Posted to users@tomcat.apache.org by Jason Pyeron <ja...@pyeron.com> on 2002/12/31 21:56:09 UTC
securing tomcat...
has anyone put together a faq/howto on securing tomcat?
our first goal is to prevent determination of the server version by a web
client.
an example of this is for url http://127.1:8080/xxdfsdf this is returned, note the Server:
Apache Coyote/1.0 and Apache Tomcat/4.1.12
HTTP/1.1 404 /xxdfsdf
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Transfer-Encoding: chunked
Date: Tue, 31 Dec 2002 20:46:09 GMT
Server: Apache Coyote/1.0
<html><head><title>Apache Tomcat/4.1.12 - Error
report</title><STYLE><!--H1{font-family : sans-serif,Arial,Tahoma;color
: white;background-color : #0086b2;} H3{font-family :
sans-serif,Arial,Tahoma;color : white;background-color : #0086b2;}
BODY{font-family : sans-serif,Arial,Tahoma;color : black;background-color
: white;} B{color : white;background-color :
#0086b2;} HR{color : #0086b2;} --></STYLE> </head><body><h1>HTTP Status
404 - /xxdfsdf</h1><HR size="1" noshade><p><b>type</b>
Status report</p><p><b>message</b>
<u>/xxdfsdf</u></p><p><b>description</b> <u>The requested resource
(/xxdfsdf)
is not available.</u></p><HR size="1" noshade><h3>Apache
Tomcat/4.1.12</h3></body></html>
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- -
- Jason Pyeron http://www.pyerotechnics.com -
- Owner & Lead Pyerotechnics Development, Inc. -
- +1 410 808 6646 (c) 500 West University Parkway #1S -
- +1 410 467 2266 (f) Baltimore, Maryland 21210-3253 -
- -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: securing tomcat...
Posted by Gary Gwin <to...@cafesoft.com>.
Jason,
If by securing you mean hardening, well then no. But we have posted a
white paper on Tomcat security according to the servlet specification:
http://www.cafesoft.com/products/cams/tomcat-security.html
Gary
Jason Pyeron wrote:
>has anyone put together a faq/howto on securing tomcat?
>
>our first goal is to prevent determination of the server version by a web
>client.
>
>an example of this is for url http://127.1:8080/xxdfsdf this is returned, note the Server:
>Apache Coyote/1.0 and Apache Tomcat/4.1.12
>
>HTTP/1.1 404 /xxdfsdf
>Content-Type: text/html;charset=ISO-8859-1
>Content-Language: en-US
>Transfer-Encoding: chunked
>Date: Tue, 31 Dec 2002 20:46:09 GMT
>Server: Apache Coyote/1.0
>
><html><head><title>Apache Tomcat/4.1.12 - Error
>report</title><STYLE><!--H1{font-family : sans-serif,Arial,Tahoma;color
>: white;background-color : #0086b2;} H3{font-family :
>sans-serif,Arial,Tahoma;color : white;background-color : #0086b2;}
> BODY{font-family : sans-serif,Arial,Tahoma;color : black;background-color
>: white;} B{color : white;background-color :
>#0086b2;} HR{color : #0086b2;} --></STYLE> </head><body><h1>HTTP Status
>404 - /xxdfsdf</h1><HR size="1" noshade><p><b>type</b>
>Status report</p><p><b>message</b>
><u>/xxdfsdf</u></p><p><b>description</b> <u>The requested resource
>(/xxdfsdf)
>is not available.</u></p><HR size="1" noshade><h3>Apache
>Tomcat/4.1.12</h3></body></html>
>
>
>
--
Gary Gwin
http://www.cafesoft.com
*****************************************************************
* *
* The Cafesoft Access Management System, Cams, is security *
* software that provides single sign-on authentication and *
* centralized access control for Apache, Tomcat, and custom *
* resources. *
* *
*****************************************************************
Re: securing tomcat...
Posted by Ken Anderson <ka...@pacific.net>.
Just put this in your web.xml for root webapp or others...
<error-page>
    <error-code>404</error-code>
    <location>/404error.html</location>
</error-page>
and create 404error.html to say whatever you like.
Ken
Jason Pyeron wrote:
> has anyone put together a faq/howto on securing tomcat?
>
> our first goal is to prevent determination of the server version by a web
> client.
>
> an example of this is for url http://127.1:8080/xxdfsdf this is returned, note the Server:
> Apache Coyote/1.0 and Apache Tomcat/4.1.12
>
> HTTP/1.1 404 /xxdfsdf
> Content-Type: text/html;charset=ISO-8859-1
> Content-Language: en-US
> Transfer-Encoding: chunked
> Date: Tue, 31 Dec 2002 20:46:09 GMT
> Server: Apache Coyote/1.0
>
> <html><head><title>Apache Tomcat/4.1.12 - Error
> report</title><STYLE><!--H1{font-family : sans-serif,Arial,Tahoma;color
> : white;background-color : #0086b2;} H3{font-family :
> sans-serif,Arial,Tahoma;color : white;background-color : #0086b2;}
> BODY{font-family : sans-serif,Arial,Tahoma;color : black;background-color
> : white;} B{color : white;background-color :
> #0086b2;} HR{color : #0086b2;} --></STYLE> </head><body><h1>HTTP Status
> 404 - /xxdfsdf</h1><HR size="1" noshade><p><b>type</b>
> Status report</p><p><b>message</b>
> <u>/xxdfsdf</u></p><p><b>description</b> <u>The requested resource
> (/xxdfsdf)
> is not available.</u></p><HR size="1" noshade><h3>Apache
> Tomcat/4.1.12</h3></body></html>
>
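A check for the goal stated in the first post, added here as an example and not part of any poster's message: it scans a raw HTTP response for product/version tokens in the Server header and in the body, since an error-page mapping in web.xml replaces only the body. Both sample responses are constructed (the first is modelled on the one quoted in the thread, the second assumes a custom 404error.html with the same headers), and the function names are hypothetical.

```python
import re

# Product/version tokens such as "Tomcat/4.1.12" or "Coyote/1.0".
TOKEN = re.compile(r"[A-Za-z][\w-]*/\d+(?:\.\d+)+")

# Response headers that commonly carry a product banner.
DISCLOSING_HEADERS = ("server", "x-powered-by")

def split_response(raw: bytes):
    """Split a raw HTTP response into (status line, headers dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body.decode("iso-8859-1", "replace")

def find_version_leaks(raw: bytes):
    """Return (location, token) pairs for every version banner found."""
    _status, headers, body = split_response(raw)  # status line is not scanned
    leaks = []
    for name in DISCLOSING_HEADERS:
        for value in headers.get(name, []):
            leaks.extend((name, tok) for tok in TOKEN.findall(value))
    # De-duplicate body hits: the default page repeats the banner.
    leaks.extend(("body", tok) for tok in sorted(set(TOKEN.findall(body))))
    return leaks

# Constructed sample: default error page, modelled on the thread's response.
DEFAULT_404 = (
    b"HTTP/1.1 404 /xxdfsdf\r\n"
    b"Content-Type: text/html;charset=ISO-8859-1\r\n"
    b"Server: Apache Coyote/1.0\r\n\r\n"
    b"<html><head><title>Apache Tomcat/4.1.12 - Error report</title></head>"
    b"<body><h1>HTTP Status 404 - /xxdfsdf</h1>"
    b"<h3>Apache Tomcat/4.1.12</h3></body></html>"
)

# Constructed sample: same headers, body served from a custom 404error.html.
CUSTOM_404 = (
    b"HTTP/1.1 404 /xxdfsdf\r\n"
    b"Content-Type: text/html;charset=ISO-8859-1\r\n"
    b"Server: Apache Coyote/1.0\r\n\r\n"
    b"<html><body><h1>Page not found</h1></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_404), ("custom", CUSTOM_404)):
        print(label, find_version_leaks(raw))
```

With the custom page in place the body no longer names Tomcat, but the Server header is still reported, so the header has to be handled separately from the error page.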