You're kidding, right? Now you're clutching at straws..... oh yeah, let's add the TomEE Plus. :-D

Night.

On 08/05/2015 00:34, Romain Manni-Bucau wrote:
2015-05-08 0:32 GMT+02:00 Andy <[email protected]>:

Yes, yes, whatever, you win (not that this was ever intended to be a
competition; you just seem to enjoy making it into one every single
time)... I am going to bed. Complete waste of my time. You still imply that
I have unsecured something?


You make TomEE easily identifiable compared to Tomcat (= more or less any
Java server on the web). This way it is super easy to know that you can
exploit a CXF issue, for instance, something you don't know with the default
header.


On 08/05/2015 00:26, Romain Manni-Bucau wrote:

Not what I said.

I said:
1) over-exposing a variable you shouldn't activate is useless
2) we shouldn't set Apache TomEE as the server variable by default

Happy to replace these defaults with a server.xml.sample or anything you
judge appropriate while we stay aligned with Tomcat's default secured
settings (also note that Apache Coyote is secure because most servers have
it; otherwise it would be like Apache TomEE).




Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <
https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-05-08 0:24 GMT+02:00 Andy <[email protected]>:

  Hmm, so why do you want to treat the system administrator like one?
On 08/05/2015 00:21, Romain Manni-Bucau wrote:

Sure, security is all about children...


2015-05-08 0:19 GMT+02:00 Andy <[email protected]>:

   I was just thinking 'Kindergarten', how strange...

On 08/05/2015 00:17, Romain Manni-Bucau wrote:

Hmm, this answer doesn't make sense to me; I surely miss something, but I
read it like "hey, there is this property you can switch to true, but if you
google it you'll see you shouldn't".



2015-05-08 0:15 GMT+02:00 Andy <[email protected]>:

This is what I said and the reason I changed it. And yes, the constants
have that for 'server' now, and have also had other values in the past.

So to be even more complete and correct myself.... changed it from "Apache
Coyote/1.1" to "Apache TomEE", which is still better IMHO.

@Romain: "you encourage it by making it on the front of the scene."

That's like saying I'm encouraging someone to change the 'port', which is
also potentially dangerous when put into the hands of an idiot. I like, and
hope, to think that exposing a property would encourage someone to look it
up before changing it blindly. The very first google hit on 'xpoweredBy'
will enlighten even the most fickle reader.

Sorry if my opinion just does not fit in on that. Another hour of my life
wasted.

Andy.


On 07/05/2015 23:58, Romain Manni-Bucau wrote:

2015-05-07 23:56 GMT+02:00 Andy <[email protected]>:

Also, for completeness:
xpoweredBy="*false*" activates nothing; if it were xpoweredBy="*true*"
then maybe that might just 'activate' whatever it is you think is being
activated here?

you encourage it by making it on the front of the scene.

server="*Apache TomEE*" merely changes the existing value and also
'activates' nothing. I don't see where you think this is a security issue?
Happy to learn though, so please point me to the specific code that this
affects?

it is on by default and is not overridden by the app.

Andy.

On 07/05/2015 23:21, Romain Manni-Bucau wrote:

You activated 2 different headers, which is useless since we change
serverinfo by default; you already get tomee here.

That said, this is not the real issue. Doing it is a standard security
issue; that is why it is off by default in Tomcat, so I suggest not
setting it on by default.





2015-05-07 23:10 GMT+02:00 Andy <[email protected]>:

Some crawlers are using that header as the evaluation. Default is Apache
Tomcat 7.0.x etc. and it is always on, so having Apache TomEE will give us
better standing.

Andy.

On 07/05/2015 22:38, Romain Manni-Bucau wrote:

PS (sorry, hit enter without wishing it): asking because I wouldn't have it
on by default as a user.


2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <[email protected]>:

Hi

What's the goal? We already switch server info, isn't it enough?



---------- Forwarded message ----------
From: <[email protected]>
Date: 2015-05-07 22:03 GMT+02:00
Subject: tomee git commit: TomEE header
To: [email protected]


Repository: tomee
Updated Branches:
         refs/heads/master 2c4047e14 -> 268b57c86


TomEE header


Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8

Branch: refs/heads/master
Commit: 268b57c868c055e3788b85d6ed6a192da094e808
Parents: 2c4047e
Author: [email protected] <[email protected]>
Authored: Thu May 7 22:03:35 2015 +0200
Committer: [email protected] <[email protected]>
Committed: Thu May 7 22:03:35 2015 +0200





----------------------------------------------------------------------
 .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
 .../java/org/apache/tomee/installer/Installer.java | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)




----------------------------------------------------------------------









http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java




----------------------------------------------------------------------
diff --git






a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java






b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
index 70fcf6f..17731b9 100644
---






a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
+++






b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
@@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
                    "  <!-- TomEE plugin for Tomcat -->\n" +
                    "  <Listener
className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
                    "  <Service name=\"Catalina\">\n" +
-            "    <Connector port=\"" + http + "\"
protocol=\"HTTP/1.1\"
/>\n" +
+            "    <Connector port=\"" + http + "\"
protocol=\"HTTP/1.1\"
xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
                    "    <Engine name=\"Catalina\"
defaultHost=\"localhost\">\n" +
                    "      <Host name=\"localhost\"
appBase=\"webapps\"\n"
+
                    "            unpackWARs=\"true\"
autoDeploy=\"true\">\n" +
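Review bot: the added Connector line sets server="Apache TomEE", which replaces the connector's generic default Server header with a value that names the product (the fingerprinting concern raised elsewhere in this thread), while xpoweredBy="false" only restates Tomcat's default and changes nothing. Since this is the test fixture's server.xml, consider leaving server unset here so the test keeps exercising the default, or, if the test is meant to cover the new attributes, add an assertion on the response headers; nothing in this hunk checks them.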








http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java




----------------------------------------------------------------------
diff --git






a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java






b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
index 0308c3d..60bd8f7 100644
---






a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
+++






b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
@@ -448,6 +448,23 @@ public class Installer implements
InstallerInterface {
                    alerts.addError("Error while adding
listener to
server.xml
file", e);
                }

+        //Add TomEE header
+        try {
+            newServerXml =
Installers.replace(serverXmlOriginal,
+                    "<Connector port=\"8080\"",
+                    "<Connector port=\"8080\"",
+                    "/>",
+                    "xpoweredBy=\"false\" server=\"Apache
TomEE\"
/>");
+
+            newServerXml =
Installers.replace(serverXmlOriginal,
+                    "<Connector port=\"8443\"",
+                    "<Connector port=\"8443\"",
+                    "/>",
+                    "xpoweredBy=\"false\" server=\"Apache
TomEE\"
/>");
+        } catch (final IOException e) {
+            alerts.addError("Error adding server attribute to
server.xml
file", e);
+        }
+
                // overwrite server.xml
                if
(Installers.writeAll(paths.getServerXmlFile(),
newServerXml,
alerts)) {
                    alerts.addInfo("Add OpenEJB listener to
server.xml");
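Review bot: the second Installers.replace(serverXmlOriginal, ...) call for port 8443 starts again from serverXmlOriginal and overwrites newServerXml, so the 8080 edit made by the first call is thrown away; and if serverXmlOriginal is the untouched file, as its name suggests, the listener added just above ("Error while adding listener to server.xml") is lost as well before Installers.writeAll(paths.getServerXmlFile(), newServerXml, alerts) runs. Chain the calls instead, feeding newServerXml into the second replace and starting the first from whatever the listener step produced. Two smaller points: the matches are keyed on the literal <Connector port="8080" / port="8443" strings, so a connector on any other port is silently left unchanged, and the success message still reads "Add OpenEJB listener to server.xml"; a separate info line for the header change would make failures easier to diagnose.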




      --

         Andy Gumbrecht

         https://twitter.com/AndyGeeDe

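As an added example (not code from the TomEE project or from anyone in this thread), a Python audit of the two Connector attributes the thread argues over, run over a constructed server.xml that includes the connector line the commit writes; the product-marker list and the hardening policy are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Added example, not TomEE project code. `server` overrides the Server response
# header (unset = the connector's built-in default); `xpoweredBy` emits an
# X-Powered-By header when "true" (Tomcat's documented default is false).
XPOWERED_BY_DEFAULT = False
PRODUCT_MARKERS = ("tomee", "tomcat", "coyote")  # assumed product-naming values

# Constructed sample; the 8080 line mirrors what the commit in the thread writes.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               xpoweredBy="false" server="Apache TomEE" />
    <Connector port="8443" protocol="HTTP/1.1" xpoweredBy="true" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

def _is_true(value, default):
    # Tomcat boolean attribute; a missing attribute means the documented default.
    return default if value is None else value.strip().lower() == "true"

def _names_product(server):
    return bool(server) and any(m in server.lower() for m in PRODUCT_MARKERS)

def audit_connectors(server_xml):
    """One finding per HTTP connector: port, effective settings, issues."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "HTTP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue  # AJP connectors send no HTTP response headers
        server = conn.get("server")
        xpowered = _is_true(conn.get("xpoweredBy"), XPOWERED_BY_DEFAULT)
        issues = []
        if _names_product(server):
            issues.append("server attribute names the product")
        if xpowered:
            issues.append("xpoweredBy enabled")
        findings.append({"port": conn.get("port"), "server": server,
                         "xpoweredBy": xpowered, "issues": issues})
    return findings

def harden(server_xml):
    """Drop product-naming `server` attributes and force xpoweredBy off."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if _names_product(conn.get("server")):
            del conn.attrib["server"]
        if _is_true(conn.get("xpoweredBy"), XPOWERED_BY_DEFAULT):
            conn.set("xpoweredBy", "false")
    return ET.tostring(root, encoding="unicode")
```

Run audit_connectors on a real conf/server.xml to see which connectors would advertise the product; harden returns a copy with those attributes reset to the connector defaults.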
