On 16/12/2019 12:25, M. Manna wrote:
I would like to systematically hide a request header to web applications
hosted by Tomcat.
"Blanking" or "Unsetting" a header is not the same as "Hiding". By
hiding, you are essentially asking for the Header to be available under
certain elevated privilege or conditions. Unless you meant Unsetting the
value or removing the header (not "Hiding")?
Hello M. Manna.
I meant Unsetting.
[... snip]
- Is there any way to apply a similar configuration (no development [2])
to Apache Tomcat when there is no front server ?
I could not find any built-in valve/filter that would allow such
filtering. I don't think there is any, but I wanted to make sure I had
not missed something.
Not to my knowledge. But I don't see why you cannot implement your own
Valve. Of course, any suggestion is welcome unless someone else has any
other suggestions?
"I don't see why you cannot implement your own" : Because as stated in my
original post, I am explicitly looking for a solution which does not
require any development.
Thank you for your answer though.
[...]
[2] I know it is possible to develop a quite simple custom ServletFilter
to wrap the request with a custom HttpServletRequest wrapper, but I'm
looking for a zero development possibility. For those of you reading
this discussion later and looking for a development solution, you can
find inspiration in the following github repo that you can adapt to
handle removal
https://github.com/lonelyplanet/tomcat-request-header-filter
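The servlet filter approach mentioned in footnote [2], as an added example that is not part of the original thread and not taken from the linked repository. It assumes the `javax.servlet` API (Tomcat 9 and earlier; Tomcat 10 and later use `jakarta.servlet`); the class name and the `headerName` init-param are hypothetical.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: hides one request header from everything downstream of this filter.
public class RemoveHeaderFilter implements Filter {
    private String blocked; // lower-cased name of the header to remove

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String name = cfg.getInitParameter("headerName"); // hypothetical init-param
        if (name == null || name.trim().isEmpty())
            throw new ServletException("init-param 'headerName' is required");
        blocked = name.trim().toLowerCase(Locale.ROOT);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest)
            req = new Stripped((HttpServletRequest) req);
        chain.doFilter(req, res);
    }

    @Override public void destroy() { }

    private final class Stripped extends HttpServletRequestWrapper {
        Stripped(HttpServletRequest r) { super(r); }

        // Header names are case-insensitive, so compare in lower case.
        private boolean hidden(String n) {
            return n != null && blocked.equals(n.toLowerCase(Locale.ROOT));
        }
        @Override public String getHeader(String n) { return hidden(n) ? null : super.getHeader(n); }
        @Override public Enumeration<String> getHeaders(String n) {
            return hidden(n) ? Collections.<String>emptyEnumeration() : super.getHeaders(n);
        }
        @Override public Enumeration<String> getHeaderNames() {
            List<String> kept = new ArrayList<>();
            for (String n : Collections.list(super.getHeaderNames()))
                if (!hidden(n)) kept.add(n);
            return Collections.enumeration(kept);
        }
        // The typed getters delegate to the wrapped request, so override them as well.
        @Override public int getIntHeader(String n) { return hidden(n) ? -1 : super.getIntHeader(n); }
        @Override public long getDateHeader(String n) { return hidden(n) ? -1L : super.getDateHeader(n); }
    }
}
```

The filter has to be mapped to `/*` ahead of any other filter in `web.xml` to cover the whole application. Valves and filters that run before it, such as an access log valve, still see the original header.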