org/tomcat/tomcat-connectors/native/1.3.0/source/tomcat-native-1.3.0-src.tar.gz
tar xzf tomcat-native-1.3.0-src.tar.gz
cd tomcat-native-1.3.0-src/native
./configure --prefix=$CATALINA_HOME --with-java-home=$JAVA_HOME --with-ssl=yes
make && make install
Then in bin/setenv.sh (create it if it does not exist) add the library path so the JVM can find the native library:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/apr/lib
X-Frame-Options
A header scan reports that the X-Frame-Options header is missing.
XFrameOptionsFilter
In conf/web.xml, add the following filter:
<filter>
<filter-name>XFrameOptionsFilter</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderFilter</filter-class>
<init-param>
<param-name>headerName</param-name>
<param-value>X-Frame-Options</param-value>
</init-param>
<init-param>
<param-name>headerValue</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
</filter>
Here headerValue controls which framing (embedding in an iframe) is permitted: DENY disallows all framing; SAMEORIGIN allows framing only by the same origin (same domain and port); ALLOW-FROM allows framing from one specified origin (ALLOW-FROM is obsolete and ignored by current browsers; the Content-Security-Policy frame-ancestors directive is the supported replacement).
<filter-mapping>
<filter-name>XFrameOptionsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
HttpHeaderSecurity
In conf/web.xml, add the following filter:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
<init-param>
<param-name>xssProtection</param-name>
<param-value>1; mode=block</param-value>
</init-param>
<init-param>
<param-name>contentSecurityPolicy</param-name>
<param-value>default-src 'self'</param-value>
</init-param>
</filter>
Here antiClickJackingOption controls which framing (embedding in an iframe) is permitted: DENY disallows all framing; SAMEORIGIN allows framing only by the same origin (same domain and port); ALLOW-FROM allows framing from one specified origin. The filter-mapping's filter-name must match the name declared above (httpHeaderSecurity), otherwise the filter never runs.
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
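As an added example, not part of the original notes: a small Python check that parses a web.xml fragment and reports filter-mappings that reference no declared filter, declared filters that are never mapped (so they add no headers), and frame-option values other than DENY or SAMEORIGIN. The sample fragment is constructed inline and reproduces the filter-name mismatch discussed above.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml fragment: the HttpHeaderSecurityFilter from the
# notes, with its filter-mapping pointing at the wrong filter name.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>XFrameOptionsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

# X-Frame-Options values browsers still honour; ALLOW-FROM is obsolete and ignored.
FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}


def check_web_xml(xml_text):
    """Return findings about filters vs. mappings; an empty list means consistent."""
    root = ET.fromstring(xml_text)
    findings, declared, mapped = [], {}, set()
    # "{*}tag" matches the element in any namespace, so a real web.xml works too.
    for flt in root.iterfind(".//{*}filter"):
        name = flt.findtext("{*}filter-name", "").strip()
        params = {p.findtext("{*}param-name", "").strip(): p.findtext("{*}param-value", "").strip()
                  for p in flt.iterfind("{*}init-param")}
        declared[name] = params
        # Both filter variants from the notes carry the frame option under one of these keys.
        for key in ("antiClickJackingOption", "headerValue"):
            value = params.get(key)
            if value is not None and value.upper() not in FRAME_OPTIONS:
                findings.append(f"filter {name!r}: {key}={value!r} is not DENY or SAMEORIGIN")
    for mapping in root.iterfind(".//{*}filter-mapping"):
        name = mapping.findtext("{*}filter-name", "").strip()
        mapped.add(name)
        if name not in declared:
            findings.append(f"filter-mapping references undeclared filter {name!r}")
    for name in set(declared) - mapped:
        findings.append(f"filter {name!r} is declared but never mapped, so it adds no headers")
    return findings
```

Run check_web_xml on the content of conf/web.xml after editing; the sample above yields two findings, and correcting the mapping to httpHeaderSecurity yields none.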