To be more complete on security, we added MinimumErrorReportValve ( https://git-wip-us.apache.org/repos/asf?p=tomee.git;a=blob;f=tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/valve/MinimumErrorReportValve.java;h=7e772b4ab3f12476abe432458e59f0f3d34dc081;hb=da4ef5872953dd0f29e1147d3cd7f7d14a73ca0a ) to replace the default Tomcat error valve by configuration, to even force hiding the Tomcat info on error pages when they are not configured.

@Andy: you didn't deactivate all headers by default since server and xpoweredBy are 2 different things. I'd just completely revert it keeping conf 1-1 with Tomcat. Will not be activated anyway by guys in prod IMO.

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber <http://www.tomitribe.com>

2015-05-07 23:35 GMT+02:00 Andy <[email protected]>:

> Well that info was not, and has never been, available to a client via that
> header and I'm not sure it's a good idea to ever expose actual server
> versions anyway.
> As Romain stated, the server info is also available. I added/exposed the
> xpoweredBy attribute (which is still always off by default anyway), just so
> you can see it is there and switch it on if you like.
>
> This 'server' header was recently used to determine what servers are out
> and about by a statistics provider, so I have just changed the default
> 'Apache Tomcat 7.0.x' to 'Apache TomEE'. The version here is just not
> important.
> You should never use it for anything other than statistics. Many servers
> pretend to be something else or turn it off anyway (to deter hacks).
>
> If you actually want to turn it off then setting it to an empty or
> arbitrary string will hide it altogether.
>
> If you need to provide server details to clients then best do it over an
> authenticated end-point.
>
> Andy.
>
> On 07/05/2015 23:17, Jay McHugh wrote:
>
>> Or maybe at least an indication of which JavaEE version it supports?
>>
>> On Thu, May 7, 2015 at 4:15 PM Jay McHugh <[email protected]> wrote:
>>
>>> Shouldn't the header include a version number then (at least a major
>>> version) so that it can be differentiated between TomEE 1.5.x, 1.6.x,
>>> 1.7.x, etc?
>>>
>>> It is a little bit more to remember to change but I think that it would be
>>> at least as valuable as the change from Tomcat to TomEE.
>>>
>>> No?
>>>
>>> On Thu, May 7, 2015 at 4:11 PM Andy <[email protected]> wrote:
>>>
>>>> Some crawlers are using that header as the evaluation. Default is Apache
>>>> Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give
>>>> us better standing.
>>>>
>>>> Andy.
>>>>
>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>
>>>>> PS (sorry hit enter without wishing it): asking cause I wouldn't have it on
>>>>> by default as a user
>>>>>
>>>>> Romain Manni-Bucau
>>>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog
>>>>> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>> <http://www.tomitribe.com>
>>>>>
>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <[email protected]>:
>>>>>
>>>>>> Hi
>>>>>>
>>>>>> What's the goal? We already switch server info, isn't it enough?
>>>>>>
>>>>>> Romain Manni-Bucau
>>>>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog
>>>>>> <http://rmannibucau.wordpress.com> | Github
>>>>>> <https://github.com/rmannibucau> | LinkedIn
>>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>> <http://www.tomitribe.com>
>>>>>>
>>>>>> ---------- Forwarded message ----------
>>>>>> From: <[email protected]>
>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>> Subject: tomee git commit: TomEE header
>>>>>> To: [email protected]
>>>>>>
>>>>>> Repository: tomee
>>>>>> Updated Branches:
>>>>>>   refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>
>>>>>> TomEE header
>>>>>>
>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>
>>>>>> Branch: refs/heads/master
>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>> Parents: 2c4047e
>>>>>> Author: [email protected] <[email protected]>
>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>> Committer: [email protected] <[email protected]>
>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>
>>>>>> ----------------------------------------------------------------------
>>>>>>  .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>>>  .../java/org/apache/tomee/installer/Installer.java | 17 +++++++++++++++++
>>>>>>  2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>> ----------------------------------------------------------------------
>>>>>>
>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>> ----------------------------------------------------------------------
>>>>>> diff --git >>>>>> >>>>>> >>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>> >>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>> >>>>> index 70fcf6f..17731b9 100644 >>>>>> --- >>>>>> >>>>>> >>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>> >>>>> +++ >>>>>> >>>>>> >>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>> >>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT { >>>>>> " <!-- TomEE plugin for Tomcat -->\n" + >>>>>> " <Listener >>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" + >>>>>> " <Service name=\"Catalina\">\n" + >>>>>> - " <Connector port=\"" + http + "\" >>>>>> >>>>> protocol=\"HTTP/1.1\" >>>> >>>>> />\n" + >>>>>> + " <Connector port=\"" + http + "\" >>>>>> >>>>> protocol=\"HTTP/1.1\" >>>> >>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" + >>>>>> " <Engine name=\"Catalina\" >>>>>> >>>>> defaultHost=\"localhost\">\n" + >>>> >>>>> " <Host name=\"localhost\" appBase=\"webapps\"\n" >>>>>> + >>>>>> " unpackWARs=\"true\" >>>>>> autoDeploy=\"true\">\n" >>>>>> >>>>> + >>>> >>>>> >>>>>> >>>>>> >>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>> >>>>> ---------------------------------------------------------------------- >>>>>> diff --git >>>>>> >>>>>> >>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>> >>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>> >>>>> index 0308c3d..60bd8f7 100644 >>>>>> --- >>>>>> >>>>>> >>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>> >>>>> +++ >>>>>> >>>>>> >>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java 
>>>> >>>>> @@ -448,6 +448,23 @@ public class Installer implements >>>>>> >>>>> InstallerInterface { >>>> >>>>> alerts.addError("Error while adding listener to >>>>>> >>>>> server.xml >>>> >>>>> file", e); >>>>>> } >>>>>> >>>>>> + //Add TomEE header >>>>>> + try { >>>>>> + newServerXml = Installers.replace(serverXmlOriginal, >>>>>> + "<Connector port=\"8080\"", >>>>>> + "<Connector port=\"8080\"", >>>>>> + "/>", >>>>>> + "xpoweredBy=\"false\" server=\"Apache TomEE\" >>>>>> >>>>> />"); >>>> >>>>> + >>>>>> + newServerXml = Installers.replace(serverXmlOriginal, >>>>>> + "<Connector port=\"8443\"", >>>>>> + "<Connector port=\"8443\"", >>>>>> + "/>", >>>>>> + "xpoweredBy=\"false\" server=\"Apache TomEE\" >>>>>> >>>>> />"); >>>> >>>>> + } catch (final IOException e) { >>>>>> + alerts.addError("Error adding server attribute to >>>>>> >>>>> server.xml >>>> >>>>> file", e); >>>>>> + } >>>>>> + >>>>>> // overwrite server.xml >>>>>> if (Installers.writeAll(paths.getServerXmlFile(), >>>>>> >>>>> newServerXml, >>>> >>>>> alerts)) { >>>>>> alerts.addInfo("Add OpenEJB listener to server.xml"); >>>>>> >>>>>> >>>>>> >>>>>> -- >>>> Andy Gumbrecht >>>> https://twitter.com/AndyGeeDe >>>> >>>> >>>> > -- > Andy Gumbrecht > https://twitter.com/AndyGeeDe > >
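
Review bot: In the RemoteTomEEEJBContainerIT.java hunk the fixture Connector gains xpoweredBy="false" server="Apache TomEE", but nothing in the visible lines asserts on the response headers, so the test passes whether or not the banner is applied. Consider adding a check that a response carries Server: Apache TomEE and no X-Powered-By. The commit message "TomEE header" also does not say why the default banner changes; one line on the intent would help whoever reads the history later.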
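
Review bot: In the Installer.java hunk both Installers.replace calls read from serverXmlOriginal and assign to newServerXml, so the result of the 8080 replacement is overwritten by the 8443 one, and anything newServerXml already held from the listener step above is dropped before writeAll. Chain the calls on newServerXml instead. The match strings also hard-code port="8080" and port="8443", so a Connector on any other port keeps the default banner, and after the new catch the code still proceeds to overwrite server.xml with the "Add OpenEJB listener" message, which does not mention the header change.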
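
A configuration check for the two Connector attributes discussed in this thread, as an added example (not code from the thread or from TomEE): it parses a server.xml and reports, per HTTP Connector, whether xpoweredBy is enabled, whether server is left unset, and whether the server value carries a version-like string. The sample XML, the version string in it and the function name `audit_connectors` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from the thread).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" xpoweredBy="false" server="Apache TomEE" />
    <Connector port="8443" protocol="HTTP/1.1" xpoweredBy="true" />
    <Connector port="8081" protocol="HTTP/1.1" server="Apache TomEE 1.7.0" />
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>
"""

# Dotted number such as "7.0" or "1.7.0" inside a banner string.
VERSION_RE = re.compile(r"\d+(\.\d+)+")


def audit_connectors(server_xml):
    """Return (port, finding) tuples for banner-related Connector settings."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        # AJP connectors talk to a front-end proxy, not to HTTP clients; skip them.
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        # xpoweredBy is off unless explicitly switched on, as noted in the thread.
        if conn.get("xpoweredBy", "false").strip().lower() == "true":
            findings.append((port, "xpoweredBy enabled: X-Powered-By header is sent"))
        server = conn.get("server")
        if server is None:
            # Assumption taken from the thread: with no server attribute the
            # container's default banner is sent.
            findings.append((port, "server unset: default Server banner applies"))
        elif VERSION_RE.search(server):
            findings.append((port, "server value exposes a version: %r" % server))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print("connector %s: %s" % (port, finding))
```
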
