Confluence 7.19.6 on Windows Server 2019 Standard and Tomcat 9.0.65
Hi. Hope someone can advise with this please? Our penetration test threw up a few things that need to be addressed. One thing is MULTIPLE MISSING HTTP SECURITY HEADERS
I have found that these can be added to, or already exist in the web.xml. Now I am confused about which web.xml is being used by Confluence. There is the web.xml in Atlassian\Conf and another one in Atlassian\Confluence\confluence\WEB-INF
I was of the opinion that it is using the web.xml in WEB-INF but that does not contain anything related to httpHeaderSecurity whereas the one in conf does. In the conf web.xml they are all commented out. The WEB-INF web.xml contains references to Confluence whereas the conf/web.xml appears to be entirely generic
Perhaps both are in play in some form or another? Which file should I be adding my HTTP Headers to in order to tighten up my web application security please?
Since I have Confluence connected to JIRA and am using JIRA Directory Server I also need to be careful that I don't unwittingly break my access between the two applications
Any assistance or advice gratefully received. TIA
Welcome to the Atlassian Community!
You don't tell us exactly where the two web.xml files are, so I can't really answer the question completely. Not in a "missing data" sense - you have given us a couple of partial paths which is very clear, but I can't tell what they are from what you have said.
The question is what is in the directories you've given us - not the content, but what it's for. Where is your Confluence installed in relation to those directories?
As an example, I've got a development system on this machine that has
./confluence/webapp/WEB-INF/web.xml
./container/tomcat9x/apache-tomcat-9.0.11/conf/web.xml
There's a pile of extra ones because it is a development system, but I've removed them from the list to keep it simple. However, it isn't in quite the same structure as a standard non-development install.
The important bit here is that the web.xml in the Confluence/webapp is a config file for the application, and the web.xml in the Tomcat directory is the config file for Tomcat.
The Confluence application does not do headers itself; it simply runs on Tomcat and assumes that it has been configured to serve up the pages Confluence generates.
I think you need to be looking at the Tomcat web.xml. Unless you want to try to do something clever with different pages or areas in Confluence, it's going to be best just to have Tomcat apply the same headers for everything Confluence serves. Confluence is an application; Tomcat is a web-application server; it's going to be easier and better to do security stuff in the application server (but if you're behind a proxy, I'd recommend that being the first place to look - most people I work with make Internet -> Apache/Nginx -> Tomcat on a local and totally firewalled server -> Atlassian application, and do most of the security at the Apache/Nginx level).
Whatever you want to tighten up, it is unlikely to break your Confluence/Jira connection - that's a simple call over http or https to the Jira server that doesn't look at headers like browsers do.
Hi Nic
Thank you so much for taking the time to respond to me. The application is installed as follows: D:\Program Files\Atlassian
So the paths are D:\Atlassian\Conf\web.xml (The Tomcat one) and D:\Program Files\Atlassian\Confluence\confluence\WEB-INF (The Confluence one)
The Confluence folder contains the following files and folders
Directory of D:\Program Files\Atlassian\Confluence\confluence\WEB-INF
03/04/2023 08:41 <DIR> .
03/04/2023 08:41 <DIR> ..
03/04/2023 08:40 <DIR> atlassian-bundled-plugins
03/04/2023 08:40 <DIR> atlassian-bundled-plugins-setup
03/04/2023 08:40 <DIR> classes
22/02/2023 04:32 6,971 decorators.xml
22/02/2023 04:32 15,163 glue-config.xml
03/04/2023 08:41 <DIR> lib
03/04/2023 08:41 <DIR> osgi-framework-bundles
03/04/2023 08:41 <DIR> packages
22/02/2023 04:32 1,968 server-config.wsdd
22/02/2023 04:32 1,301 sitemesh.xml
22/02/2023 04:32 965 urlrewrite.xml
02/05/2023 15:35 1,985 web.xml
But really, you have given me the answer I was looking for so that's great. Thank you very much :-)