Re: Got a customer who's paranoid about Manager

2023-02-23 Thread James H. H. Lampert
On 2/23/23 9:17 AM, Mark Thomas wrote:
> You need to remove the error page entry for 404 errors from WEB-INF/web.xml rather than / as well as renaming / removing 404.jsp
>
> Delete (or comment out) these lines:
>
> <error-page>
>     <error-code>404</error-code>
>     <location>/WEB-INF/jsp/404.jsp</location>
> </error-page>

Thanks. I really wish certain other

Re: Got a customer who's paranoid about Manager

2023-02-23 Thread Mark Thomas
On 23/02/2023 16:49, James H. H. Lampert wrote:
> On 2/22/23 9:23 AM, Mark Thomas wrote:
> > Alternatively, you can use denyStatus="404" on the RemoteAddrValve. That attribute should be available in all versions of all currently supported Tomcat releases (it was added back in 2011). You can set it

Re: Got a customer who's paranoid about Manager

2023-02-23 Thread James H. H. Lampert
On 2/22/23 9:23 AM, Mark Thomas wrote:
> Alternatively, you can use denyStatus="404" on the RemoteAddrValve. That attribute should be available in all versions of all currently supported Tomcat releases (it was added back in 2011). You can set it to any value valid for use with

Re: Got a customer who's paranoid about Manager

2023-02-22 Thread Alex O'Ree
Is removing the manager war an option for you? I don't think it's required for operation. You could also rename it so that it's in a different URL path than the default.

On Wed, Feb 22, 2023 at 12:58 PM Mark Thomas wrote:
> On 22/02/2023 17:49, James H. H. Lampert wrote:
> > On 2/22/23 9:23 AM,

Re: Got a customer who's paranoid about Manager

2023-02-22 Thread Mark Thomas
On 22/02/2023 17:49, James H. H. Lampert wrote:
> On 2/22/23 9:23 AM, Mark Thomas wrote:
> > Fire them and hire a security consultant with a proper understanding of risk?
>
> Pardon my Yiddish, but "Fun dayn moyl in Gots oyern." (From your mouth to God's ears. Such a colorful language.) But just

Re: Got a customer who's paranoid about Manager

2023-02-22 Thread James H. H. Lampert
On 2/22/23 9:23 AM, Mark Thomas wrote:
> Fire them and hire a security consultant with a proper understanding of risk?

Pardon my Yiddish, but "Fun dayn moyl in Gots oyern." (From your mouth to God's ears. Such a colorful language.) But just because you're paranoid doesn't mean they're not out

Re: Got a customer who's paranoid about Manager

2023-02-22 Thread Mark Thomas
On 22/02/2023 17:10, James H. H. Lampert wrote:
> We've got a customer -- the same one that was our first test of a working RemoteAddrValve -- whose security consultant is complaining that a potential intruder can confirm the *existence* of the manager context (because it returns a 403, as

Got a customer who's paranoid about Manager

2023-02-22 Thread James H. H. Lampert
We've got a customer -- the same one that was our first test of a working RemoteAddrValve -- whose security consultant is complaining that a potential intruder can confirm the *existence* of the manager context (because it returns a 403, as opposed to, say, a 404). Any ideas? -- JHHL