Not what I said. I said: 1) over-exposing a variable you shouldn't activate is useless, 2) we shouldn't set "Apache TomEE" as the server variable by default.

Happy to replace these defaults by a server.xml.sample or anything you judge appropriate while we stay aligned on Tomcat's default secured settings (also note that "Apache Coyote" is secure because most servers have it; otherwise it would be the same as "Apache TomEE").

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber <http://www.tomitribe.com>

2015-05-08 0:24 GMT+02:00 Andy <[email protected]>:

> Hmm, so why do you want to treat the system administrator like one?
>
> On 08/05/2015 00:21, Romain Manni-Bucau wrote:
>
>> Sure, security is all about children...
>>
>> 2015-05-08 0:19 GMT+02:00 Andy <[email protected]>:
>>
>>> I was just thinking 'Kindergarten', how strange...
>>>
>>> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
>>>
>>>> Hmm, this answer doesn't make sense to me; I surely miss something, but I read it like "hey, there is this property you can switch to true, but if you google you'll see you shouldn't".
>>>>
>>>> 2015-05-08 0:15 GMT+02:00 Andy <[email protected]>:
>>>>
>>>>> This is what I said and the reason I changed it. And yes, the constants have that for 'server' now, and have also had other values in the past.
>>>>>
>>>>> So to be even more complete and correct myself.... changed it from "Apache Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>>>>
>>>>> @Romain: "you encourage it by making it on the front of the scene."
>>>>>
>>>>> That's like saying I'm encouraging someone to change the 'port', which is also potentially dangerous when put into the hands of an idiot. I like, and hope, to think that exposing a property would encourage someone to look it up before changing it blindly. The very first Google hit on 'xpoweredBy' will enlighten even the most fickle reader.
>>>>>
>>>>> Sorry if my opinion just does not fit in on that. Another hour of my life wasted.
>>>>>
>>>>> Andy.
>>>>>
>>>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>>>>
>>>>>> 2015-05-07 23:56 GMT+02:00 Andy <[email protected]>:
>>>>>>
>>>>>>> Also, for completeness:
>>>>>>>
>>>>>>> xpoweredBy="*false*" activates nothing; if it were xpoweredBy="*true*" then maybe that might just 'activate' whatever it is you think is being activated here?
>>>>>>
>>>>>> You encourage it by making it on the front of the scene.
>>>>>>
>>>>>>> server="*Apache TomEE*" merely changes the existing value and also 'activates' nothing. I don't see where you think this is a security issue? Happy to learn though, so please point me to the specific code that this affects?
>>>>>>
>>>>>> It is on by default and is not overridden by the app.
>>>>>>
>>>>>>> Andy.
>>>>>>>
>>>>>>> On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>>>>
>>>>>>>> You activated 2 different headers, which is useless since we change serverinfo by default; you already get TomEE here.
>>>>>>>>
>>>>>>>> That said, this is not the real issue. Doing it is a standard security issue; that is why it is off by default in Tomcat, so I suggest not setting it on by default.
>>>>>>>>
>>>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <[email protected]>:
>>>>>>>>
>>>>>>>>> Some crawlers are using that header as the evaluation. Default is Apache Tomcat 7.0.x etc. and it is always on, so having Apache TomEE will give us better standing.
>>>>>>>>>
>>>>>>>>> Andy.
>>>>>>>>>
>>>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>>>>
>>>>>>>>>> PS (sorry, hit enter without wishing it): asking because I wouldn't have it on by default as a user.
>>>>>>>>>>
>>>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <[email protected]>:
>>>>>>>>>>
>>>>>>>>>>> Hi
>>>>>>>>>>>
>>>>>>>>>>> What's the goal? We already switch server info, isn't it enough?
>>>>>>>>>>>
>>>>>>>>>>> ---------- Forwarded message ----------
>>>>>>>>>>> From: <[email protected]>
>>>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>>>>>> To: [email protected]
>>>>>>>>>>>
>>>>>>>>>>> Repository: tomee
>>>>>>>>>>> Updated Branches:
>>>>>>>>>>>   refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>>>>>
>>>>>>>>>>> TomEE header
>>>>>>>>>>>
>>>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>>>>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>>>>>
>>>>>>>>>>> Branch: refs/heads/master
>>>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>>>>>> Parents: 2c4047e
>>>>>>>>>>> Author: [email protected] <[email protected]>
>>>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>> Committer: [email protected] <[email protected]>
>>>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>
>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>  .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>>>>>>>>  .../java/org/apache/tomee/installer/Installer.java | 17 +++++++++++++++++
>>>>>>>>>>>  2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>> ----------------------------------------------------------------------
diff --git >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>> index 70fcf6f..17731b9 100644 >>>>>>>>>>> --- >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>> +++ >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT { >>>>>>>>>>> " <!-- TomEE plugin for Tomcat -->\n" + >>>>>>>>>>> " <Listener >>>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" + >>>>>>>>>>> " <Service name=\"Catalina\">\n" + >>>>>>>>>>> - " <Connector port=\"" + http + "\" >>>>>>>>>>> protocol=\"HTTP/1.1\" >>>>>>>>>>> />\n" + >>>>>>>>>>> + " <Connector port=\"" + http + "\" >>>>>>>>>>> protocol=\"HTTP/1.1\" >>>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" + >>>>>>>>>>> " <Engine name=\"Catalina\" >>>>>>>>>>> defaultHost=\"localhost\">\n" + >>>>>>>>>>> " <Host name=\"localhost\" >>>>>>>>>>> appBase=\"webapps\"\n" >>>>>>>>>>> + >>>>>>>>>>> " unpackWARs=\"true\" >>>>>>>>>>> autoDeploy=\"true\">\n" + >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> ---------------------------------------------------------------------- >>>>>>>>>>> 
diff --git >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>> index 0308c3d..60bd8f7 100644 >>>>>>>>>>> --- >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>> +++ >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>> 
@@ -448,6 +448,23 @@ public class Installer implements >>>>>>>>>>> InstallerInterface { >>>>>>>>>>> alerts.addError("Error while adding listener to >>>>>>>>>>> server.xml >>>>>>>>>>> file", e); >>>>>>>>>>> } >>>>>>>>>>> >>>>>>>>>>> + //Add TomEE header >>>>>>>>>>> + try { >>>>>>>>>>> + newServerXml = Installers.replace(serverXmlOriginal, >>>>>>>>>>> + "<Connector port=\"8080\"", >>>>>>>>>>> + "<Connector port=\"8080\"", >>>>>>>>>>> + "/>", >>>>>>>>>>> + "xpoweredBy=\"false\" server=\"Apache >>>>>>>>>>> TomEE\" >>>>>>>>>>> />"); >>>>>>>>>>> + >>>>>>>>>>> + newServerXml = Installers.replace(serverXmlOriginal, >>>>>>>>>>> + "<Connector port=\"8443\"", >>>>>>>>>>> + "<Connector port=\"8443\"", >>>>>>>>>>> + "/>", >>>>>>>>>>> + "xpoweredBy=\"false\" server=\"Apache >>>>>>>>>>> TomEE\" >>>>>>>>>>> />"); >>>>>>>>>>> + } catch (final IOException e) { >>>>>>>>>>> + alerts.addError("Error adding server attribute to >>>>>>>>>>> server.xml >>>>>>>>>>> file", e); >>>>>>>>>>> + } >>>>>>>>>>> + >>>>>>>>>>> // overwrite server.xml >>>>>>>>>>> if (Installers.writeAll(paths.getServerXmlFile(), >>>>>>>>>>> newServerXml, >>>>>>>>>>> alerts)) { >>>>>>>>>>> alerts.addInfo("Add OpenEJB listener to >>>>>>>>>>> server.xml"); >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> >>>>>>>>>>> Andy Gumbrecht >>>>>>>>>>> >>>>>>>>>> https://twitter.com/AndyGeeDe >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> >>>>>>>>> Andy Gumbrecht >>>>>>>> >>>>>>> https://twitter.com/AndyGeeDe >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> >>>>>> Andy Gumbrecht >>>>> https://twitter.com/AndyGeeDe >>>>> >>>>> >>>>> >>>>> -- >>> Andy Gumbrecht >>> https://twitter.com/AndyGeeDe >>> >>> >>> > -- > Andy Gumbrecht > https://twitter.com/AndyGeeDe > >
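Review bot: in the RemoteTomEEEJBContainerIT hunk the test writes `xpoweredBy="false" server="Apache TomEE"` into the Connector of the server.xml it generates itself, so it exercises neither the Installer replacement nor a stock server.xml; the commit needs a test that feeds a stock server.xml through the installer (or through the `Installers.replace` calls) and asserts on the resulting Connector element, otherwise a broken replacement in Installer.java stays green.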
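Review bot: in the Installer.java hunk both new `Installers.replace(serverXmlOriginal, ...)` calls start from `serverXmlOriginal` and assign to `newServerXml`, so the 8443 call discards the 8080 edit and the 8080 call discards whatever the preceding listener step (the `catch` just above reports "Error while adding listener to server.xml file") had placed in `newServerXml`; the file that `Installers.writeAll(paths.getServerXmlFile(), newServerXml, alerts)` then writes carries only the 8443 edit. Chain the calls instead: `newServerXml = Installers.replace(newServerXml, "<Connector port=\"8080\"", "<Connector port=\"8080\"", "/>", ...)` and the same for 8443. Two smaller points: `xpoweredBy="false"` is Tomcat's default (the thread itself says it is off by default), so writing it changes nothing and the only effective change is `server="Apache TomEE"`; and the success message `alerts.addInfo("Add OpenEJB listener to server.xml")` no longer describes what the write now does, so the Connector edit should get its own info entry.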
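As an added check for the two headers this thread argues about (example code written for this page, not TomEE's and not from either poster), the script below parses a raw HTTP response and reports whether `Server` names a product or carries a version string and whether `X-Powered-By` is sent at all. The four sample responses are constructed here; the `X-Powered-By` value only approximates the shape Tomcat emits with `xpoweredBy="true"`, and `fetch_raw_head` is a hypothetical helper for running the same audit against a live port.

```python
"""Audit the Server and X-Powered-By headers a Tomcat/TomEE Connector emits.

Added example for this thread; not TomEE code and not from the posts.
The sample responses are constructed inline and model the cases discussed:
stock Tomcat, the commit's server="Apache TomEE", xpoweredBy="true", and a
response whose Server header a proxy has stripped.
"""
import http.client
import re
from typing import Dict, List, Tuple

# A slash followed by digits, e.g. "Apache-Coyote/1.1" or "Tomcat/7.0.59".
# Assumption: anything matching this counts as a version disclosure. The stock
# Tomcat value "Apache-Coyote/1.1" matches as well, which is the point: it
# identifies the container even though 1.1 is not a Tomcat release number.
VERSION_RE = re.compile(r"/\d+(?:\.\d+)*")

Headers = Dict[str, List[str]]


def parse_response(raw: str) -> Tuple[str, Headers]:
    """Split a raw HTTP/1.x response into its status line and a header map.

    Names are lower-cased; repeated headers are kept as a list so a proxy
    that appends a second Server header remains visible to the audit.
    """
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP response: {lines[0]!r}")
    headers: Headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit_headers(headers: Headers) -> dict:
    """Classify what the response discloses about the servlet container."""
    server = headers.get("server", [])
    powered_by = headers.get("x-powered-by", [])
    findings: List[str] = []

    if not server:
        server_level = "absent"
    elif any(VERSION_RE.search(v) for v in server):
        server_level = "product+version"
        findings.append(f"Server header carries a version string: {server!r}")
    else:
        server_level = "product"
        findings.append(f"Server header names the product: {server!r}")

    if powered_by:
        # Tomcat only emits this when the Connector has xpoweredBy="true"
        # (or an application sets it itself); it is absent by default.
        findings.append(f"X-Powered-By is being sent: {powered_by!r}")

    return {"server": server_level, "x_powered_by": bool(powered_by),
            "findings": findings}


def audit_response(raw: str) -> dict:
    status, headers = parse_response(raw)
    report = audit_headers(headers)
    report["status"] = status
    return report


def fetch_raw_head(host: str, port: int = 8080, path: str = "/",
                   timeout: float = 5.0) -> str:
    """HEAD a live target and rebuild a raw head for audit_response()."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{name}: {value}" for name, value in resp.getheaders()]
        return "\r\n".join(lines) + "\r\n\r\n"
    finally:
        conn.close()


# Constructed sample responses (not captured from any real server).
SAMPLE_TOMCAT_DEFAULT = ("HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
                         "Content-Length: 0\r\n\r\n")
SAMPLE_XPOWEREDBY_ON = ("HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
                        "X-Powered-By: Servlet/3.1 JSP/2.3 (Apache Tomcat/8.0.0 "
                        "Java/Oracle Corporation/1.8.0_45)\r\n"
                        "Content-Length: 0\r\n\r\n")
SAMPLE_COMMIT_SETTINGS = ("HTTP/1.1 200 OK\r\nServer: Apache TomEE\r\n"
                          "Content-Length: 0\r\n\r\n")   # the commit's aim
SAMPLE_STRIPPED = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"  # proxy stripped it

if __name__ == "__main__":
    for label, raw in [("tomcat default", SAMPLE_TOMCAT_DEFAULT),
                       ("xpoweredBy=true", SAMPLE_XPOWEREDBY_ON),
                       ("commit settings", SAMPLE_COMMIT_SETTINGS),
                       ("stripped", SAMPLE_STRIPPED)]:
        print(label, audit_response(raw))
```

Run against a real port with `audit_response(fetch_raw_head("host", 8080))`; a clean result is `server == "absent"` with no `X-Powered-By`, which only a proxy or a custom filter gives you, since Tomcat's `server` attribute replaces the value rather than removing the header.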
