Sure, security is all about children...
Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber <http://www.tomitribe.com>

2015-05-08 0:19 GMT+02:00 Andy <[email protected]>:

> I was just thinking 'Kindergarten', how strange...
>
> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
>
>> hmm this answer doesn't make sense for me, I surely miss something but read
>> it like "hey there is this property you can switch on true but if you
>> google you'll see you shouldn't"
>>
>> Romain Manni-Bucau
>>
>> 2015-05-08 0:15 GMT+02:00 Andy <[email protected]>:
>>
>>> This is what I said and the reason I changed it. And yes the constants
>>> have that for 'server' now, and have also had other values in the past.
>>>
>>> So to be even more complete and correct myself.... changed it from "Apache
>>> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>>
>>> @Romain: "you encourage it by making it on the front of the scene."
>>>
>>> That's like saying I'm encouraging someone to change the 'port', which is
>>> also potentially dangerous when put into the hands of an idiot.
>>> I like, and hope, to think that exposing a property would encourage
>>> someone to look it up before changing it blindly. The very first google hit
>>> on 'xpoweredBy' will enlighten even the most fickle reader.
>>>
>>> Sorry if my opinion just does not fit in on that. Another hour of my life
>>> wasted.
>>>
>>> Andy.
>>>
>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>>
>>>> 2015-05-07 23:56 GMT+02:00 Andy <[email protected]>:
>>>>
>>>>> Also, for completeness:
>>>>>
>>>>> xpoweredBy="*false*" activates nothing, if it were xpoweredBy="*true*"
>>>>> then maybe that might just 'activate' whatever it is you think is being
>>>>> activated here?
>>>>
>>>> you encourage it by making it on the front of the scene.
>>>>
>>>>> server="*Apache TomEE*" merely changes the existing value and also
>>>>> 'activates' nothing. I don't see where you think this is a security
>>>>> issue? Happy to learn though, so please point me to the specific code
>>>>> that this affects?
>>>>
>>>> it is on by default if not overridden by the app.
>>>>
>>>>> Andy.
>>>>>
>>>>> On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>>
>>>>>> You activated 2 different headers which is useless since we change
>>>>>> serverinfo by default, you already get tomee here.
>>>>>>
>>>>>> That said this is not the real issue. Doing it is a standard security
>>>>>> issue, that is why it is off by default in tomcat so I suggest to not
>>>>>> set it on by default
>>>>>>
>>>>>> Romain Manni-Bucau
>>>>>>
>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <[email protected]>:
>>>>>>
>>>>>>> Some crawlers are using that header as the evaluation. Default is
>>>>>>> Apache Tomcat 7.0.x etc and it is always on, so having Apache TomEE
>>>>>>> will give us better standing.
>>>>>>>
>>>>>>> Andy.
>>>>>>>
>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>>
>>>>>>>> PS (sorry hit enter without wishing it): asking cause I wouldn't
>>>>>>>> have it on by default as a user
>>>>>>>>
>>>>>>>> Romain Manni-Bucau
>>>>>>>>
>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <[email protected]>:
>>>>>>>>
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> What's the goal? We already switch server info, isn't it enough?
>>>>>>>>>
>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>
>>>>>>>>> ---------- Forwarded message ----------
>>>>>>>>> From: <[email protected]>
>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>>>> To: [email protected]
>>>>>>>>>
>>>>>>>>> Repository: tomee
>>>>>>>>> Updated Branches:
>>>>>>>>>   refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>>>
>>>>>>>>> TomEE header
>>>>>>>>>
>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>>>
>>>>>>>>> Branch: refs/heads/master
>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>>>> Parents: 2c4047e
>>>>>>>>> Author: [email protected] <[email protected]>
>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>>>> Committer: [email protected] <[email protected]>
>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>
>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>  .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>>>>>>  .../java/org/apache/tomee/installer/Installer.java | 17 +++++++++++++++++
>>>>>>>>>  2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>
>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>> diff --git >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>> index 70fcf6f..17731b9 100644 >>>>>>>>> --- >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>> +++ >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT { >>>>>>>>> " <!-- TomEE plugin for Tomcat -->\n" + >>>>>>>>> " <Listener >>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" + >>>>>>>>> " <Service name=\"Catalina\">\n" + >>>>>>>>> - " <Connector port=\"" + http + "\" >>>>>>>>> protocol=\"HTTP/1.1\" >>>>>>>>> />\n" + >>>>>>>>> + " <Connector port=\"" + http + "\" >>>>>>>>> protocol=\"HTTP/1.1\" >>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" + >>>>>>>>> " <Engine name=\"Catalina\" >>>>>>>>> defaultHost=\"localhost\">\n" + >>>>>>>>> " <Host name=\"localhost\" >>>>>>>>> appBase=\"webapps\"\n" >>>>>>>>> + >>>>>>>>> " unpackWARs=\"true\" >>>>>>>>> autoDeploy=\"true\">\n" + >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>> >>>>>>>>> >>>>>>>>> ---------------------------------------------------------------------- 
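Review bot: the RemoteTomEEEJBContainerIT hunk only edits the server.xml template string (the `<Connector port=... xpoweredBy="false" server="Apache TomEE" />` line) and adds no assertion, so the test cannot tell whether the started container actually sends `Server: Apache TomEE` and no `X-Powered-By`; add a request against the running container in this IT and assert on those two headers, otherwise a later change to the connector constants goes unnoticed. As the thread itself states, `xpoweredBy` is already off by default in Tomcat, so `xpoweredBy="false"` in the template changes nothing and is there only as documentation; a comment saying so would save the next reader the same question.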
>>>>>>>>> diff --git >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>> index 0308c3d..60bd8f7 100644 >>>>>>>>> --- >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>> +++ >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java 
>>>>>>>>> @@ -448,6 +448,23 @@ public class Installer implements >>>>>>>>> InstallerInterface { >>>>>>>>> alerts.addError("Error while adding listener to >>>>>>>>> server.xml >>>>>>>>> file", e); >>>>>>>>> } >>>>>>>>> >>>>>>>>> + //Add TomEE header >>>>>>>>> + try { >>>>>>>>> + newServerXml = Installers.replace(serverXmlOriginal, >>>>>>>>> + "<Connector port=\"8080\"", >>>>>>>>> + "<Connector port=\"8080\"", >>>>>>>>> + "/>", >>>>>>>>> + "xpoweredBy=\"false\" server=\"Apache TomEE\" >>>>>>>>> />"); >>>>>>>>> + >>>>>>>>> + newServerXml = Installers.replace(serverXmlOriginal, >>>>>>>>> + "<Connector port=\"8443\"", >>>>>>>>> + "<Connector port=\"8443\"", >>>>>>>>> + "/>", >>>>>>>>> + "xpoweredBy=\"false\" server=\"Apache TomEE\" >>>>>>>>> />"); >>>>>>>>> + } catch (final IOException e) { >>>>>>>>> + alerts.addError("Error adding server attribute to >>>>>>>>> server.xml >>>>>>>>> file", e); >>>>>>>>> + } >>>>>>>>> + >>>>>>>>> // overwrite server.xml >>>>>>>>> if (Installers.writeAll(paths.getServerXmlFile(), >>>>>>>>> newServerXml, >>>>>>>>> alerts)) { >>>>>>>>> alerts.addInfo("Add OpenEJB listener to >>>>>>>>> server.xml"); >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> >>>>>>>>> Andy Gumbrecht >>>>>>>> >>>>>>> https://twitter.com/AndyGeeDe >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> >>>>>> Andy Gumbrecht >>>>> https://twitter.com/AndyGeeDe >>>>> >>>>> >>>>> >>>>> -- >>> Andy Gumbrecht >>> https://twitter.com/AndyGeeDe >>> >>> >>> > -- > Andy Gumbrecht > https://twitter.com/AndyGeeDe > >
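Review bot: in the Installer hunk the second `Installers.replace` call starts again from `serverXmlOriginal`, so the `newServerXml` produced by the first call (the 8080 connector) is overwritten and only the 8443 connector ends up carrying `xpoweredBy="false" server="Apache TomEE"`; chain the calls instead, i.e. `newServerXml = Installers.replace(newServerXml, "<Connector port=\"8443\"", ...)`. The same re-derivation from the original also matters for the listener edit bracketed by `Error while adding listener to server.xml file` above and `Add OpenEJB listener to server.xml` below: if that block stores its result in `newServerXml`, rebuilding `newServerXml` from `serverXmlOriginal` here discards it before `Installers.writeAll` runs, which is worth checking against the code just above the hunk. Finally, the literal `port="8080"` / `port="8443"` anchors skip any connector a user has moved to another port; if `Installers.replace` returns its input unchanged when the start marker is absent, nothing is reported through `alerts`, so consider adding an info/warning when no connector was rewritten or matching on `protocol="HTTP/1.1"` instead.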
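The thread argues about what the two Connector attributes actually expose on the wire. The check below is an added example, written for this page and not part of TomEE or the commit under discussion: it parses a raw HTTP response, flags an `X-Powered-By` header (what `xpoweredBy="true"` would emit) and a `Server` value carrying a version number, and reports a product name without a version (the `server="Apache TomEE"` case from the commit) as informational. The three sample responses are constructed for illustration, including the `X-Powered-By` value, and `PRODUCT_TOKENS` is an assumed list limited to the names the thread mentions.

```python
"""Added example: audit HTTP response headers for container fingerprinting.

Not TomEE project code. Sample responses below are constructed, not captured.
"""
import re
from dataclasses import dataclass

# Assumption: product names to treat as fingerprints even without a version.
# Limited to the names that appear in the discussion.
PRODUCT_TOKENS = ("coyote", "tomcat", "tomee")

# A bare "major.minor" is what fingerprinting crawlers key on.
VERSION_RE = re.compile(r"\d+\.\d+")


@dataclass(frozen=True)
class Finding:
    header: str    # header name as it appears in the response
    value: str
    severity: str  # "high" (version or X-Powered-By) or "info" (product name only)
    advice: str


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_line, headers).

    Header names are lower-cased; repeated headers keep every value in order.
    The body after the blank line is ignored.
    """
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit(raw: bytes):
    """Return findings for headers that disclose the container product or version."""
    _, headers = parse_response(raw)
    findings = []
    # Any X-Powered-By at all is a disclosure; Tomcat only sends it when
    # xpoweredBy="true" is set on the Connector.
    for value in headers.get("x-powered-by", []):
        findings.append(Finding("X-Powered-By", value, "high",
                                'remove it: xpoweredBy="false" on the Connector'))
    for value in headers.get("server", []):
        if VERSION_RE.search(value):
            findings.append(Finding("Server", value, "high",
                                    'version disclosed: set a neutral server="..." on the Connector'))
        elif any(tok in value.lower() for tok in PRODUCT_TOKENS):
            findings.append(Finding("Server", value, "info",
                                    "product named without a version; acceptable only if that is the policy"))
    return findings


# Constructed sample responses (illustrative values, not captured traffic).
DEFAULT_TOMCAT = (b"HTTP/1.1 200 OK\r\n"
                  b"Server: Apache-Coyote/1.1\r\n"
                  b"X-Powered-By: Servlet/3.0 JSP/2.2 (Apache Tomcat/7.0.62)\r\n"
                  b"Content-Type: text/html\r\n\r\n<html/>")
TOMEE_COMMIT = (b"HTTP/1.1 200 OK\r\n"
                b"Server: Apache TomEE\r\n"
                b"Content-Type: text/html\r\n\r\n<html/>")
NEUTRAL = (b"HTTP/1.1 200 OK\r\n"
           b"Content-Type: text/html\r\n\r\n<html/>")

if __name__ == "__main__":
    for label, raw in (("default Tomcat", DEFAULT_TOMCAT),
                       ("server=\"Apache TomEE\", xpoweredBy=\"false\"", TOMEE_COMMIT),
                       ("no Server header", NEUTRAL)):
        print(label)
        for f in audit(raw) or [Finding("-", "-", "ok", "no disclosure found")]:
            print(f"  [{f.severity}] {f.header}: {f.value}  ->  {f.advice}")
```

To run it against a live connector, pipe the bytes of `curl -si http://host:8080/` into `audit()`; the parser stops at the first blank line, so the body is harmless. Note that "Apache TomEE" comes back as `info`, not clean: it hides the version but still names the product, which is exactly the trade-off the thread is about.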
