Yes yes whatever, you win (not that this was ever intended to be a
competition, you just seem to enjoy making it into one every single
time)... I am going to bed. Complete waste of my time. You still imply
that I have unsecured something?
On 08/05/2015 00:26, Romain Manni-Bucau wrote:
not what I said.
I said:
1) over-exposing a variable you shouldn't activate is useless
2) we shouldn't set Apache TomEE as the server variable by default
Happy to replace these defaults by a server.xml.sample or anything you
judge appropriate while we stay aligned on Tomcat default secured settings
(also note that Apache Coyote is secured because most servers have it,
otherwise it would be as Apache TomEE)
Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>
2015-05-08 0:24 GMT+02:00 Andy <[email protected]>:
Hmm, so why do you want to treat the system administrator like one?
On 08/05/2015 00:21, Romain Manni-Bucau wrote:
Sure security is all about children...
2015-05-08 0:19 GMT+02:00 Andy <[email protected]>:
I was just thinking 'Kindergarten', how strange...
On 08/05/2015 00:17, Romain Manni-Bucau wrote:
Hmm, this answer doesn't make sense to me. I surely miss something, but I
read it like "hey, there is this property you can switch on to true, but if
you google you'll see you shouldn't".
2015-05-08 0:15 GMT+02:00 Andy <[email protected]>:
This is what I said and the reason I changed it. And yes, the constants
have that for 'server' now, and have also had other values in the past.
So, to be even more complete and to correct myself... I changed it from
"Apache Coyote/1.1" to "Apache TomEE", which is still better IMHO.
@Romain: "you encourage it by making it on the front of the scene."
That's like saying I'm encouraging someone to change the 'port', which is
also potentially dangerous when put into the hands of an idiot.
I like, and hope, to think that exposing a property would encourage
someone to look it up before changing it blindly. The very first Google
hit on 'xpoweredBy' will enlighten even the most fickle reader.
Sorry if my opinion just does not fit in on that. Another hour of my life
wasted.
Andy.
On 07/05/2015 23:58, Romain Manni-Bucau wrote:
2015-05-07 23:56 GMT+02:00 Andy <[email protected]>:
Also, for completeness:
xpoweredBy="*false*" activates nothing; if it were xpoweredBy="*true*"
then maybe that might just 'activate' whatever it is you think is being
activated here?
you encourage it by making it on the front of the scene.
server="*Apache TomEE*" merely changes the existing value and also
'activates' nothing. I don't see where you think this is a security
issue? Happy to learn though, so please point me to the specific code
that this affects?
it is on by default and is not overridden by the app.
Andy.
On 07/05/2015 23:21, Romain Manni-Bucau wrote:
You activated 2 different headers, which is useless since we change
serverinfo by default; you already get tomee here.
That said, this is not the real issue. Doing it is a standard security
issue, that is why it is off by default in Tomcat, so I suggest not to
set it on by default.
2015-05-07 23:10 GMT+02:00 Andy <[email protected]>:
Some crawlers are using that header as the evaluation. Default is Apache
Tomcat 7.0.x etc. and it is always on, so having Apache TomEE will give
us better standing.
Andy.
On 07/05/2015 22:38, Romain Manni-Bucau wrote:
PS (sorry, hit enter without wishing it): asking because I wouldn't have
it on by default as a user.
2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <[email protected]>:
Hi,
What's the goal? We already switch server info, isn't it enough?
---------- Forwarded message ----------
From: <[email protected]>
Date: 2015-05-07 22:03 GMT+02:00
Subject: tomee git commit: TomEE header
To: [email protected]
Repository: tomee
Updated Branches:
refs/heads/master 2c4047e14 -> 268b57c86
TomEE header
Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
Commit:
http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
Branch: refs/heads/master
Commit: 268b57c868c055e3788b85d6ed6a192da094e808
Parents: 2c4047e
Author: [email protected] <[email protected]>
Authored: Thu May 7 22:03:35 2015 +0200
Committer: [email protected] <[email protected]>
Committed: Thu May 7 22:03:35 2015 +0200
----------------------------------------------------------------------
.../apache/tomee/RemoteTomEEEJBContainerIT.java | 2 +-
.../java/org/apache/tomee/installer/Installer.java | 17 +++++++++++++++++
2 files changed, 18 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
----------------------------------------------------------------------
diff --git
a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
index 70fcf6f..17731b9 100644
---
a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
+++
b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
@@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
" <!-- TomEE plugin for Tomcat -->\n" +
" <Listener
className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
" <Service name=\"Catalina\">\n" +
- " <Connector port=\"" + http + "\"
protocol=\"HTTP/1.1\"
/>\n" +
+ " <Connector port=\"" + http + "\"
protocol=\"HTTP/1.1\"
xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
" <Engine name=\"Catalina\"
defaultHost=\"localhost\">\n" +
" <Host name=\"localhost\"
appBase=\"webapps\"\n"
+
" unpackWARs=\"true\"
autoDeploy=\"true\">\n" +
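Review bot: this hunk only changes the server.xml string the test generates; no assertion on the resulting response headers appears in the hunk, so the test would still pass if the new `xpoweredBy` and `server` attributes were silently ignored by the Connector. Suggest asserting on a response from the started container, e.g. that the `Server` header equals `Apache TomEE` and that no `X-Powered-By` header is present, so the change the commit message describes is actually exercised.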
http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
----------------------------------------------------------------------
diff --git
a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
index 0308c3d..60bd8f7 100644
---
a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
+++
b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
@@ -448,6 +448,23 @@ public class Installer implements
InstallerInterface {
alerts.addError("Error while adding listener to
server.xml
file", e);
}
+ //Add TomEE header
+ try {
+ newServerXml = Installers.replace(serverXmlOriginal,
+ "<Connector port=\"8080\"",
+ "<Connector port=\"8080\"",
+ "/>",
+ "xpoweredBy=\"false\" server=\"Apache
TomEE\"
/>");
+
+ newServerXml = Installers.replace(serverXmlOriginal,
+ "<Connector port=\"8443\"",
+ "<Connector port=\"8443\"",
+ "/>",
+ "xpoweredBy=\"false\" server=\"Apache
TomEE\"
/>");
+ } catch (final IOException e) {
+ alerts.addError("Error adding server attribute to
server.xml
file", e);
+ }
+
// overwrite server.xml
if (Installers.writeAll(paths.getServerXmlFile(),
newServerXml,
alerts)) {
alerts.addInfo("Add OpenEJB listener to
server.xml");
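Review bot: both `Installers.replace` calls read from `serverXmlOriginal` instead of the working copy `newServerXml`, so the second assignment (port 8443) discards the 8080 edit, and the first discards whatever `newServerXml` already held from the listener block above it; only the last replacement reaches `Installers.writeAll` below. Chain the calls on the previous result, i.e. `newServerXml = Installers.replace(newServerXml, "<Connector port=\"8443\"", ...)`. Two smaller points: the match is on the literal `<Connector port="8080"` / `<Connector port="8443"`, so a connector on any other port is skipped with no alert, and the `addInfo` message written after this block still says only "Add OpenEJB listener to server.xml", so the header change is invisible in the installer log.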
--
Andy Gumbrecht
https://twitter.com/AndyGeeDe
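The thread above argues over the Connector `server` and `xpoweredBy` attributes, and the committed installer code sets them with chained string replacements on server.xml. As an added example (not code from TomEE, its `Installers.replace` helper, or either participant), the Python script below applies the same two attributes to every `<Connector>` by editing the parsed document, so no earlier edit can be discarded and a connector with a child element or a non-default port is still handled. `SAMPLE_SERVER_XML` is a constructed sample modelled on a stock server.xml, and `harden_connectors` / `connector_headers` are hypothetical helper names; comment-preserving parsing needs Python 3.8 or later.

```python
"""Set xpoweredBy="false" and server="..." on every Tomcat <Connector>.

Added illustration, not TomEE's Installers.replace: edits the parsed
server.xml tree instead of chaining string replacements, so every
Connector is updated and no earlier edit is lost.
Requires Python 3.8+ (TreeBuilder(insert_comments=True)).
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on a default Tomcat server.xml (not a real file).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <!-- TomEE plugin for Tomcat -->
  <Listener className="org.apache.tomee.catalina.ServerListener" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""


def _parse(xml_text: str) -> ET.Element:
    # Keep XML comments so the rewritten file stays readable for the admin.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def harden_connectors(xml_text: str, server_name: str = "Apache TomEE") -> str:
    """Return server.xml with header-disclosure attributes set on every Connector.

    Walking the tree avoids two string-edit pitfalls: a search for the next
    "/>" after the 8443 connector start would land on <Certificate .../> in
    the sample, and a connector on a non-default port would be skipped.
    """
    root = _parse(xml_text)
    for connector in root.iter("Connector"):
        connector.set("xpoweredBy", "false")   # suppress the X-Powered-By header
        connector.set("server", server_name)   # fixed value for the Server header
    return ET.tostring(root, encoding="unicode")


def connector_headers(xml_text: str) -> dict:
    """Map connector port -> (xpoweredBy, server) for a quick audit of a server.xml.

    Tomcat's documented default for xpoweredBy is false; server=None means the
    connector falls back to Tomcat's own default Server header value.
    """
    root = _parse(xml_text)
    return {
        c.get("port"): (c.get("xpoweredBy", "false"), c.get("server"))
        for c in root.iter("Connector")
    }


if __name__ == "__main__":
    hardened = harden_connectors(SAMPLE_SERVER_XML)
    print(hardened)
    print(connector_headers(hardened))
```

`connector_headers` doubles as the audit step the thread never reaches: run it over a deployed server.xml and any connector reporting `xpoweredBy="true"` or an unset `server` is the one still advertising implementation details.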