We are getting dinged by a vulnerability scan for the default not-found error page being returned by Tomcat for a Status 404.

On my dev server when requesting an invalid URL, Tomcat returns a Status 404 page that displays the Tomcat version. Right, I need to do something about that. However, I can't find where the error-page for 404 is defined. It's not defined in:

- webapps/ROOT/WEB-INF/web.xml
- conf/web.xml
- conf/server.xml
- conf/context.xml

Also, I can't find a notFound or error page either.

How do I get rid of or override the default error / 404 / not-found page if I can't find it or where it is currently defined? Also, how is Tomcat returning the default 404 error page if it does not exist? I hope it's not hardcoded in a servlet response.

FYI, we're going to remove the ROOT, docs, and examples folders to mitigate other scan findings. And we're using Tomcat 6.0.37 (ahem).

--
Cris Berneburg
CACI Lead Software Engineer