Hi Sergey,

I've tested the setup you mentioned, cxf-jetty for the sendServerVersion parameter. It is working as expected, thus I believe for my case that runs on Karaf, I think the parameter needs to be made available on pax-web module.

But after reading through a bit here and there, I realized the Server header is actually a standard that is expected from an HTTP service. Thus, I've decided to let it be. My initial intention to hide the Server header was to obfuscate what Server I am using for potential attackers. I don't know how much it would deter attackers. It might not be a good strategy, but not sure what else I can sort of improve on security-wise.

Regards,
Allan C.

On Mon, Jul 18, 2016 at 6:14 PM, Allan C. <allan...@gmail.com> wrote:

> Noted. Will get you posted.
>
> Regards,
> Allan C.
>
> On Mon, Jul 18, 2016 at 5:21 PM, Sergey Beryozkin <sberyoz...@gmail.com>
> wrote:
>
>> Hi
>>
>> It is confusing indeed. Perhaps, in Karaf, it is only jetty.xml that can
>> be used to turn off sending Server headers, or maybe jetty.xml default
>> values override whatever is set in httpj.
>> Please experiment if you get a chance with a standalone CXF Jetty
>> endpoint outside of Karaf to see if httpj sendServerVersion can be made
>> effective.
>>
>> Cheers, Sergey
>>
>>
>> On 18/07/16 11:56, Allan C. wrote:
>>
>>> I see. I am using an absolute HTTP address.
>>>
>>> I am confused because if it is an SSL 443 port, the
>>> "httpj:tlsServerParameters" configuration seems to be working so I thought
>>> it is using the httpj configuration.
>>>
>>> Regards,
>>> Allan C.
>>>
>>> On Mon, Jul 18, 2016 at 3:58 PM, Sergey Beryozkin <sberyoz...@gmail.com>
>>> wrote:
>>>
>>> Hi
>>>>
>>>> AFAIK the below configuration is only applicable if you use an absolute
>>>> HTTP address in which case an embedded/standalone Jetty instance is
>>>> created, if you use a relative address then it is a servlet bound to
>>>> Jetty-powered HTTP service and hence jetty.xml is effective
>>>>
>>>> Cheers, Sergey
>>>> On 18/07/16 10:39, Allan C. wrote:
>>>>
>>>> Hi Sergey,
>>>>>
>>>>> I did another test running just jetty9 (configured using jetty.xml) and
>>>>> fiddled with both sendServerVersion and sendDateHeader parameters. It seems
>>>>> to be working as expected.
>>>>>
>>>>> When I use CXF JAXRS server, the parameter seems to be ignored. Here is my
>>>>> CXF jetty configuration part.
>>>>> <httpj:engine-factory id="httpjEngine">
>>>>>   <httpj:engine port="80" sendServerVersion="false">
>>>>>     <httpj:threadingParameters minThreads="8" maxThreads="16" />
>>>>>   </httpj:engine>
>>>>> </httpj:engine-factory>
>>>>>
>>>>> Could you maybe give me a hint on which class/jar I should most probably
>>>>> look into in more detail?
>>>>>
>>>>> JettyHTTPServerEngineConfigType in cxf-rt-transports-http-jetty, but
>>>> as I
>>>> said it is probably not used
>>>>
>>>>
>>>> Cheers, Sergey
>>>>
>>>>
>>>>> Regards,
>>>>> Allan C.
>>>>>
>>>>> On Mon, Jul 18, 2016 at 3:00 PM, Allan C. <allan...@gmail.com> wrote:
>>>>>
>>>>> Noted. Thanks for the info!
>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> Allan C.
>>>>>>
>>>>>> On Mon, Jul 18, 2016 at 2:35 PM, Sergey Beryozkin <
>>>>>> sberyoz...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>>> On 18/07/16 05:58, Allan C. wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>>>
>>>>>>>> I have a jax-rs server configured up and running in a blueprint
>>>>>>>> container.
>>>>>>>> All good except a couple of minor tweaks left.
>>>>>>>>
>>>>>>>> When I test the service, the HTTP header "Date" appears twice. For
>>>>>>>> instance:
>>>>>>>>
>>>>>>>> HTTP/1.1 401 Unauthorized
>>>>>>>> Date: Mon, 18 Jul 2016 02:50:09 GMT
>>>>>>>> Date: Mon, 18 Jul 2016 02:50:09 GMT
>>>>>>>>
>>>>>>>>
>>>>>>>> As it happens I've been looking into this issue last week. It only
>>>>>>> happens on Jetty (not on Tomcat) - with Jetty ignoring the fact the
>>>>>>> higher-level application sets Date (JAX-RS runtime must set Date) and
>>>>>>> setting its own Date.
>>>>>>>
>>>>>>> However, CXF uses HttpServletResponse.addHeader(). This is usually needed
>>>>>>> when a header has multiple values but otherwise
>>>>>>> HttpServletResponse.setHeader() is fine - making this minor update fixed a
>>>>>>> duplicate Date header issue on Jetty, CXF 3.1.7 will have it all sorted.
>>>>>>>
>>>>>>> Content-Length: 0
>>>>>>>
>>>>>>> Server: Jetty(9.2.15.v20160210)
>>>>>>>>
>>>>>>>> Another is although I've set "sendServerVersion="false", it still returns
>>>>>>>> the "Server" header. Any ideas what I've missed? Appreciate your
>>>>>>>> response.
>>>>>>>>
>>>>>>>> Not sure, but it is entirely a Jetty configuration issue
>>>>>>>>
>>>>>>>>
>>>>>>> Cheers, Sergey
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>>> Allan C.
>>>>>>>>
>>>>
>>>> --
>>>> Sergey Beryozkin
>>>>
>>>> Talend Community Coders
>>>> http://coders.talend.com/
>>>>
>>
>> --
>> Sergey Beryozkin
>>
>> Talend Community Coders
>> http://coders.talend.com/
>>
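
An added example, not written by the thread's participants and not CXF or Jetty code: a Python check that parses a raw response like the one quoted in the thread and flags a repeated Date field and a Server banner that carries a version number. `set_header` models the replace semantics of `HttpServletResponse.setHeader()` that Sergey describes. The function names and the list of single-valued headers are assumptions.

```python
import re

# Illustrative names and policy; SAMPLE is rebuilt from the response quoted in the thread.
SAMPLE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Date: Mon, 18 Jul 2016 02:50:09 GMT\r\n"
    "Date: Mon, 18 Jul 2016 02:50:09 GMT\r\n"
    "Content-Length: 0\r\n"
    "Server: Jetty(9.2.15.v20160210)\r\n"
    "\r\n"
)

SINGLE_VALUED = {"date", "server", "content-length"}  # assumed audit policy
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")             # dotted version number


def parse_headers(raw):
    """Return the header fields of a raw HTTP response as (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def audit(raw):
    """List findings: versioned Server banners, then repeated single-valued headers."""
    findings, counts = [], {}
    for name, value in parse_headers(raw):
        key = name.lower()
        counts[key] = counts.get(key, 0) + 1
        if key == "server" and VERSION_RE.search(value):
            findings.append(("server-version", value))
    for key in sorted(counts):
        if key in SINGLE_VALUED and counts[key] > 1:
            findings.append(("duplicate", key))
    return findings


def set_header(pairs, name, value):
    """setHeader() semantics: drop every existing field of that name, then add one."""
    kept = [(n, v) for n, v in pairs if n.lower() != name.lower()]
    return kept + [(name, value)]


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against a test endpoint's captured response, the same check shows whether a `sendServerVersion` change actually took effect in the container that serves the request.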