...just read security documents you'll realize I don't. The minimumerrorvalve was not created for fun just to remove tomcat string from error pages!

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber <http://www.tomitribe.com>

2015-05-08 0:41 GMT+02:00 Andy <[email protected]>:

> You're kidding right. Now you're clutching straws..... oh yea, let's add the TomEE Plus. :-D
>
> Night.
>
> On 08/05/2015 00:34, Romain Manni-Bucau wrote:
>
>> 2015-05-08 0:32 GMT+02:00 Andy <[email protected]>:
>>
>>> Yes yes whatever, you win (not that this was ever intended to be a competition, you just seem to enjoy making it into one every single time)... I am going to bed. Complete waste of my time. You still imply that I have unsecured something?
>>
>> you make tomee easily identifiable compared to tomcat (= any java server of the web more or less). This way it is super easy to know that you can exploit a cxf issue for instance, thing you don't know with default header.
>>
>>> On 08/05/2015 00:26, Romain Manni-Bucau wrote:
>>>
>>>> not what I said.
>>>>
>>>> I said:
>>>> 1) over exposing a variable you shouldn't activate is useless
>>>> 2) we shouldn't set Apache TomEE to server variable by default
>>>>
>>>> Happy to replace these defaults by a server.xml.sample or anything you judge appropriate while we stay aligned on tomcat default secured settings (also note that Apache Coyote is secured cause most of servers have it otherwise it would be as Apache TomEE)
>>>>
>>>> 2015-05-08 0:24 GMT+02:00 Andy <[email protected]>:
>>>>
>>>>> Hmm, so why do you want to treat the system administrator like one?
>>>>>
>>>>> On 08/05/2015 00:21, Romain Manni-Bucau wrote:
>>>>>
>>>>>> Sure security is all about children...
>>>>>>
>>>>>> 2015-05-08 0:19 GMT+02:00 Andy <[email protected]>:
>>>>>>
>>>>>>> I was just thinking 'Kindergarten', how strange...
>>>>>>>
>>>>>>> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
>>>>>>>
>>>>>>>> hmm this answer doesn't make sense for me, I surely miss something but read it like "hey there is this property you can switch on true but if you google you'll see you shouldn't"
>>>>>>>>
>>>>>>>> 2015-05-08 0:15 GMT+02:00 Andy <[email protected]>:
>>>>>>>>
>>>>>>>>> This is what I said and the reason I changed it. And yes the constants have that for 'server' now, and have also had other values in the past.
>>>>>>>>>
>>>>>>>>> So to be even more complete and correct myself.... changed it from "Apache Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>>>>>>>>
>>>>>>>>> @Romain: "you encourage it by making it on the front of the scene."
>>>>>>>>>
>>>>>>>>> That's like saying I'm encouraging someone to change the 'port', which is also potentially dangerous when put into the hands of an idiot. I like, and hope, to think that exposing a property would encourage someone to look it up before changing it blindly. The very first google hit on 'xpoweredBy' will enlighten even the most fickle reader.
>>>>>>>>>
>>>>>>>>> Sorry if my opinion just does not fit in on that. Another hour of my life wasted.
>>>>>>>>>
>>>>>>>>> Andy.
>>>>>>>>>
>>>>>>>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>>>>>>>>
>>>>>>>>>> 2015-05-07 23:56 GMT+02:00 Andy <[email protected]>:
>>>>>>>>>>
>>>>>>>>>>> Also, for completeness:
>>>>>>>>>>>
>>>>>>>>>>> xpoweredBy="*false*" activates nothing, if it were xpoweredBy="*true*" then maybe that might just 'activate' whatever it is you think is being activated here?
>>>>>>>>>>
>>>>>>>>>> you encourage it by making it on the front of the scene.
>>>>>>>>>>
>>>>>>>>>>> server="*Apache TomEE*" merely changes the existing value and also 'activates' nothing. I don't see where you think this is a security issue? Happy to learn though, so please point me to the specific code that this affects?
>>>>>>>>>>
>>>>>>>>>> it is on by default is not overridden by the app.
>>>>>>>>>>
>>>>>>>>>>> Andy.
>>>>>>>>>>>
>>>>>>>>>>> On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>>>>>>>>
>>>>>>>>>>>> You activated 2 different headers which is useless since we change serverinfo by default you already get tomee here.
>>>>>>>>>>>>
>>>>>>>>>>>> That said this is not the real issue. Doing it is a standard security issue, that is why it is off by default in tomcat so I suggest to not set it on by default
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <[email protected]>:
>>>>>>>>>>>>
>>>>>>>>>>>>> Some crawlers are using that header as the evaluation. Default is Apache Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give us better standing.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Andy.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> PS (sorry hit enter without wishing it): asking cause I wouldn't have it on by default as a user
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <[email protected]>:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> What's the goal? We already switch server info, isn't it enough?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ---------- Forwarded message ----------
>>>>>>>>>>>>>>> From: <[email protected]>
>>>>>>>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>>>>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>>>>>>>>>> To: [email protected]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Repository: tomee
>>>>>>>>>>>>>>> Updated Branches:
>>>>>>>>>>>>>>>   refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> TomEE header
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>>>>>>>>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>>>>>>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>>>>>>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Branch: refs/heads/master
>>>>>>>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>>>>>>>>>> Parents: 2c4047e
>>>>>>>>>>>>>>> Author: [email protected] <[email protected]>
>>>>>>>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>>>> Committer: [email protected] <[email protected]>
>>>>>>>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>>>  .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>>>>>>>>>>>>  .../java/org/apache/tomee/installer/Installer.java | 17 +++++++++++++++++
>>>>>>>>>>>>>>>  2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> ---------------------------------------------------------------------- >>>>>>>>>>>>>>> diff --git >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>>>>>> index 70fcf6f..17731b9 100644 >>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>>>>>> +++ >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>>>>>> 
@@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT { >>>>>>>>>>>>>>> " <!-- TomEE plugin for Tomcat -->\n" + >>>>>>>>>>>>>>> " <Listener >>>>>>>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" >>>>>>>>>>>>>>> + >>>>>>>>>>>>>>> " <Service name=\"Catalina\">\n" + >>>>>>>>>>>>>>> - " <Connector port=\"" + http + "\" >>>>>>>>>>>>>>> protocol=\"HTTP/1.1\" >>>>>>>>>>>>>>> />\n" + >>>>>>>>>>>>>>> + " <Connector port=\"" + http + "\" >>>>>>>>>>>>>>> protocol=\"HTTP/1.1\" >>>>>>>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" + >>>>>>>>>>>>>>> " <Engine name=\"Catalina\" >>>>>>>>>>>>>>> defaultHost=\"localhost\">\n" + >>>>>>>>>>>>>>> " <Host name=\"localhost\" >>>>>>>>>>>>>>> appBase=\"webapps\"\n" >>>>>>>>>>>>>>> + >>>>>>>>>>>>>>> " unpackWARs=\"true\" >>>>>>>>>>>>>>> autoDeploy=\"true\">\n" + >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> ---------------------------------------------------------------------- >>>>>>>>>>>>>>> 
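Review bot: in the changed Connector line of RemoteTomEEEJBContainerIT, `xpoweredBy="false"` restates Tomcat's default (the thread itself notes it "activates nothing"), so only `server="Apache TomEE"` changes behaviour, and it replaces the generic default Server header with a product-specific value in the test fixture as well. Since the thread disputes whether that should be the shipped default, consider keeping the test's server.xml template aligned with whatever Installer.java ends up writing (for instance by sharing the attribute string rather than duplicating the literal here), so a later change to the default cannot leave the test asserting a different header than the installer produces.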
diff --git >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>>>>>> index 0308c3d..60bd8f7 100644 >>>>>>>>>>>>>>> --- >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>>>>>> +++ >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>>>>>> 
@@ -448,6 +448,23 @@ public class Installer implements >>>>>>>>>>>>>>> InstallerInterface { >>>>>>>>>>>>>>> alerts.addError("Error while adding >>>>>>>>>>>>>>> listener to >>>>>>>>>>>>>>> server.xml >>>>>>>>>>>>>>> file", e); >>>>>>>>>>>>>>> } >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> + //Add TomEE header >>>>>>>>>>>>>>> + try { >>>>>>>>>>>>>>> + newServerXml = >>>>>>>>>>>>>>> Installers.replace(serverXmlOriginal, >>>>>>>>>>>>>>> + "<Connector port=\"8080\"", >>>>>>>>>>>>>>> + "<Connector port=\"8080\"", >>>>>>>>>>>>>>> + "/>", >>>>>>>>>>>>>>> + "xpoweredBy=\"false\" server=\"Apache >>>>>>>>>>>>>>> TomEE\" >>>>>>>>>>>>>>> />"); >>>>>>>>>>>>>>> + >>>>>>>>>>>>>>> + newServerXml = >>>>>>>>>>>>>>> Installers.replace(serverXmlOriginal, >>>>>>>>>>>>>>> + "<Connector port=\"8443\"", >>>>>>>>>>>>>>> + "<Connector port=\"8443\"", >>>>>>>>>>>>>>> + "/>", >>>>>>>>>>>>>>> + "xpoweredBy=\"false\" server=\"Apache >>>>>>>>>>>>>>> TomEE\" >>>>>>>>>>>>>>> />"); >>>>>>>>>>>>>>> + } catch (final IOException e) { >>>>>>>>>>>>>>> + alerts.addError("Error adding server attribute >>>>>>>>>>>>>>> to >>>>>>>>>>>>>>> server.xml >>>>>>>>>>>>>>> file", e); >>>>>>>>>>>>>>> + } >>>>>>>>>>>>>>> + >>>>>>>>>>>>>>> // overwrite server.xml >>>>>>>>>>>>>>> if >>>>>>>>>>>>>>> (Installers.writeAll(paths.getServerXmlFile(), >>>>>>>>>>>>>>> newServerXml, >>>>>>>>>>>>>>> alerts)) { >>>>>>>>>>>>>>> alerts.addInfo("Add OpenEJB listener to >>>>>>>>>>>>>>> server.xml"); >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Andy Gumbrecht >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> https://twitter.com/AndyGeeDe >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> >>>>>>>>>>>>> Andy Gumbrecht >>>>>>>>>>>>> >>>>>>>>>>>>> https://twitter.com/AndyGeeDe >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> >>>>>>>>>>> Andy Gumbrecht >>>>>>>>>>> >>>>>>>>>> https://twitter.com/AndyGeeDe >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> >>>>>>>>> Andy 
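Review bot: the two added `Installers.replace` calls both start from `serverXmlOriginal`, so the second assignment to `newServerXml` (port 8443) discards the port 8080 edit made just above it, and both discard whatever `newServerXml` already held from the preceding listener block (the unchanged context then writes `newServerXml` to server.xml and reports "Add OpenEJB listener to server.xml"), unless `serverXmlOriginal` is refreshed in between, which is not visible here. Chaining the edits fixes both problems: `newServerXml = Installers.replace(newServerXml, "<Connector port=\"8443\"", ...)`, and the same for the 8080 call; the two otherwise identical blocks could also become one loop over the two port literals. Separately, the match is on the exact literals `<Connector port="8080"` and `<Connector port="8443"`, so an installation whose connectors use other ports silently gets no header change; an `alerts` entry in that case would make the skipped edit visible to the administrator.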
