On 2/23/23 9:17 AM, Mark Thomas wrote:
You need to remove the error page entry for 404 errors from
WEB-INF/web.xml rather than / as well as renaming / removing 404.jsp
Delete (or comment out) these lines:
404
/WEB-INF/jsp/404.jsp
Thanks. I really wish certain other
On 23/02/2023 16:49, James H. H. Lampert wrote:
On 2/22/23 9:23 AM, Mark Thomas wrote:
Alternatively, you can use denyStatus="404" on the RemoteAddrValve.
That attribute should be available in all versions of all currently
supported Tomcat releases (it was added back in 2011). You can set it
On 2/22/23 9:23 AM, Mark Thomas wrote:
Alternatively, you can use denyStatus="404" on the RemoteAddrValve. That
attribute should be available in all versions of all currently supported
Tomcat releases (it was added back in 2011). You can set it to any value
valid for use with
is removing the manager war an option for you? i don't think it's required
for operation. you could also rename it so that it's in a different url
path than the default
On Wed, Feb 22, 2023 at 12:58 PM Mark Thomas wrote:
> On 22/02/2023 17:49, James H. H. Lampert wrote:
> > On 2/22/23 9:23 AM,
On 22/02/2023 17:49, James H. H. Lampert wrote:
On 2/22/23 9:23 AM, Mark Thomas wrote:
Fire them and hire a security consultant with a proper understanding
of risk?
Pardon my Yiddish, but "Fun dayn moyl in Gots oyern." (From your mouth
to God's ears. Such a colorful language.)
But just
On 2/22/23 9:23 AM, Mark Thomas wrote:
Fire them and hire a security consultant with a proper understanding of
risk?
Pardon my Yiddish, but "Fun dayn moyl in Gots oyern." (From your mouth
to God's ears. Such a colorful language.)
But just because you're paranoid doesn't mean they're not out
On 22/02/2023 17:10, James H. H. Lampert wrote:
We've got a customer -- the same one that was our first test of a
working RemoteAddrValve -- whose security consultant is complaining that
a potential intruder can confirm the *existence* of the manager context
(because it returns a 403, as
We've got a customer -- the same one that was our first test of a
working RemoteAddrValve -- whose security consultant is complaining that
a potential intruder can confirm the *existence* of the manager context
(because it returns a 403, as opposed to, say, a 404).
Any ideas?
--
JHHL