They can still run the Fuseki command at their terminal with the --version flag e.g.
$ fuseki-server --version Jena: VERSION: 3.0.1 Jena: BUILD_DATE: 2015-12-08T09:24:07+0000 ARQ: VERSION: 3.0.1 ARQ: BUILD_DATE: 2015-12-08T09:24:07+0000 RIOT: VERSION: 3.0.1 RIOT: BUILD_DATE: 2015-12-08T09:24:07+0000 TDB: VERSION: 3.0.1 TDB: BUILD_DATE: 2015-12-08T09:24:07+0000 Fuseki: VERSION: 2.3.1 Fuseki: BUILD_DATE: 2015-12-08T09:24:07+0000 Which simply prints the versions of the various components and exits Rob On 31/01/2016 17:05, "A. Soroka" <[email protected]> wrote: >Just for the record, Andy, do we now have a standard way of determining a >running version for when it is necessary to answer a question? > >I’m thinking here of folks who may have “inherited” a deployed Fuseki >install and who then run into questions or troubles (it could happen to >anyone {grin}), and what we can tell them to do if we need to know the >version to help them. Maybe there is a good place to check in the config >directory? Or would we have to go inside the WEB-INF/lib jars and look at >metadata there? > >--- >A. Soroka >The University of Virginia Library > >> On Jan 31, 2016, at 11:57 AM, Andy Seaborne <[email protected]> wrote: >> >> https://issues.apache.org/jira/browse/JENA-1125 >> >> Output of version should only be in developer mode now. >> "developer mode" means anything that is not a formal release, i.e. with >>a version number without SNAPSHOT. >> >> Andy >> >> On 28/01/16 21:03, Andy Seaborne wrote: >>> If you want to lock down a java-based webapp server, jetty, tomcat, >>> fuseki whatever, then another starting point is to put it behind a >>> reverse proxy (httpd, nginx etc), slave the java server to only receive >>> request from localhost i.e. the reverse proxy. >>> >>> httpd, nginx have a much greater range of facilities to defend the >>>service. >>> >>> On 28/01/16 11:36, Massimiliano Ricci wrote: >>>> Dear All, >>>> for a customer we'd like to use Fuseki 2.3.1. on Linux RedHat as a >>>> standalone server. >>>> Unfortunatelly we've encountered an anomaly of "Information Exposure" >>>> (CWE-200 - http://cwe.mitre.org/data/definitions/200.html), in >>>>particular >>>> the Fuseki and JETTY versions are showed. For example, if I submit an >>>> incorrect query, it's shown: >>>> >>>> Error 400: ... >>>> Fuseki - version 2.3.1 .... >>>> >>>> And in response header: >>>> >>>> HTTP/1.1 200 OK >>>> Date: Thu, 28 Jan 2016 10:20:34 GMT >>>> Cache-Control: must-revalidate,no-cache,no-store >>>> Pragma: no-cache >>>> Content-Type: text/plain;charset=utf-8 >>>> Content-Length: 31 >>>> Server: Jetty(9.3.z-SNAPSHOT) >>>> >>> >>> CWE-200 is about private or useful information to an attacker. >>> >>> Counting version numbers as sensitive or attack information is >>>debatable >>> IMO. At most, it is minor - it's all in the POM files and source code >>> for open source - and attacking an unknown version is a matter of >>> running an attack on all possible versions in parallel. >>> >>> Even the Apache webserver at www.apache.org puts in the version: >>> >>> Server: Apache/2.4.7 (Ubuntu) >>> >>> >>> Why it says "9.3.z-SNAPSHOT" I don't know - this is a known Jetty issue >>> - the version of Jetty is not a snapshot and it was pulled from maven >>> central. Weirdly, current development, same Jetty, prints >>>9.3.3.v20150827. >>> >>> The Apache Jena release process will not proceed if a SNAPSHOT is >>>found, >>> not that maven central has snapshots at all. >>> >>>> In order to don't show the Jetty version I've modified the >>>> >>>>"jena-3.0.1-source-release\jena-3.0.1\jena-fuseki2\examples\fuseki-jett >>>>y-https.xml": >>>> >>>> >>>> <?xml version="1.0"?> >>>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" " >>>> http://www.eclipse.org/jetty/configure_9_3.dtd";> >>>> >>>> <Configure id="Server" class="org.eclipse.jetty.server.Server"> >>>> <New id="httpConfig" >>>> class="org.eclipse.jetty.server.HttpConfiguration"> >>>> <Set name="sendServerVersion"><Property >>>> name="jetty.httpConfig.sendServerVersion" >>>> deprecated="jetty.send.server.version" default="false" /></Set> >>>> </New> >>>> </Configure> >>> >>>> >>>> but running fuseki: >>>>>> java -Xmx16384M -jar fuseki-server.jar >>>>>>--jetty-config=fuseki-jetty.xml >>>> --port=8080 --loc=/mytdb /myDataSet >>>> the following exception was raised: >>>> 10:36:11 INFO Server :: Jetty server config file = >>>> /space/weblogic/apache-jena-fuseki-2.3.1/fuseki-jetty.xml >>>> 10:36:11 ERROR Server :: SPARQLServer: Failed to >>>>configure >>>> server: 0 >>>> java.lang.ArrayIndexOutOfBoundsException: 0 >>> >>> That means the jetty configuration file has not defined a connector. >>> >>> If that was the whole file fuseki-jetty.xml then it's incomplete. The >>> connector is created by <Call name="addConnector"> in the example. >>> >>> There are examples at: >>> >>> >>>http://www.eclipse.org/jetty/documentation/current/configuring-connector >>>s.html#jetty-connectors >>> >>> >>> I used fuseki-jetty-https.xml with only the setting for >>> name="sendServerVersion" changed and it worked (no Server line for >>>Jetty) >>> >>>> at >>>> >>>>org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java: >>>>266) >>>> >>>> at >>>> >>>>org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki. >>>>java:222) >>>> >>>> at >>>> org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91) >>>> at >>>> >>>>org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.j >>>>ava:86) >>>> >>>> at >>>> >>>>org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java >>>>:358) >>>> >>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93) >>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58) >>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45) >>>> at >>>> >>>>org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd >>>>.java:95) >>>> >>>> at >>>>org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:60) >>>> I think because Fuseki is using the wrong version Jetty >>>>(9.3.z-SNAPSHOT >>>> instead 9.3.3). >>> >>> Fuseki at the 2.3.1 release is running with 9.3.3.v20150827 >>> >>> See >>> https://github.com/apache/jena/blob/jena-3.0.1/jena-fuseki2/pom.xml >>> >>>> >>>> For Fuseki version I didn't find any solution. >>>> >>>> Could anyone suggest us how to figure out this issue? >>>> There are proprerties to set to avoid it? >>>> Do I have to open an issue on JIRA? >>>> >>>> Thanks, >>>> Max >>>> >>> >>> Andy >>> >> >
