Posted to commits@tomee.apache.org by an...@apache.org on 2015/05/07 22:03:52 UTC

tomee git commit: TomEE header

Repository: tomee
Updated Branches:
  refs/heads/master 2c4047e14 -> 268b57c86


TomEE header


Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8

Branch: refs/heads/master
Commit: 268b57c868c055e3788b85d6ed6a192da094e808
Parents: 2c4047e
Author: andygumbrecht@apache.org <an...@gmx.de>
Authored: Thu May 7 22:03:35 2015 +0200
Committer: andygumbrecht@apache.org <an...@gmx.de>
Committed: Thu May 7 22:03:35 2015 +0200

----------------------------------------------------------------------
 .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
 .../java/org/apache/tomee/installer/Installer.java | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
----------------------------------------------------------------------
diff --git a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
index 70fcf6f..17731b9 100644
--- a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
+++ b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
@@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
             "  <!-- TomEE plugin for Tomcat -->\n" +
             "  <Listener className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
             "  <Service name=\"Catalina\">\n" +
-            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\" />\n" +
+            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\" xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
             "    <Engine name=\"Catalina\" defaultHost=\"localhost\">\n" +
             "      <Host name=\"localhost\"  appBase=\"webapps\"\n" +
             "            unpackWARs=\"true\" autoDeploy=\"true\">\n" +

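Review bot: The changed Connector string in this test config now carries server="Apache TomEE" and xpoweredBy="false", but the diffstat shows this one-line edit is the only change to RemoteTomEEEJBContainerIT.java, so nothing asserts that the Server response header actually comes back as "Apache TomEE". Consider adding an assertion on the header returned from the http port so a regression in the connector attribute is caught.
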
http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
----------------------------------------------------------------------
diff --git a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
index 0308c3d..60bd8f7 100644
--- a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
+++ b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
@@ -448,6 +448,23 @@ public class Installer implements InstallerInterface {
             alerts.addError("Error while adding listener to server.xml file", e);
         }
 
+        //Add TomEE header
+        try {
+            newServerXml = Installers.replace(serverXmlOriginal,
+                    "<Connector port=\"8080\"",
+                    "<Connector port=\"8080\"",
+                    "/>",
+                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
+
+            newServerXml = Installers.replace(serverXmlOriginal,
+                    "<Connector port=\"8443\"",
+                    "<Connector port=\"8443\"",
+                    "/>",
+                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
+        } catch (final IOException e) {
+            alerts.addError("Error adding server attribute to server.xml file", e);
+        }
+
         // overwrite server.xml
         if (Installers.writeAll(paths.getServerXmlFile(), newServerXml, alerts)) {
             alerts.addInfo("Add OpenEJB listener to server.xml");
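
Review bot: Both Installers.replace calls in the new try block read from serverXmlOriginal and assign to newServerXml, so the 8443 call discards the result of the 8080 call, and any listener edit already held in newServerXml before this block is lost as well when server.xml is overwritten just below. Chain the calls on the running value instead, i.e. newServerXml = Installers.replace(newServerXml, ...). The match is also tied to the literal ports 8080 and 8443 and to a "/>" terminator, so connectors on other ports are left unchanged, and the info alert after writeAll still only mentions the OpenEJB listener.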


Re: tomee git commit: TomEE header

Posted by Romain Manni-Bucau <rm...@gmail.com>.
To be more complete on security we added MinimumErrorReportValve (
https://git-wip-us.apache.org/repos/asf?p=tomee.git;a=blob;f=tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/valve/MinimumErrorReportValve.java;h=7e772b4ab3f12476abe432458e59f0f3d34dc081;hb=da4ef5872953dd0f29e1147d3cd7f7d14a73ca0a
) to replace the default tomcat error valve by configuration to even force
to hide the tomcat info on error page when they are not configured.

@Andy: you didn't deactivate all headers by default since server and
xpoweredBy are 2 different things. I'd just completely revert it keeping
conf 1-1 with tomcat. Will not be activated anyway by guys in prod IMO.



Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-05-07 23:35 GMT+02:00 Andy <an...@gmx.de>:

> Well that info was not, and has never been, available to a client via that
> header and I'm not sure it's a good idea to ever expose actual server
> versions anyway.
> As Romain stated, the server info is also available. I added/exposed the
> xpoweredBy attribute (which is still always off by default anyway), just so
> you can see it is there and switch it on if you like.
>
> This 'server' header was recently used to determine what servers are out
> and about by a statistics provider, so I have just changed the default
> 'Apache Tomcat 7.0.x' to 'Apache TomEE'. The version here is just not
> important.
> You should never use it for anything other than statistics. Many servers
> pretend to be something else or turn it off anyway (to deter hacks).
>
> If you actually want to turn it off then setting it to an empty or
> arbitrary string will hide it altogether.
>
> If you need to provide server details to clients then best do it over an
> authenticated end-point.
>
> Andy.
>
>
> On 07/05/2015 23:17, Jay McHugh wrote:
>
>> Or maybe at least an indication of which JavaEE version it supports?
>>
>> On Thu, May 7, 2015 at 4:15 PM Jay McHugh <ja...@gmail.com> wrote:
>>
>>  Shouldn't the header include a version number then (at least a major
>>> version) so that it can be differentiated between TomEE 1.5.x, 1.6.x,
>>> 1.7.x, etc?
>>>
>>> It is a little bit more to remember to change but I think that it would
>>> be
>>> at least as valuable as the change from Tomcat to TomEE.
>>>
>>> No?
>>>
>>> On Thu, May 7, 2015 at 4:11 PM Andy <an...@gmx.de> wrote:
>>>
>>>  Some crawlers are using that header as the evaluation. Default is Apache
>>>> Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give
>>>> us better standing.
>>>>
>>>> Andy.
>>>>
>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>
>>>>> PS (sorry hit enter without wishing it): asking cause I wouldn't have
>>>>>
>>>> it on
>>>>
>>>>> by default as a user
>>>>>
>>>>>
>>>>> Romain Manni-Bucau
>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>
>>>> https://github.com/rmannibucau> |
>>>>
>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>> <http://www.tomitribe.com>
>>>>>
>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <rm...@gmail.com>:
>>>>>
>>>>>  Hi
>>>>>>
>>>>>> What's the goal? We already switch server info, isn't it enough?
>>>>>>
>>>>>> Romain Manni-Bucau
>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>> <http://rmannibucau.wordpress.com> | Github
>>>>>> <https://github.com/rmannibucau> | LinkedIn
>>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>> <http://www.tomitribe.com>
>>>>>>
>>>>>> ---------- Forwarded message ----------
>>>>>> From: <an...@apache.org>
>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>> Subject: tomee git commit: TomEE header
>>>>>> To: commits@tomee.apache.org
>>>>>>
>>>>>>
>>>>>> Repository: tomee
>>>>>> Updated Branches:
>>>>>>     refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>
>>>>>>
>>>>>> TomEE header
>>>>>>
>>>>>>
>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>
>>>>>> Branch: refs/heads/master
>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>> Parents: 2c4047e
>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>
>>>>>> ----------------------------------------------------------------------
>>>>>>    .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>>>    .../java/org/apache/tomee/installer/Installer.java | 17
>>>>>>
>>>>> +++++++++++++++++
>>>>
>>>>>    2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>> ----------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>
>>>>> ----------------------------------------------------------------------
>>>>>> diff --git
>>>>>>
>>>>>>
>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>
>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>
>>>>> index 70fcf6f..17731b9 100644
>>>>>> ---
>>>>>>
>>>>>>
>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>
>>>>> +++
>>>>>>
>>>>>>
>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>
>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>>                "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>>                "  <Listener
>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>>>                "  <Service name=\"Catalina\">\n" +
>>>>>> -            "    <Connector port=\"" + http + "\"
>>>>>>
>>>>> protocol=\"HTTP/1.1\"
>>>>
>>>>> />\n" +
>>>>>> +            "    <Connector port=\"" + http + "\"
>>>>>>
>>>>> protocol=\"HTTP/1.1\"
>>>>
>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>>                "    <Engine name=\"Catalina\"
>>>>>>
>>>>> defaultHost=\"localhost\">\n" +
>>>>
>>>>>                "      <Host name=\"localhost\"  appBase=\"webapps\"\n"
>>>>>> +
>>>>>>                "            unpackWARs=\"true\"
>>>>>> autoDeploy=\"true\">\n"
>>>>>>
>>>>> +
>>>>
>>>>>
>>>>>>
>>>>>>
>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>
>>>>> ----------------------------------------------------------------------
>>>>>> diff --git
>>>>>>
>>>>>>
>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>
>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>
>>>>> index 0308c3d..60bd8f7 100644
>>>>>> ---
>>>>>>
>>>>>>
>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>
>>>>> +++
>>>>>>
>>>>>>
>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>
>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>>>
>>>>> InstallerInterface {
>>>>
>>>>>                alerts.addError("Error while adding listener to
>>>>>>
>>>>> server.xml
>>>>
>>>>> file", e);
>>>>>>            }
>>>>>>
>>>>>> +        //Add TomEE header
>>>>>> +        try {
>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>> +                    "<Connector port=\"8080\"",
>>>>>> +                    "<Connector port=\"8080\"",
>>>>>> +                    "/>",
>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>>>>>
>>>>> />");
>>>>
>>>>> +
>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>> +                    "<Connector port=\"8443\"",
>>>>>> +                    "<Connector port=\"8443\"",
>>>>>> +                    "/>",
>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>>>>>
>>>>> />");
>>>>
>>>>> +        } catch (final IOException e) {
>>>>>> +            alerts.addError("Error adding server attribute to
>>>>>>
>>>>> server.xml
>>>>
>>>>> file", e);
>>>>>> +        }
>>>>>> +
>>>>>>            // overwrite server.xml
>>>>>>            if (Installers.writeAll(paths.getServerXmlFile(),
>>>>>>
>>>>> newServerXml,
>>>>
>>>>> alerts)) {
>>>>>>                alerts.addInfo("Add OpenEJB listener to server.xml");
>>>>>>
>>>>>>
>>>>>>
>>>>>>  --
>>>>     Andy Gumbrecht
>>>>     https://twitter.com/AndyGeeDe
>>>>
>>>>
>>>>
> --
>   Andy Gumbrecht
>   https://twitter.com/AndyGeeDe
>
>

Re: tomee git commit: TomEE header

Posted by Andy <an...@gmx.de>.
Well that info was not, and has never been, available to a client via 
that header and I'm not sure it's a good idea to ever expose actual 
server versions anyway.
As Romain stated, the server info is also available. I added/exposed the 
xpoweredBy attribute (which is still always off by default anyway), just 
so you can see it is there and switch it on if you like.

This 'server' header was recently used to determine what servers are out 
and about by a statistics provider, so I have just changed the default 
'Apache Tomcat 7.0.x' to 'Apache TomEE'. The version here is just not 
important.
You should never use it for anything other than statistics. Many servers 
pretend to be something else or turn it off anyway (to deter hacks).

If you actually want to turn it off then setting it to an empty or 
arbitrary string will hide it altogether.

If you need to provide server details to clients then best do it over an 
authenticated end-point.

Andy.

On 07/05/2015 23:17, Jay McHugh wrote:
> Or maybe at least an indication of which JavaEE version it supports?
>
> On Thu, May 7, 2015 at 4:15 PM Jay McHugh <ja...@gmail.com> wrote:
>
>> Shouldn't the header include a version number then (at least a major
>> version) so that it can be differentiated between TomEE 1.5.x, 1.6.x,
>> 1.7.x, etc?
>>
>> It is a little bit more to remember to change but I think that it would be
>> at least as valuable as the change from Tomcat to TomEE.
>>
>> No?
>>
>> On Thu, May 7, 2015 at 4:11 PM Andy <an...@gmx.de> wrote:
>>
>>> Some crawlers are using that header as the evaluation. Default is Apache
>>> Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give
>>> us better standing.
>>>
>>> Andy.
>>>
>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>> PS (sorry hit enter without wishing it): asking cause I wouldn't have
>>> it on
>>>> by default as a user
>>>>
>>>>
>>>> Romain Manni-Bucau
>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>> <http://rmannibucau.wordpress.com> | Github <
>>> https://github.com/rmannibucau> |
>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>> <http://www.tomitribe.com>
>>>>
>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <rm...@gmail.com>:
>>>>
>>>>> Hi
>>>>>
>>>>> What's the goal? We already switch server info, isn't it enough?
>>>>>
>>>>> Romain Manni-Bucau
>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>> <http://rmannibucau.wordpress.com> | Github
>>>>> <https://github.com/rmannibucau> | LinkedIn
>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>> <http://www.tomitribe.com>
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: <an...@apache.org>
>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>> Subject: tomee git commit: TomEE header
>>>>> To: commits@tomee.apache.org
>>>>>
>>>>>
>>>>> Repository: tomee
>>>>> Updated Branches:
>>>>>     refs/heads/master 2c4047e14 -> 268b57c86
>>>>>
>>>>>
>>>>> TomEE header
>>>>>
>>>>>
>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>
>>>>> Branch: refs/heads/master
>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>> Parents: 2c4047e
>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>
>>>>> ----------------------------------------------------------------------
>>>>>    .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>>    .../java/org/apache/tomee/installer/Installer.java | 17
>>> +++++++++++++++++
>>>>>    2 files changed, 18 insertions(+), 1 deletion(-)
>>>>> ----------------------------------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>>
>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>> ----------------------------------------------------------------------
>>>>> diff --git
>>>>>
>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>> index 70fcf6f..17731b9 100644
>>>>> ---
>>>>>
>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>> +++
>>>>>
>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>                "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>                "  <Listener
>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>>                "  <Service name=\"Catalina\">\n" +
>>>>> -            "    <Connector port=\"" + http + "\"
>>> protocol=\"HTTP/1.1\"
>>>>> />\n" +
>>>>> +            "    <Connector port=\"" + http + "\"
>>> protocol=\"HTTP/1.1\"
>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>                "    <Engine name=\"Catalina\"
>>> defaultHost=\"localhost\">\n" +
>>>>>                "      <Host name=\"localhost\"  appBase=\"webapps\"\n" +
>>>>>                "            unpackWARs=\"true\" autoDeploy=\"true\">\n"
>>> +
>>>>>
>>>>>
>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>> ----------------------------------------------------------------------
>>>>> diff --git
>>>>>
>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>> index 0308c3d..60bd8f7 100644
>>>>> ---
>>>>>
>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>> +++
>>>>>
>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>> InstallerInterface {
>>>>>                alerts.addError("Error while adding listener to
>>> server.xml
>>>>> file", e);
>>>>>            }
>>>>>
>>>>> +        //Add TomEE header
>>>>> +        try {
>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>> +                    "<Connector port=\"8080\"",
>>>>> +                    "<Connector port=\"8080\"",
>>>>> +                    "/>",
>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>> />");
>>>>> +
>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>> +                    "<Connector port=\"8443\"",
>>>>> +                    "<Connector port=\"8443\"",
>>>>> +                    "/>",
>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>> />");
>>>>> +        } catch (final IOException e) {
>>>>> +            alerts.addError("Error adding server attribute to
>>> server.xml
>>>>> file", e);
>>>>> +        }
>>>>> +
>>>>>            // overwrite server.xml
>>>>>            if (Installers.writeAll(paths.getServerXmlFile(),
>>> newServerXml,
>>>>> alerts)) {
>>>>>                alerts.addInfo("Add OpenEJB listener to server.xml");
>>>>>
>>>>>
>>>>>
>>> --
>>>     Andy Gumbrecht
>>>     https://twitter.com/AndyGeeDe
>>>
>>>

-- 
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe
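
An added example, not code from the TomEE project or from any poster in this thread: a server.xml audit that reports, for each HTTP Connector, how the server and xpoweredBy attributes discussed above are set. It parses the XML instead of matching port literals, so connectors on other ports or not written as self-closing tags are covered too; the sample file, finding codes and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from the TomEE repository).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               xpoweredBy="false" server="Apache TomEE" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               xpoweredBy="true" server="Apache TomEE 1.7.1">
    </Connector>
    <Connector port="9090" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

# Matches version-like tokens such as 7.0.x or 1.7.1 inside a banner string.
VERSION_RE = re.compile(r"\d+\.(\d+|x)", re.IGNORECASE)


def audit_connectors(server_xml):
    """Return {port: [finding codes]} for every HTTP Connector element.

    Finding codes (names made up for this example):
      server-default  no server attribute, so the container's default
                      Server header is sent
      server-version  the server attribute carries a version-like token
      x-powered-by    xpoweredBy is switched on
    """
    root = ET.fromstring(server_xml)
    report = {}
    for conn in root.iter("Connector"):
        # AJP connectors are out of scope: the change on this page only
        # concerns the HTTP connectors.
        if "ajp" in conn.get("protocol", "").lower():
            continue

        findings = []
        # Assumption of this example: a blank value is treated like a
        # missing attribute.
        server = (conn.get("server") or "").strip()
        if not server:
            findings.append("server-default")
        elif VERSION_RE.search(server):
            findings.append("server-version")

        # server and xpoweredBy are independent attributes; check both.
        if conn.get("xpoweredBy", "false").strip().lower() == "true":
            findings.append("x-powered-by")

        report[conn.get("port", "?")] = findings
    return report


def ports_needing_attention(report):
    """Ports whose connector has at least one finding, sorted."""
    return sorted(port for port, findings in report.items() if findings)


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, ", ".join(findings) or "ok")
```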


Re: tomee git commit: TomEE header

Posted by Jay McHugh <ja...@gmail.com>.
Or maybe at least an indication of which JavaEE version it supports?

On Thu, May 7, 2015 at 4:15 PM Jay McHugh <ja...@gmail.com> wrote:

> Shouldn't the header include a version number then (at least a major
> version) so that it can be differentiated between TomEE 1.5.x, 1.6.x,
> 1.7.x, etc?
>
> It is a little bit more to remember to change but I think that it would be
> at least as valuable as the change from Tomcat to TomEE.
>
> No?
>
> On Thu, May 7, 2015 at 4:11 PM Andy <an...@gmx.de> wrote:
>
>> Some crawlers are using that header as the evaluation. Default is Apache
>> Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give
>> us better standing.
>>
>> Andy.
>>
>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>> > PS (sorry hit enter without wishing it): asking cause I wouldn't have
>> it on
>> > by default as a user
>> >
>> >
>> > Romain Manni-Bucau
>> > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>> > <http://rmannibucau.wordpress.com> | Github <
>> https://github.com/rmannibucau> |
>> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>> > <http://www.tomitribe.com>
>> >
>> > 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <rm...@gmail.com>:
>> >
>> >> Hi
>> >>
>> >> What's the goal? We already switch server info, isn't it enough?
>> >>
>> >> Romain Manni-Bucau
>> >> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>> >> <http://rmannibucau.wordpress.com> | Github
>> >> <https://github.com/rmannibucau> | LinkedIn
>> >> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>> >> <http://www.tomitribe.com>
>> >>
>> >> ---------- Forwarded message ----------
>> >> From: <an...@apache.org>
>> >> Date: 2015-05-07 22:03 GMT+02:00
>> >> Subject: tomee git commit: TomEE header
>> >> To: commits@tomee.apache.org
>> >>
>> >>
>> >> Repository: tomee
>> >> Updated Branches:
>> >>    refs/heads/master 2c4047e14 -> 268b57c86
>> >>
>> >>
>> >> TomEE header
>> >>
>> >>
>> >> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>> >> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>> >> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>> >> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>> >>
>> >> Branch: refs/heads/master
>> >> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>> >> Parents: 2c4047e
>> >> Author: andygumbrecht@apache.org <an...@gmx.de>
>> >> Authored: Thu May 7 22:03:35 2015 +0200
>> >> Committer: andygumbrecht@apache.org <an...@gmx.de>
>> >> Committed: Thu May 7 22:03:35 2015 +0200
>> >>
>> >> ----------------------------------------------------------------------
>> >>   .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>> >>   .../java/org/apache/tomee/installer/Installer.java | 17
>> +++++++++++++++++
>> >>   2 files changed, 18 insertions(+), 1 deletion(-)
>> >> ----------------------------------------------------------------------
>> >>
>> >>
>> >>
>> >>
>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>> >> ----------------------------------------------------------------------
>> >> diff --git
>> >>
>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>> >>
>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>> >> index 70fcf6f..17731b9 100644
>> >> ---
>> >>
>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>> >> +++
>> >>
>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>> >> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>> >>               "  <!-- TomEE plugin for Tomcat -->\n" +
>> >>               "  <Listener
>> >> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>> >>               "  <Service name=\"Catalina\">\n" +
>> >> -            "    <Connector port=\"" + http + "\"
>> protocol=\"HTTP/1.1\"
>> >> />\n" +
>> >> +            "    <Connector port=\"" + http + "\"
>> protocol=\"HTTP/1.1\"
>> >> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>> >>               "    <Engine name=\"Catalina\"
>> defaultHost=\"localhost\">\n" +
>> >>               "      <Host name=\"localhost\"  appBase=\"webapps\"\n" +
>> >>               "            unpackWARs=\"true\" autoDeploy=\"true\">\n"
>> +
>> >>
>> >>
>> >>
>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>> >> ----------------------------------------------------------------------
>> >> diff --git
>> >>
>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>> >>
>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>> >> index 0308c3d..60bd8f7 100644
>> >> ---
>> >>
>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>> >> +++
>> >>
>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>> >> @@ -448,6 +448,23 @@ public class Installer implements
>> InstallerInterface {
>> >>               alerts.addError("Error while adding listener to
>> server.xml
>> >> file", e);
>> >>           }
>> >>
>> >> +        //Add TomEE header
>> >> +        try {
>> >> +            newServerXml = Installers.replace(serverXmlOriginal,
>> >> +                    "<Connector port=\"8080\"",
>> >> +                    "<Connector port=\"8080\"",
>> >> +                    "/>",
>> >> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>> />");
>> >> +
>> >> +            newServerXml = Installers.replace(serverXmlOriginal,
>> >> +                    "<Connector port=\"8443\"",
>> >> +                    "<Connector port=\"8443\"",
>> >> +                    "/>",
>> >> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>> />");
>> >> +        } catch (final IOException e) {
>> >> +            alerts.addError("Error adding server attribute to
>> server.xml
>> >> file", e);
>> >> +        }
>> >> +
>> >>           // overwrite server.xml
>> >>           if (Installers.writeAll(paths.getServerXmlFile(),
>> newServerXml,
>> >> alerts)) {
>> >>               alerts.addInfo("Add OpenEJB listener to server.xml");
>> >>
>> >>
>> >>
>>
>> --
>>    Andy Gumbrecht
>>    https://twitter.com/AndyGeeDe
>>
>>

Re: tomee git commit: TomEE header

Posted by Jay McHugh <ja...@gmail.com>.
Shouldn't the header include a version number then (at least a major
version) so that it can be differentiated between TomEE 1.5.x, 1.6.x,
1.7.x, etc?

It is a little bit more to remember to change but I think that it would be
at least as valuable as the change from Tomcat to TomEE.

No?

On Thu, May 7, 2015 at 4:11 PM Andy <an...@gmx.de> wrote:

> Some crawlers are using that header as the evaluation. Default is Apache
> Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give
> us better standing.
>
> Andy.
>
> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
> > PS (sorry hit enter without wishing it): asking cause I wouldn't have it
> on
> > by default as a user
> >
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > <http://rmannibucau.wordpress.com> | Github <
> https://github.com/rmannibucau> |
> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> > <http://www.tomitribe.com>
> >
> > 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <rm...@gmail.com>:
> >
> >> Hi
> >>
> >> What's the goal? We already switch server info, isn't it enough?
> >>
> >> Romain Manni-Bucau
> >> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >> <http://rmannibucau.wordpress.com> | Github
> >> <https://github.com/rmannibucau> | LinkedIn
> >> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> >> <http://www.tomitribe.com>
> >>
> >> ---------- Forwarded message ----------
> >> From: <an...@apache.org>
> >> Date: 2015-05-07 22:03 GMT+02:00
> >> Subject: tomee git commit: TomEE header
> >> To: commits@tomee.apache.org
> >>
> >>
> >> Repository: tomee
> >> Updated Branches:
> >>    refs/heads/master 2c4047e14 -> 268b57c86
> >>
> >>
> >> TomEE header
> >>
> >>
> >> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
> >> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
> >> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
> >> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
> >>
> >> Branch: refs/heads/master
> >> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
> >> Parents: 2c4047e
> >> Author: andygumbrecht@apache.org <an...@gmx.de>
> >> Authored: Thu May 7 22:03:35 2015 +0200
> >> Committer: andygumbrecht@apache.org <an...@gmx.de>
> >> Committed: Thu May 7 22:03:35 2015 +0200
> >>
> >> ----------------------------------------------------------------------
> >>   .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
> >>   .../java/org/apache/tomee/installer/Installer.java | 17
> +++++++++++++++++
> >>   2 files changed, 18 insertions(+), 1 deletion(-)
> >> ----------------------------------------------------------------------
> >>
> >>
> >>
> >>
> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >> ----------------------------------------------------------------------
> >> diff --git
> >>
> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >>
> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >> index 70fcf6f..17731b9 100644
> >> ---
> >>
> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >> +++
> >>
> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
> >>               "  <!-- TomEE plugin for Tomcat -->\n" +
> >>               "  <Listener
> >> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
> >>               "  <Service name=\"Catalina\">\n" +
> >> -            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\"
> >> />\n" +
> >> +            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\"
> >> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
> >>               "    <Engine name=\"Catalina\"
> defaultHost=\"localhost\">\n" +
> >>               "      <Host name=\"localhost\"  appBase=\"webapps\"\n" +
> >>               "            unpackWARs=\"true\" autoDeploy=\"true\">\n" +
> >>
> >>
> >>
> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> >> ----------------------------------------------------------------------
> >> diff --git
> >>
> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> >>
> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> >> index 0308c3d..60bd8f7 100644
> >> ---
> >>
> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> >> +++
> >>
> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> >> @@ -448,6 +448,23 @@ public class Installer implements
> InstallerInterface {
> >>               alerts.addError("Error while adding listener to server.xml
> >> file", e);
> >>           }
> >>
> >> +        //Add TomEE header
> >> +        try {
> >> +            newServerXml = Installers.replace(serverXmlOriginal,
> >> +                    "<Connector port=\"8080\"",
> >> +                    "<Connector port=\"8080\"",
> >> +                    "/>",
> >> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
> >> +
> >> +            newServerXml = Installers.replace(serverXmlOriginal,
> >> +                    "<Connector port=\"8443\"",
> >> +                    "<Connector port=\"8443\"",
> >> +                    "/>",
> >> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
> >> +        } catch (final IOException e) {
> >> +            alerts.addError("Error adding server attribute to
> server.xml
> >> file", e);
> >> +        }
> >> +
> >>           // overwrite server.xml
> >>           if (Installers.writeAll(paths.getServerXmlFile(),
> newServerXml,
> >> alerts)) {
> >>               alerts.addInfo("Add OpenEJB listener to server.xml");
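
Review bot: Both Installers.replace calls in the added try block read from serverXmlOriginal and assign to newServerXml, so the second call overwrites the result of the first: the port 8080 connector never receives the new attributes, and if the listener step above stored its result in newServerXml, that edit is lost too before writeAll runs. Pass newServerXml as the first argument to both calls so the edits chain. The match strings also hard-code ports 8080 and 8443, so a server.xml whose connectors use other ports would not match; consider matching on the Connector element itself or adding an alert when nothing was replaced.
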
> >>
> >>
> >>
>
> --
>    Andy Gumbrecht
>    https://twitter.com/AndyGeeDe
>
>

Re: tomee git commit: TomEE header

Posted by Andy <an...@gmx.de>.
Hey, there is this thing called an atomic bomb ....but don't press the 
red button. :-D

On 08/05/2015 00:19, Andy wrote:
> I was just thinking 'Kindergarten', how strange...
>
> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
>> hmm this answer doesnt make sense for me, I surely miss something but 
>> read
>> it like "hey there is this property you can switch on true but if you
>> google you'll see you shouldn't"
>>
>>
>> Romain Manni-Bucau
>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>> <http://rmannibucau.wordpress.com> | Github 
>> <https://github.com/rmannibucau> |
>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>> <http://www.tomitribe.com>
>>
>> 2015-05-08 0:15 GMT+02:00 Andy <an...@gmx.de>:
>>
>>> This is what I said and the reason I changed it. And yes the constants
>>> have that for 'server' now, and have also had other values in the past.
>>>
>>> So to be even more complete and correct myself.... changed it from 
>>> "Apache
>>> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>>
>>> @Romain: "you encourage it by making it on the front of the scene."
>>>
>>> That's like saying I'm encouraging someone to change the 'port', 
>>> which is
>>> also potentially dangerous when put into the hands of an idiot.
>>> I like, and hope, to think that exposing a property would encourage
>>> someone to look it up before changing it blindly. The very first 
>>> google hit
>>> on 'xpoweredBy' will enlighten even the most fickle reader.
>>>
>>> Sorry if my opinion just does not fit in on that. Another hour of my 
>>> life
>>> wasted.
>>>
>>> Andy.
>>>
>>>
>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>>
>>>> 2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:
>>>>
>>>>   Also, for completeness:
>>>>> xpoweredBy="*false*" activates nothing, if it were 
>>>>> xpoweredBy="*true*"
>>>>> then maybe that might just 'activate' whatever it is you think is 
>>>>> being
>>>>> activated here?
>>>>>
>>>>>
>>>>>   you encourage it by making it on the front of the scene.
>>>>
>>>>   server="*Apache TomEE*" merely changes the existing value and also
>>>>> 'activates' nothing. I don't see where you think this is a security
>>>>> issue?
>>>>> Happy to learn though, so please point me to the specific code 
>>>>> that this
>>>>> affects?
>>>>>
>>>>>
>>>>>   it is on by default is not overrided by the app.
>>>>
>>>>   Andy.
>>>>> On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>>
>>>>>   You activated 2 different headers which is useless since we change
>>>>>> serverinfo by default you already get tomee here.
>>>>>>
>>>>>> That said this is not the real issue. Doing it is a standard 
>>>>>> security
>>>>>> issue, that is why it is off by default in tomcat so I suggest to 
>>>>>> not
>>>>>> set
>>>>>> it on by default
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Romain Manni-Bucau
>>>>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog
>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>> https://github.com/rmannibucau> |
>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>> <http://www.tomitribe.com>
>>>>>>
>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>
>>>>>>    Some crawlers are using that header as the evaluation. Default is
>>>>>> Apache
>>>>>>
>>>>>>> Tomcat 7.0.x etc and it is always on, so having Apache TomEE 
>>>>>>> will give
>>>>>>> us
>>>>>>> better standing.
>>>>>>>
>>>>>>> Andy.
>>>>>>>
>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>>
>>>>>>>    PS (sorry hit enter without wishing it): asking cause I wouldn't
>>>>>>> have it
>>>>>>>
>>>>>>>> on
>>>>>>>> by default as a user
>>>>>>>>
>>>>>>>>
>>>>>>>> Romain Manni-Bucau
>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>>> https://github.com/rmannibucau> |
>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>
>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau 
>>>>>>>> <rmannibucau@gmail.com
>>>>>>>>> :
>>>>>>>>     Hi
>>>>>>>>
>>>>>>>>   What's the goal? We already switch server info,isnt it enough?
>>>>>>>>> Romain Manni-Bucau
>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>> <http://rmannibucau.wordpress.com> | Github
>>>>>>>>> <https://github.com/rmannibucau> | LinkedIn
>>>>>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ---------- Forwarded message ----------
>>>>>>>>> From: <an...@apache.org>
>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>>>> To: commits@tomee.apache.org
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Repository: tomee
>>>>>>>>> Updated Branches:
>>>>>>>>>       refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> TomEE header
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>>>> Commit: 
>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>>>
>>>>>>>>> Branch: refs/heads/master
>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>>>> Parents: 2c4047e
>>>>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ---------------------------------------------------------------------- 
>>>>>>>>>
>>>>>>>>> .../apache/tomee/RemoteTomEEEJBContainerIT.java |  2 +-
>>>>>>>>> .../java/org/apache/tomee/installer/Installer.java | 17
>>>>>>>>> +++++++++++++++++
>>>>>>>>>      2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>>>
>>>>>>>>> ---------------------------------------------------------------------- 
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java 
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ---------------------------------------------------------------------- 
>>>>>>>>>
>>>>>>>>> diff --git
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java 
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java 
>>>>>>>>>
>>>>>>>>> index 70fcf6f..17731b9 100644
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java 
>>>>>>>>>
>>>>>>>>> +++
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java 
>>>>>>>>>
>>>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>>>>>                  "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>>>>>                  "  <Listener
>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>>>>>>                  "  <Service name=\"Catalina\">\n" +
>>>>>>>>> -            "    <Connector port=\"" + http + "\"
>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>> />\n" +
>>>>>>>>> +            "    <Connector port=\"" + http + "\"
>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>>>>>                  "    <Engine name=\"Catalina\"
>>>>>>>>> defaultHost=\"localhost\">\n" +
>>>>>>>>>                  "      <Host name=\"localhost\"
>>>>>>>>> appBase=\"webapps\"\n"
>>>>>>>>> +
>>>>>>>>>                  "            unpackWARs=\"true\"
>>>>>>>>> autoDeploy=\"true\">\n" +
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java 
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ---------------------------------------------------------------------- 
>>>>>>>>>
>>>>>>>>> diff --git
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java 
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java 
>>>>>>>>>
>>>>>>>>> index 0308c3d..60bd8f7 100644
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java 
>>>>>>>>>
>>>>>>>>> +++
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java 
>>>>>>>>>
>>>>>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>>>>>> InstallerInterface {
>>>>>>>>>                  alerts.addError("Error while adding listener to
>>>>>>>>> server.xml
>>>>>>>>> file", e);
>>>>>>>>>              }
>>>>>>>>>
>>>>>>>>> +        //Add TomEE header
>>>>>>>>> +        try {
>>>>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>> +                    "/>",
>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache 
>>>>>>>>> TomEE\"
>>>>>>>>> />");
>>>>>>>>> +
>>>>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>> +                    "/>",
>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache 
>>>>>>>>> TomEE\"
>>>>>>>>> />");
>>>>>>>>> +        } catch (final IOException e) {
>>>>>>>>> +            alerts.addError("Error adding server attribute to
>>>>>>>>> server.xml
>>>>>>>>> file", e);
>>>>>>>>> +        }
>>>>>>>>> +
>>>>>>>>>              // overwrite server.xml
>>>>>>>>>              if (Installers.writeAll(paths.getServerXmlFile(),
>>>>>>>>> newServerXml,
>>>>>>>>> alerts)) {
>>>>>>>>>                  alerts.addInfo("Add OpenEJB listener to 
>>>>>>>>> server.xml");
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>    --
>>>>>>>>>
>>>>>>>>      Andy Gumbrecht
>>>>>>>      https://twitter.com/AndyGeeDe
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>   --
>>>>>     Andy Gumbrecht
>>>>>     https://twitter.com/AndyGeeDe
>>>>>
>>>>>
>>>>>
>>> -- 
>>>    Andy Gumbrecht
>>>    https://twitter.com/AndyGeeDe
>>>
>>>
>

-- 
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe


Re: tomee git commit: TomEE header

Posted by Romain Manni-Bucau <rm...@gmail.com>.
That is the state with our defaults. Changing them is an option. Happy to
secure tomee by default but no time atm
On 8 May 2015 14:45, "Mark Struberg" <st...@yahoo.de> wrote:

> > What is the link?
>
> You are arguing that by hiding our identity we are more secure. And that’s
> simply not true.
>
>
> > Note also it breaks some monitoring tools like wz broke atmosphere
>
> The same can happen if the user changes the id string manually or if they
> are running behind a proxy/firewall.
> So not an issue. And vendors will adopt very quickly.
>
> LieGrue,
> strub
>
>
>
> > On 08.05.2015 at 13:06, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> >
> > On 8 May 2015 11:40, "Mark Struberg" <st...@yahoo.de> wrote:
> >>
> >>> you make tomee easily identifiable compared to tomcat (= any java server of
> >>> the web more or less). This way it is super easy to know that you can
> >>> exploit a cxf issue for instance, thing you don’t know with default header.
> >>
> >> Folks, let's weigh the upsides and downsides
> >>
> >> * upside: we show up in stats
> >>
> >> * downside: easier to get hacked? WHY?
> >> All the scripts I do know are really blunt brute force. They f***g don’t
> >> care about ANY headers. Of course they probably _sort_ their attacks, but
> >> still they will use ALL vectors they have.
> >> Brute force attacks are almost never executed from the origin but always
> >> hidden and executed by a zombie mob of hacked clients. So the origin
> >> doesn’t care if some old grandma's Win98 PC needs a few seconds longer to
> >> hack your server.
> >>
> >
> > Origin? What is the link? Scanners on aws are more and more clever. I can't
> > be sure yet they use resp headers but I wouldn't take the risk in particular
> > while default profile is used in tomee - dev one.
> >
> >> So basically it makes no sense to hide the fact that a server is running
> >> TomEE.
> >>
> >
> > Note also it breaks some monitoring tools like wz broke atmosphere changing
> > server info (mea culpa but nobody said anything :()
> >
> >>
> >> LieGrue,
> >> strub
> >>
> >>
> >>
> >>> On 08.05.2015 at 00:34, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> >>>
> >>> 2015-05-08 0:32 GMT+02:00 Andy <an...@gmx.de>:
> >>>
> >>>> Yes yes whatever, you win (not that this was ever intended to be a
> >>>> competition, you just seem to enjoy making it into one every single
> >>>> time)... I am going to bed. Complete waste of my time. You still imply that
> >>>> I have unsecured something?
> >>>>
> >>>>
> >>> you make tomee easily identifiable compared to tomcat (= any java server of
> >>> the web more or less). This way it is super easy to know that you can
> >>> exploit a cxf issue for instance, thing you don't know with default header.
> >>>
> >>>
> >>>> On 08/05/2015 00:26, Romain Manni-Bucau wrote:
> >>>>
> >>>>> not what I said.
> >>>>>
> >>>>> I said:
> >>>>> 1) over exposing a variable you shouldnt activate is useless
> >>>>> 2) we shouldnt set Apache TomEE to server variable by default
> >>>>>
> >>>>> Happy to replace these defaults by a server.xml.sample or anything you
> >>>>> judge appropriated while we stay aligned on tomcat default secured
> >>>>> settings
> >>>>> (also note that Apache Coyote is secured cause most of servers have it
> >>>>> otherwise it would be as Apache TomEE)
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> Romain Manni-Bucau
> >>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >>>>> <http://rmannibucau.wordpress.com> | Github <
> >>>>> https://github.com/rmannibucau> |
> >>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> >>>>> <http://www.tomitribe.com>
> >>>>>
> >>>>> 2015-05-08 0:24 GMT+02:00 Andy <an...@gmx.de>:
> >>>>>
> >>>>> Hmm, so why do you want to treat the system administrator like one?
> >>>>>>
> >>>>>> On 08/05/2015 00:21, Romain Manni-Bucau wrote:
> >>>>>>
> >>>>>> Sure security is all about children...
> >>>>>>>
> >>>>>>>
> >>>>>>> Romain Manni-Bucau
> >>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >>>>>>> <http://rmannibucau.wordpress.com> | Github <
> >>>>>>> https://github.com/rmannibucau> |
> >>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> >>>>>>> <http://www.tomitribe.com>
> >>>>>>>
> >>>>>>> 2015-05-08 0:19 GMT+02:00 Andy <an...@gmx.de>:
> >>>>>>>
> >>>>>>> I was just thinking 'Kindergarten', how strange...
> >>>>>>>
> >>>>>>>> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
> >>>>>>>>
> >>>>>>>> hmm this answer doesnt make sense for me, I surely miss something
> > but
> >>>>>>>>
> >>>>>>>>> read
> >>>>>>>>> it like "hey there is this property you can switch on true but if
> > you
> >>>>>>>>> google you'll see you shouldn't"
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Romain Manni-Bucau
> >>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
> >>>>>>>>> https://github.com/rmannibucau> |
> >>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> >>>>>>>>> <http://www.tomitribe.com>
> >>>>>>>>>
> >>>>>>>>> 2015-05-08 0:15 GMT+02:00 Andy <an...@gmx.de>:
> >>>>>>>>>
> >>>>>>>>>  This is what I said and the reason I changed it. And yes the
> >>>>>>>>> constants
> >>>>>>>>>
> >>>>>>>>> have that for 'server' now, and have also had other values in the
> >>>>>>>>>> past.
> >>>>>>>>>>
> >>>>>>>>>> So to be even more complete and correct myself.... changed it
> > from
> >>>>>>>>>> "Apache
> >>>>>>>>>> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
> >>>>>>>>>>
> >>>>>>>>>> @Romain: "you encourage it by making it on the front of the
> > scene."
> >>>>>>>>>>
> >>>>>>>>>> That's like saying I'm encouraging someone to change the 'port',
> >>>>>>>>>> which
> >>>>>>>>>> is
> >>>>>>>>>> also potentially dangerous when put into the hands of an idiot.
> >>>>>>>>>> I like, and hope, to think that exposing a property would
> > encourage
> >>>>>>>>>> someone to look it up before changing it blindly. The very first
> >>>>>>>>>> google
> >>>>>>>>>> hit
> >>>>>>>>>> on 'xpoweredBy' will enlighten even the most fickle reader.
> >>>>>>>>>>
> >>>>>>>>>> Sorry if my opinion just does not fit in on that. Another hour
> > of my
> >>>>>>>>>> life
> >>>>>>>>>> wasted.
> >>>>>>>>>>
> >>>>>>>>>> Andy.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
> >>>>>>>>>>
> >>>>>>>>>>  2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:
> >>>>>>>>>>
> >>>>>>>>>>    Also, for completeness:
> >>>>>>>>>>>
> >>>>>>>>>>> xpoweredBy="*false*" activates nothing, if it were
> >>>>>>>>>>>
> >>>>>>>>>>>> xpoweredBy="*true*"
> >>>>>>>>>>>> then maybe that might just 'activate' whatever it is you think
> > is
> >>>>>>>>>>>> being
> >>>>>>>>>>>> activated here?
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>   you encourage it by making it on the front of the scene.
> >>>>>>>>>>>>
> >>>>>>>>>>>>    server="*Apache TomEE*" merely changes the existing value
> > and
> >>>>>>>>>>>>
> >>>>>>>>>>> also
> >>>>>>>>>>>
> >>>>>>>>>>> 'activates' nothing. I don't see where you think this is a
> >>>>>>>>>>> security
> >>>>>>>>>>>
> >>>>>>>>>>>> issue?
> >>>>>>>>>>>> Happy to learn though, so please point me to the specific code
> > that
> >>>>>>>>>>>> this
> >>>>>>>>>>>> affects?
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>   it is on by default is not overrided by the app.
> >>>>>>>>>>>>
> >>>>>>>>>>>>    Andy.
> >>>>>>>>>>>>
> >>>>>>>>>>> On 07/05/2015 23:21, Romain Manni-Bucau wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>>   You activated 2 different headers which is useless since we
> >>>>>>>>>>>> change
> >>>>>>>>>>>>
> >>>>>>>>>>>> serverinfo by default you already get tomee here.
> >>>>>>>>>>>>
> >>>>>>>>>>>>> That said this is not the real issue. Doing it is a standard
> >>>>>>>>>>>>> security
> >>>>>>>>>>>>> issue, that is why it is off by default in tomcat so I
> > suggest to
> >>>>>>>>>>>>> not
> >>>>>>>>>>>>> set
> >>>>>>>>>>>>> it on by default
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Romain Manni-Bucau
> >>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
> >>>>>>>>>>>>> https://github.com/rmannibucau> |
> >>>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> |
> > Tomitriber
> >>>>>>>>>>>>> <http://www.tomitribe.com>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>    Some crawlers are using that header as the evaluation.
> >>>>>>>>>>>>> Default
> >>>>>>>>>>>>> is
> >>>>>>>>>>>>> Apache
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>  Tomcat 7.0.x etc and it is always on, so having Apache TomEE
> >>>>>>>>>>>>> will
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> give
> >>>>>>>>>>>>>> us
> >>>>>>>>>>>>>> better standing.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Andy.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>    PS (sorry hit enter without wishing it): asking cause I
> >>>>>>>>>>>>>> wouldn't
> >>>>>>>>>>>>>> have it
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>  on
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> by default as a user
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Romain Manni-Bucau
> >>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >>>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
> >>>>>>>>>>>>>>> https://github.com/rmannibucau> |
> >>>>>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> |
> > Tomitriber
> >>>>>>>>>>>>>>> <http://www.tomitribe.com>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <
> >>>>>>>>>>>>>>> rmannibucau@gmail.com
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> :
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>      Hi
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>   What's the goal? We already switch server info,isnt it
> >>>>>>>>>>>>>>> enough?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Romain Manni-Bucau
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >>>>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github
> >>>>>>>>>>>>>>>> <https://github.com/rmannibucau> | LinkedIn
> >>>>>>>>>>>>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> >>>>>>>>>>>>>>>> <http://www.tomitribe.com>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> ---------- Forwarded message ----------
> >>>>>>>>>>>>>>>> From: <an...@apache.org>
> >>>>>>>>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
> >>>>>>>>>>>>>>>> Subject: tomee git commit: TomEE header
> >>>>>>>>>>>>>>>> To: commits@tomee.apache.org
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Repository: tomee
> >>>>>>>>>>>>>>>> Updated Branches:
> >>>>>>>>>>>>>>>>       refs/heads/master 2c4047e14 -> 268b57c86
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> TomEE header
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Project:
> http://git-wip-us.apache.org/repos/asf/tomee/repo
> >>>>>>>>>>>>>>>> Commit:
> >>>>>>>>>>>>>>>>
> > http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
> >>>>>>>>>>>>>>>> Tree:
> >>>>>>>>>>>>>>>>
> http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
> >>>>>>>>>>>>>>>> Diff:
> >>>>>>>>>>>>>>>>
> http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Branch: refs/heads/master
> >>>>>>>>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
> >>>>>>>>>>>>>>>> Parents: 2c4047e
> >>>>>>>>>>>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
> >>>>>>>>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
> >>>>>>>>>>>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
> >>>>>>>>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> > ----------------------------------------------------------------------
> >>>>>>>>>>>>>>>>      .../apache/tomee/RemoteTomEEEJBContainerIT.java
> > |  2
> >>>>>>>>>>>>>>>> +-
> >>>>>>>>>>>>>>>>      .../java/org/apache/tomee/installer/Installer.java |
> > 17
> >>>>>>>>>>>>>>>> +++++++++++++++++
> >>>>>>>>>>>>>>>>      2 files changed, 18 insertions(+), 1 deletion(-)
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> > ----------------------------------------------------------------------
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> > ----------------------------------------------------------------------
> >>>>>>>>>>>>>>>> diff --git
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >>>>>>>>>>>>>>>> index 70fcf6f..17731b9 100644
> >>>>>>>>>>>>>>>> ---
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >>>>>>>>>>>>>>>> +++
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >>>>>>>>>>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
> >>>>>>>>>>>>>>>>                  "  <!-- TomEE plugin for Tomcat -->\n" +
> >>>>>>>>>>>>>>>>                  "  <Listener
> >>>>>>>>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\"
> > />\n" +
> >>>>>>>>>>>>>>>>                  "  <Service name=\"Catalina\">\n" +
> >>>>>>>>>>>>>>>> -            "    <Connector port=\"" + http + "\"
> >>>>>>>>>>>>>>>> protocol=\"HTTP/1.1\"
> >>>>>>>>>>>>>>>> />\n" +
> >>>>>>>>>>>>>>>> +            "    <Connector port=\"" + http + "\"
> >>>>>>>>>>>>>>>> protocol=\"HTTP/1.1\"
> >>>>>>>>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
> >>>>>>>>>>>>>>>>                  "    <Engine name=\"Catalina\"
> >>>>>>>>>>>>>>>> defaultHost=\"localhost\">\n" +
> >>>>>>>>>>>>>>>>                  "      <Host name=\"localhost\"
> >>>>>>>>>>>>>>>> appBase=\"webapps\"\n"
> >>>>>>>>>>>>>>>> +
> >>>>>>>>>>>>>>>>                  "            unpackWARs=\"true\"
> >>>>>>>>>>>>>>>> autoDeploy=\"true\">\n" +
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> > ----------------------------------------------------------------------
> >>>>>>>>>>>>>>>> diff --git
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> >>>>>>>>>>>>>>>> index 0308c3d..60bd8f7 100644
> >>>>>>>>>>>>>>>> ---
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> >>>>>>>>>>>>>>>> +++
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> >>>>>>>>>>>>>>>> @@ -448,6 +448,23 @@ public class Installer implements
> >>>>>>>>>>>>>>>> InstallerInterface {
> >>>>>>>>>>>>>>>>                  alerts.addError("Error while adding
> >>>>>>>>>>>>>>>> listener to
> >>>>>>>>>>>>>>>> server.xml
> >>>>>>>>>>>>>>>> file", e);
> >>>>>>>>>>>>>>>>              }
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> +        //Add TomEE header
> >>>>>>>>>>>>>>>> +        try {
> >>>>>>>>>>>>>>>> +            newServerXml =
> >>>>>>>>>>>>>>>> Installers.replace(serverXmlOriginal,
> >>>>>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
> >>>>>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
> >>>>>>>>>>>>>>>> +                    "/>",
> >>>>>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
> >>>>>>>>>>>>>>>> TomEE\"
> >>>>>>>>>>>>>>>> />");
> >>>>>>>>>>>>>>>> +
> >>>>>>>>>>>>>>>> +            newServerXml =
> >>>>>>>>>>>>>>>> Installers.replace(serverXmlOriginal,
> >>>>>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
> >>>>>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
> >>>>>>>>>>>>>>>> +                    "/>",
> >>>>>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
> >>>>>>>>>>>>>>>> TomEE\"
> >>>>>>>>>>>>>>>> />");
> >>>>>>>>>>>>>>>> +        } catch (final IOException e) {
> >>>>>>>>>>>>>>>> +            alerts.addError("Error adding server
> > attribute to
> >>>>>>>>>>>>>>>> server.xml
> >>>>>>>>>>>>>>>> file", e);
> >>>>>>>>>>>>>>>> +        }
> >>>>>>>>>>>>>>>> +
> >>>>>>>>>>>>>>>>              // overwrite server.xml
> >>>>>>>>>>>>>>>>              if
> >>>>>>>>>>>>>>>> (Installers.writeAll(paths.getServerXmlFile(),
> >>>>>>>>>>>>>>>> newServerXml,
> >>>>>>>>>>>>>>>> alerts)) {
> >>>>>>>>>>>>>>>>                  alerts.addInfo("Add OpenEJB listener to
> >>>>>>>>>>>>>>>> server.xml");
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>    --
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>       Andy Gumbrecht
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>       https://twitter.com/AndyGeeDe
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>   --
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>      Andy Gumbrecht
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>     https://twitter.com/AndyGeeDe
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>  --
> >>>>>>>>>>>>
> >>>>>>>>>>>>     Andy Gumbrecht
> >>>>>>>>>>>
> >>>>>>>>>>    https://twitter.com/AndyGeeDe
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> --
> >>>>>>>>>>
> >>>>>>>>>   Andy Gumbrecht
> >>>>>>>>   https://twitter.com/AndyGeeDe
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>  Andy Gumbrecht
> >>>>>>  https://twitter.com/AndyGeeDe
> >>>>>>
> >>>>>>
> >>>>>>
> >>>> --
> >>>> Andy Gumbrecht
> >>>> https://twitter.com/AndyGeeDe
> >>>>
> >>>>
> >>
>
>
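
The two Connector attributes argued over in this thread, read back from a server.xml so an administrator can see what each connector is configured to advertise. This is an added example, not part of any message here and not TomEE's own code; the sample XML, the function names and port 8081 are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: shaped like the server.xml in the patch's test, with one
# connector carrying the patch's attributes, one left at the container
# defaults, and one with xpoweredBy switched on.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.tomee.catalina.ServerListener" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               xpoweredBy="false" server="Apache TomEE" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
    <Connector port="8081" protocol="HTTP/1.1" xpoweredBy="true" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return one dict per <Connector>, in document order.

    'server' is the configured Server header value, or None when the
    attribute is absent and the connector falls back to its built-in value.
    'xpoweredBy' is the effective setting (absent means false, the default).
    """
    root = ET.fromstring(server_xml)
    report = []
    for connector in root.iter("Connector"):
        server = connector.get("server")
        xpowered = connector.get("xpoweredBy", "false").strip().lower() == "true"
        notes = []
        if server is not None:
            notes.append("Server header overridden: %r" % server)
        if xpowered:
            notes.append("X-Powered-By header enabled")
        report.append({
            "port": connector.get("port"),
            "server": server,
            "xpoweredBy": xpowered,
            # True when the attribute is spelled out, even if it only
            # restates the default.
            "explicit_xpoweredBy": "xpoweredBy" in connector.attrib,
            "notes": notes,
        })
    return report


def connectors_naming_product(report, product="tomee"):
    """Ports whose configured Server value contains the product name."""
    return [entry["port"] for entry in report
            if entry["server"] and product.lower() in entry["server"].lower()]


if __name__ == "__main__":
    for entry in audit_connectors(SAMPLE_SERVER_XML):
        print(entry["port"], entry["notes"] or ["defaults"])
```

Run it against the server.xml an installer actually wrote to confirm which connectors received the attributes and which were left at their defaults.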

Re: tomee git commit: TomEE header

Posted by Mark Struberg <st...@yahoo.de>.
> What is the link?

You are arguing that by hiding our identity we are more secure. And that’s simply not true. 


> Note also it breaks some monitoring tools like wz broke atmosphere

The same can happen if the user changes the id string manually or if they are running behind a proxy/firewall. 
So not an issue. And vendors will adopt very quickly.

LieGrue,
strub



> On 08.05.2015 at 13:06, Romain Manni-Bucau <rm...@gmail.com> wrote:
> 
> On 8 May 2015 11:40, "Mark Struberg" <st...@yahoo.de> wrote:
>> 
>>> you make tomee easily identifiable compared to tomcat (= any java server of
>>> the web more or less). This way it is super easy to know that you can
>>> exploit a cxf issue for instance, thing you don’t know with default header.
>> 
>> Folks, let's weigh the upsides and downsides
>> 
>> * upside: we show up in stats
>> 
>> * downside: easier to get hacked? WHY?
>> All the scripts I do know are really blunt brute force. They f***g don’t
>> care about ANY headers. Of course they probably _sort_ their attacks, but
>> still they will use ALL vectors they have.
>> Brute force attacks are almost never executed from the origin but always
>> hidden and executed by a zombie mob of hacked clients. So the origin
>> doesn’t care if some old grandma's Win98 PC needs a few seconds longer to
>> hack your server.
>> 
> 
> Origin? What is the link? Scanners on aws are more and more clever. I can't
> be sure yet they use resp headers but I wouldn't take the risk in particular
> while default profile is used in tomee - dev one.
> 
>> So basically it makes no sense to hide the fact that a server is running
>> TomEE.
>> 
> 
> Note also it breaks some monitoring tools like wz broke atmosphere changing
> server info (mea culpa but nobody said anything :()
> 
>> 
>> LieGrue,
>> strub
>> 
>> 
>> 
>>> On 08.05.2015 at 00:34, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>>>
>>> 2015-05-08 0:32 GMT+02:00 Andy <an...@gmx.de>:
>>>
>>>> Yes yes whatever, you win (not that this was ever intended to be a
>>>> competition, you just seem to enjoy making it into one every single
>>>> time)... I am going to bed. Complete waste of my time. You still imply that
>>>> I have unsecured something?
>>>>
>>>>
>>> you make tomee easily identifiable compared to tomcat (= any java server of
>>> the web more or less). This way it is super easy to know that you can
>>> exploit a cxf issue for instance, thing you don't know with default header.
>>> 
>>> 
>>>> On 08/05/2015 00:26, Romain Manni-Bucau wrote:
>>>> 
>>>>> not what I said.
>>>>> 
>>>>> I said:
>>>>> 1) over exposing a variable you shouldnt activate is useless
>>>>> 2) we shouldnt set Apache TomEE to server variable by default
>>>>> 
>>>>> Happy to replace these defaults by a server.xml.sample or anothing you
>>>>> judge appropriated while we stay aligned on tomcat default secured
>>>>> settings
>>>>> (also note that Apache Coyote is secured cause most of servers have it
>>>>> otherwise it would be as Apache TomEE)
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> Romain Manni-Bucau
>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>> https://github.com/rmannibucau> |
>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>> <http://www.tomitribe.com>
>>>>> 
>>>>> 2015-05-08 0:24 GMT+02:00 Andy <an...@gmx.de>:
>>>>> 
>>>>> Hmm, so why do you want to treat the system administrator like one?
>>>>>> 
>>>>>> On 08/05/2015 00:21, Romain Manni-Bucau wrote:
>>>>>> 
>>>>>> Sure security is all about children...
>>>>>>> 
>>>>>>> 
>>>>>>> Romain Manni-Bucau
>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>> https://github.com/rmannibucau> |
>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>> <http://www.tomitribe.com>
>>>>>>> 
>>>>>>> 2015-05-08 0:19 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>> 
>>>>>>> I was just thinking 'Kindergarten', how strange...
>>>>>>> 
>>>>>>>> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
>>>>>>>> 
>>>>>>>> hmm this answer doesnt make sense for me, I surely miss something
> but
>>>>>>>> 
>>>>>>>>> read
>>>>>>>>> it like "hey there is this property you can switch on true but if
> you
>>>>>>>>> google you'll see you shouldn't"
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Romain Manni-Bucau
>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>>>> https://github.com/rmannibucau> |
>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>> 
>>>>>>>>> 2015-05-08 0:15 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>>> 
>>>>>>>>>  This is what I said and the reason I changed it. And yes the
>>>>>>>>> constants
>>>>>>>>> 
>>>>>>>>> have that for 'server' now, and have also had other values in the
>>>>>>>>>> past.
>>>>>>>>>> 
>>>>>>>>>> So to be even more complete and correct myself.... changed it
> from
>>>>>>>>>> "Apache
>>>>>>>>>> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>>>>>>>>> 
>>>>>>>>>> @Romain: "you encourage it by making it on the front of the
> scene."
>>>>>>>>>> 
>>>>>>>>>> That's like saying I'm encouraging someone to change the 'port',
>>>>>>>>>> which
>>>>>>>>>> is
>>>>>>>>>> also potentially dangerous when put into the hands of an idiot.
>>>>>>>>>> I like, and hope, to think that exposing a property would
> encourage
>>>>>>>>>> someone to look it up before changing it blindly. The very first
>>>>>>>>>> google
>>>>>>>>>> hit
>>>>>>>>>> on 'xpoweredBy' will enlighten even the most fickle reader.
>>>>>>>>>> 
>>>>>>>>>> Sorry if my opinion just does not fit in on that. Another hour
> of my
>>>>>>>>>> life
>>>>>>>>>> wasted.
>>>>>>>>>> 
>>>>>>>>>> Andy.
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>>>>>>>>> 
>>>>>>>>>>  2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>>>> 
>>>>>>>>>>    Also, for completeness:
>>>>>>>>>>> 
>>>>>>>>>>> xpoweredBy="*false*" activates nothing, if it were
>>>>>>>>>>> 
>>>>>>>>>>>> xpoweredBy="*true*"
>>>>>>>>>>>> then maybe that might just 'activate' whatever it is you think
> is
>>>>>>>>>>>> being
>>>>>>>>>>>> activated here?
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>>   you encourage it by making it on the front of the scene.
>>>>>>>>>>>> 
>>>>>>>>>>>>    server="*Apache TomEE*" merely changes the existing value
> and
>>>>>>>>>>>> 
>>>>>>>>>>> also
>>>>>>>>>>> 
>>>>>>>>>>> 'activates' nothing. I don't see where you think this is a
>>>>>>>>>>> security
>>>>>>>>>>> 
>>>>>>>>>>>> issue?
>>>>>>>>>>>> Happy to learn though, so please point me to the specific code
> that
>>>>>>>>>>>> this
>>>>>>>>>>>> affects?
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>>   it is on by default is not overrided by the app.
>>>>>>>>>>>> 
>>>>>>>>>>>>    Andy.
>>>>>>>>>>>> 
>>>>>>>>>>> On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>>>>>>>> 
>>>>>>>>>>>>   You activated 2 different headers which is useless since we
>>>>>>>>>>>> change
>>>>>>>>>>>> 
>>>>>>>>>>>> serverinfo by default you already get tomee here.
>>>>>>>>>>>> 
>>>>>>>>>>>>> That said this is not the real issue. Doing it is a standard
>>>>>>>>>>>>> security
>>>>>>>>>>>>> issue, that is why it is off by default in tomcat so I
> suggest to
>>>>>>>>>>>>> not
>>>>>>>>>>>>> set
>>>>>>>>>>>>> it on by default
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>>>>>>>> https://github.com/rmannibucau> |
>>>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> |
> Tomitriber
>>>>>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>>>>>>> 
>>>>>>>>>>>>>    Some crawlers are using that header as the evaluation.
>>>>>>>>>>>>> Default
>>>>>>>>>>>>> is
>>>>>>>>>>>>> Apache
>>>>>>>>>>>>> 
>>>>>>>>>>>>>  Tomcat 7.0.x etc and it is always on, so having Apache TomEE
>>>>>>>>>>>>> will
>>>>>>>>>>>>> 
>>>>>>>>>>>>> give
>>>>>>>>>>>>>> us
>>>>>>>>>>>>>> better standing.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Andy.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>    PS (sorry hit enter without wishing it): asking cause I
>>>>>>>>>>>>>> wouldn't
>>>>>>>>>>>>>> have it
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>  on
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> by default as a user
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>>>>>>>>>> https://github.com/rmannibucau> |
>>>>>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> |
> Tomitriber
>>>>>>>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <
>>>>>>>>>>>>>>> rmannibucau@gmail.com
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> :
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>      Hi
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>   What's the goal? We already switch server info,isnt it
>>>>>>>>>>>>>>> enough?
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github
>>>>>>>>>>>>>>>> <https://github.com/rmannibucau> | LinkedIn
>>>>>>>>>>>>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> ---------- Forwarded message ----------
>>>>>>>>>>>>>>>> From: <an...@apache.org>
>>>>>>>>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>>>>>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>>>>>>>>>>> To: commits@tomee.apache.org
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Repository: tomee
>>>>>>>>>>>>>>>> Updated Branches:
>>>>>>>>>>>>>>>>       refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> TomEE header
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>>>>>>>>>>> Commit:
>>>>>>>>>>>>>>>> 
> http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>>>>>>>>>>> Tree:
>>>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>>>>>>>>>>> Diff:
>>>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Branch: refs/heads/master
>>>>>>>>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>>>>>>>>>>> Parents: 2c4047e
>>>>>>>>>>>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
> ----------------------------------------------------------------------
>>>>>>>>>>>>>>>>      .../apache/tomee/RemoteTomEEEJBContainerIT.java
> |  2
>>>>>>>>>>>>>>>> +-
>>>>>>>>>>>>>>>>      .../java/org/apache/tomee/installer/Installer.java |
> 17
>>>>>>>>>>>>>>>> +++++++++++++++++
>>>>>>>>>>>>>>>>      2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
> ----------------------------------------------------------------------
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
> ----------------------------------------------------------------------
>>>>>>>>>>>>>>>> diff --git
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>>> index 70fcf6f..17731b9 100644
>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>>> +++
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>>>>>>>>>>>>                  "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>>>>>>>>>>>>                  "  <Listener
>>>>>>>>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\"
> />\n" +
>>>>>>>>>>>>>>>>                  "  <Service name=\"Catalina\">\n" +
>>>>>>>>>>>>>>>> -            "    <Connector port=\"" + http + "\"
>>>>>>>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>>>>>>>> />\n" +
>>>>>>>>>>>>>>>> +            "    <Connector port=\"" + http + "\"
>>>>>>>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>>>>>>>>>>>>                  "    <Engine name=\"Catalina\"
>>>>>>>>>>>>>>>> defaultHost=\"localhost\">\n" +
>>>>>>>>>>>>>>>>                  "      <Host name=\"localhost\"
>>>>>>>>>>>>>>>> appBase=\"webapps\"\n"
>>>>>>>>>>>>>>>> +
>>>>>>>>>>>>>>>>                  "            unpackWARs=\"true\"
>>>>>>>>>>>>>>>> autoDeploy=\"true\">\n" +
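Review bot: In the changed `<Connector>` line of this test fixture, `xpoweredBy=\"false\"` only restates Tomcat's default, so it changes nothing here, while `server=\"Apache TomEE\"` is added without any check in the visible hunk that a response actually carries that Server header. Either drop the redundant attribute and keep the fixture minimal, or add an assertion on the header so the test documents the behaviour this commit intends.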
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
> ----------------------------------------------------------------------
>>>>>>>>>>>>>>>> diff --git
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>>> index 0308c3d..60bd8f7 100644
>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>>> +++
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>>>>>>>>>>>>> InstallerInterface {
>>>>>>>>>>>>>>>>                  alerts.addError("Error while adding
>>>>>>>>>>>>>>>> listener to
>>>>>>>>>>>>>>>> server.xml
>>>>>>>>>>>>>>>> file", e);
>>>>>>>>>>>>>>>>              }
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> +        //Add TomEE header
>>>>>>>>>>>>>>>> +        try {
>>>>>>>>>>>>>>>> +            newServerXml =
>>>>>>>>>>>>>>>> Installers.replace(serverXmlOriginal,
>>>>>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>>>>>>>> +                    "/>",
>>>>>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
>>>>>>>>>>>>>>>> TomEE\"
>>>>>>>>>>>>>>>> />");
>>>>>>>>>>>>>>>> +
>>>>>>>>>>>>>>>> +            newServerXml =
>>>>>>>>>>>>>>>> Installers.replace(serverXmlOriginal,
>>>>>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>>>>>>>> +                    "/>",
>>>>>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
>>>>>>>>>>>>>>>> TomEE\"
>>>>>>>>>>>>>>>> />");
>>>>>>>>>>>>>>>> +        } catch (final IOException e) {
>>>>>>>>>>>>>>>> +            alerts.addError("Error adding server
> attribute to
>>>>>>>>>>>>>>>> server.xml
>>>>>>>>>>>>>>>> file", e);
>>>>>>>>>>>>>>>> +        }
>>>>>>>>>>>>>>>> +
>>>>>>>>>>>>>>>>              // overwrite server.xml
>>>>>>>>>>>>>>>>              if
>>>>>>>>>>>>>>>> (Installers.writeAll(paths.getServerXmlFile(),
>>>>>>>>>>>>>>>> newServerXml,
>>>>>>>>>>>>>>>> alerts)) {
>>>>>>>>>>>>>>>>                  alerts.addInfo("Add OpenEJB listener to
>>>>>>>>>>>>>>>> server.xml");
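Review bot: Both `Installers.replace(...)` calls in the added try block read from `serverXmlOriginal` and assign to `newServerXml`, so the 8443 call throws away the result of the 8080 call, and both throw away whatever `newServerXml` already held from the code above (the context suggests the listener edit) before `Installers.writeAll(...)` writes it out. Chain the edits by passing the current `newServerXml` into each call. The info alert after the write also still reads "Add OpenEJB listener to server.xml" although the write now covers the connector attributes as well.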


Re: tomee git commit: TomEE header

Posted by Romain Manni-Bucau <rm...@gmail.com>.
On 8 May 2015 11:40, "Mark Struberg" <st...@yahoo.de> wrote:
>
> > you make tomee easily identifiable compared to tomcat (= any java server of
> > the web more or less). This way it is super easy to know that you can
> > exploit a cxf issue for instance, thing you don’t know with default header.
>
> Folks, let's weigh the upsides and downsides
>
> * upside: we show up in stats
>
> * downside: easier to get hacked? WHY?
> All the scripts I do know are really blunt brute force. They f***g don’t
> care about ANY headers. Of course they probably _sort_ their attacks, but
> still they will use ALL vectors they have.
> Brute force attacks are almost never executed from the origin but always
> hidden and executed by a zombie mob of hacked clients. So the origin
> doesn’t care if some old grandma's Win98 PC needs a few seconds longer to
> hack your server.
>

Origin? What is the link? Scanners on AWS are more and more clever. I can't
be sure yet they use resp headers but I wouldn't take the risk in particular
while default profile is used in tomee - dev one.

> So basically it makes no sense to hide the fact that a server is running
> TomEE.
>

Note also it breaks some monitoring tools like wz broke atmosphere changing
server info (mea culpa but nobody said anything :()

>
> LieGrue,
> strub
>
>
>
> > On 08.05.2015 at 00:34, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> >
> > 2015-05-08 0:32 GMT+02:00 Andy <an...@gmx.de>:
> >
> >> Yes yes whatever, you win (not that this was ever intended to be a
> >> competition, you just seem to enjoy making it into one every single
> >> time)... I am going to bed. Complete waste of my time. You still imply that
> >> I have unsecured something?
> >>
> >>
> > you make tomee easily identifiable compared to tomcat (= any java server of
> > the web more or less). This way it is super easy to know that you can
> > exploit a cxf issue for instance, thing you don't know with default header.
> >
> >
> >> On 08/05/2015 00:26, Romain Manni-Bucau wrote:
> >>
> >>> not what I said.
> >>>
> >>> I said:
> >>> 1) over exposing a variable you shouldnt activate is useless
> >>> 2) we shouldnt set Apache TomEE to server variable by default
> >>>
> >>> Happy to replace these defaults by a server.xml.sample or anothing you
> >>> judge appropriated while we stay aligned on tomcat default secured
> >>> settings
> >>> (also note that Apache Coyote is secured cause most of servers have it
> >>> otherwise it would be as Apache TomEE)
> >>>
> >>>
> >>>
> >>>
> >>> Romain Manni-Bucau
> >>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >>> <http://rmannibucau.wordpress.com> | Github <
> >>> https://github.com/rmannibucau> |
> >>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> >>> <http://www.tomitribe.com>
> >>>
> >>> 2015-05-08 0:24 GMT+02:00 Andy <an...@gmx.de>:
> >>>
> >>> Hmm, so why do you want to treat the system administrator like one?
> >>>>
> >>>> On 08/05/2015 00:21, Romain Manni-Bucau wrote:
> >>>>
> >>>> Sure security is all about children...
> >>>>>
> >>>>>
> >>>>> Romain Manni-Bucau
> >>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >>>>> <http://rmannibucau.wordpress.com> | Github <
> >>>>> https://github.com/rmannibucau> |
> >>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> >>>>> <http://www.tomitribe.com>
> >>>>>
> >>>>> 2015-05-08 0:19 GMT+02:00 Andy <an...@gmx.de>:
> >>>>>
> >>>>>  I was just thinking 'Kindergarten', how strange...
> >>>>>
> >>>>>> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
> >>>>>>
> >>>>>>  hmm this answer doesnt make sense for me, I surely miss something
but
> >>>>>>
> >>>>>>> read
> >>>>>>> it like "hey there is this property you can switch on true but if
you
> >>>>>>> google you'll see you shouldn't"
> >>>>>>>
> >>>>>>>
> >>>>>>> Romain Manni-Bucau
> >>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >>>>>>> <http://rmannibucau.wordpress.com> | Github <
> >>>>>>> https://github.com/rmannibucau> |
> >>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> >>>>>>> <http://www.tomitribe.com>
> >>>>>>>
> >>>>>>> 2015-05-08 0:15 GMT+02:00 Andy <an...@gmx.de>:
> >>>>>>>
> >>>>>>>   This is what I said and the reason I changed it. And yes the
> >>>>>>> constants
> >>>>>>>
> >>>>>>> have that for 'server' now, and have also had other values in the
> >>>>>>>> past.
> >>>>>>>>
> >>>>>>>> So to be even more complete and correct myself.... changed it
from
> >>>>>>>> "Apache
> >>>>>>>> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
> >>>>>>>>
> >>>>>>>> @Romain: "you encourage it by making it on the front of the
scene."
> >>>>>>>>
> >>>>>>>> That's like saying I'm encouraging someone to change the 'port',
> >>>>>>>> which
> >>>>>>>> is
> >>>>>>>> also potentially dangerous when put into the hands of an idiot.
> >>>>>>>> I like, and hope, to think that exposing a property would
encourage
> >>>>>>>> someone to look it up before changing it blindly. The very first
> >>>>>>>> google
> >>>>>>>> hit
> >>>>>>>> on 'xpoweredBy' will enlighten even the most fickle reader.
> >>>>>>>>
> >>>>>>>> Sorry if my opinion just does not fit in on that. Another hour
of my
> >>>>>>>> life
> >>>>>>>> wasted.
> >>>>>>>>
> >>>>>>>> Andy.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
> >>>>>>>>
> >>>>>>>>   2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:
> >>>>>>>>
> >>>>>>>>     Also, for completeness:
> >>>>>>>>>
> >>>>>>>>>  xpoweredBy="*false*" activates nothing, if it were
> >>>>>>>>>
> >>>>>>>>>> xpoweredBy="*true*"
> >>>>>>>>>> then maybe that might just 'activate' whatever it is you think
is
> >>>>>>>>>> being
> >>>>>>>>>> activated here?
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>    you encourage it by making it on the front of the scene.
> >>>>>>>>>>
> >>>>>>>>>>     server="*Apache TomEE*" merely changes the existing value
and
> >>>>>>>>>>
> >>>>>>>>> also
> >>>>>>>>>
> >>>>>>>>>  'activates' nothing. I don't see where you think this is a
> >>>>>>>>> security
> >>>>>>>>>
> >>>>>>>>>> issue?
> >>>>>>>>>> Happy to learn though, so please point me to the specific code
that
> >>>>>>>>>> this
> >>>>>>>>>> affects?
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>    it is on by default is not overrided by the app.
> >>>>>>>>>>
> >>>>>>>>>>     Andy.
> >>>>>>>>>>
> >>>>>>>>>  On 07/05/2015 23:21, Romain Manni-Bucau wrote:
> >>>>>>>>>
> >>>>>>>>>>    You activated 2 different headers which is useless since we
> >>>>>>>>>> change
> >>>>>>>>>>
> >>>>>>>>>>  serverinfo by default you already get tomee here.
> >>>>>>>>>>
> >>>>>>>>>>> That said this is not the real issue. Doing it is a standard
> >>>>>>>>>>> security
> >>>>>>>>>>> issue, that is why it is off by default in tomcat so I
suggest to
> >>>>>>>>>>> not
> >>>>>>>>>>> set
> >>>>>>>>>>> it on by default
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> Romain Manni-Bucau
> >>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
> >>>>>>>>>>> https://github.com/rmannibucau> |
> >>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> |
Tomitriber
> >>>>>>>>>>> <http://www.tomitribe.com>
> >>>>>>>>>>>
> >>>>>>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
> >>>>>>>>>>>
> >>>>>>>>>>>     Some crawlers are using that header as the evaluation.
> >>>>>>>>>>> Default
> >>>>>>>>>>> is
> >>>>>>>>>>> Apache
> >>>>>>>>>>>
> >>>>>>>>>>>   Tomcat 7.0.x etc and it is always on, so having Apache TomEE
> >>>>>>>>>>> will
> >>>>>>>>>>>
> >>>>>>>>>>> give
> >>>>>>>>>>>> us
> >>>>>>>>>>>> better standing.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Andy.
> >>>>>>>>>>>>
> >>>>>>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>     PS (sorry hit enter without wishing it): asking cause I
> >>>>>>>>>>>> wouldn't
> >>>>>>>>>>>> have it
> >>>>>>>>>>>>
> >>>>>>>>>>>>   on
> >>>>>>>>>>>>
> >>>>>>>>>>>> by default as a user
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Romain Manni-Bucau
> >>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
> >>>>>>>>>>>>> https://github.com/rmannibucau> |
> >>>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> |
Tomitriber
> >>>>>>>>>>>>> <http://www.tomitribe.com>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <
> >>>>>>>>>>>>> rmannibucau@gmail.com
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>  :
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>>       Hi
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>    What's the goal? We already switch server info,isnt it
> >>>>>>>>>>>>> enough?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>  Romain Manni-Bucau
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github
> >>>>>>>>>>>>>> <https://github.com/rmannibucau> | LinkedIn
> >>>>>>>>>>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> >>>>>>>>>>>>>> <http://www.tomitribe.com>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> ---------- Forwarded message ----------
> >>>>>>>>>>>>>> From: <an...@apache.org>
> >>>>>>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
> >>>>>>>>>>>>>> Subject: tomee git commit: TomEE header
> >>>>>>>>>>>>>> To: commits@tomee.apache.org
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Repository: tomee
> >>>>>>>>>>>>>> Updated Branches:
> >>>>>>>>>>>>>>        refs/heads/master 2c4047e14 -> 268b57c86
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> TomEE header
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
> >>>>>>>>>>>>>> Commit:
> >>>>>>>>>>>>>>
http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
> >>>>>>>>>>>>>> Tree:
> >>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
> >>>>>>>>>>>>>> Diff:
> >>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Branch: refs/heads/master
> >>>>>>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
> >>>>>>>>>>>>>> Parents: 2c4047e
> >>>>>>>>>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
> >>>>>>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
> >>>>>>>>>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
> >>>>>>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
----------------------------------------------------------------------
> >>>>>>>>>>>>>>       .../apache/tomee/RemoteTomEEEJBContainerIT.java
|  2
> >>>>>>>>>>>>>> +-
> >>>>>>>>>>>>>>       .../java/org/apache/tomee/installer/Installer.java |
17
> >>>>>>>>>>>>>> +++++++++++++++++
> >>>>>>>>>>>>>>       2 files changed, 18 insertions(+), 1 deletion(-)
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
----------------------------------------------------------------------
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
----------------------------------------------------------------------
> >>>>>>>>>>>>>> diff --git
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >>>>>>>>>>>>>> index 70fcf6f..17731b9 100644
> >>>>>>>>>>>>>> ---
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >>>>>>>>>>>>>> +++
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >>>>>>>>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
> >>>>>>>>>>>>>>                   "  <!-- TomEE plugin for Tomcat -->\n" +
> >>>>>>>>>>>>>>                   "  <Listener
> >>>>>>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\"
/>\n" +
> >>>>>>>>>>>>>>                   "  <Service name=\"Catalina\">\n" +
> >>>>>>>>>>>>>> -            "    <Connector port=\"" + http + "\"
> >>>>>>>>>>>>>> protocol=\"HTTP/1.1\"
> >>>>>>>>>>>>>> />\n" +
> >>>>>>>>>>>>>> +            "    <Connector port=\"" + http + "\"
> >>>>>>>>>>>>>> protocol=\"HTTP/1.1\"
> >>>>>>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
> >>>>>>>>>>>>>>                   "    <Engine name=\"Catalina\"
> >>>>>>>>>>>>>> defaultHost=\"localhost\">\n" +
> >>>>>>>>>>>>>>                   "      <Host name=\"localhost\"
> >>>>>>>>>>>>>> appBase=\"webapps\"\n"
> >>>>>>>>>>>>>> +
> >>>>>>>>>>>>>>                   "            unpackWARs=\"true\"
> >>>>>>>>>>>>>> autoDeploy=\"true\">\n" +
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
----------------------------------------------------------------------
> >>>>>>>>>>>>>> diff --git
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> >>>>>>>>>>>>>> index 0308c3d..60bd8f7 100644
> >>>>>>>>>>>>>> ---
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> >>>>>>>>>>>>>> +++
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> >>>>>>>>>>>>>> @@ -448,6 +448,23 @@ public class Installer implements
> >>>>>>>>>>>>>> InstallerInterface {
> >>>>>>>>>>>>>>                   alerts.addError("Error while adding
> >>>>>>>>>>>>>> listener to
> >>>>>>>>>>>>>> server.xml
> >>>>>>>>>>>>>> file", e);
> >>>>>>>>>>>>>>               }
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> +        //Add TomEE header
> >>>>>>>>>>>>>> +        try {
> >>>>>>>>>>>>>> +            newServerXml =
> >>>>>>>>>>>>>> Installers.replace(serverXmlOriginal,
> >>>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
> >>>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
> >>>>>>>>>>>>>> +                    "/>",
> >>>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
> >>>>>>>>>>>>>> TomEE\"
> >>>>>>>>>>>>>> />");
> >>>>>>>>>>>>>> +
> >>>>>>>>>>>>>> +            newServerXml =
> >>>>>>>>>>>>>> Installers.replace(serverXmlOriginal,
> >>>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
> >>>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
> >>>>>>>>>>>>>> +                    "/>",
> >>>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
> >>>>>>>>>>>>>> TomEE\"
> >>>>>>>>>>>>>> />");
> >>>>>>>>>>>>>> +        } catch (final IOException e) {
> >>>>>>>>>>>>>> +            alerts.addError("Error adding server
attribute to
> >>>>>>>>>>>>>> server.xml
> >>>>>>>>>>>>>> file", e);
> >>>>>>>>>>>>>> +        }
> >>>>>>>>>>>>>> +
> >>>>>>>>>>>>>>               // overwrite server.xml
> >>>>>>>>>>>>>>               if
> >>>>>>>>>>>>>> (Installers.writeAll(paths.getServerXmlFile(),
> >>>>>>>>>>>>>> newServerXml,
> >>>>>>>>>>>>>> alerts)) {
> >>>>>>>>>>>>>>                   alerts.addInfo("Add OpenEJB listener to
> >>>>>>>>>>>>>> server.xml");
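Review bot: Both added Installers.replace(...) calls take serverXmlOriginal as their input, so the 8443 assignment overwrites newServerXml with a copy that lacks the 8080 change, and anything an earlier step had already put into newServerXml is dropped before Installers.writeAll(paths.getServerXmlFile(), newServerXml, alerts) runs. Pass newServerXml as the first argument to both calls so the edits accumulate. The match strings are also pinned to port="8080" and port="8443", so connectors on other ports are not covered; the "//Add TomEE header" comment should say so.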
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>     --
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>        Andy Gumbrecht
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>        https://twitter.com/AndyGeeDe
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>    --
> >>>>>>>>>>>>
> >>>>>>>>>>>>       Andy Gumbrecht
> >>>>>>>>>>>>
> >>>>>>>>>>>      https://twitter.com/AndyGeeDe
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>   --
> >>>>>>>>>>
> >>>>>>>>>>      Andy Gumbrecht
> >>>>>>>>>
> >>>>>>>>     https://twitter.com/AndyGeeDe
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>  --
> >>>>>>>>
> >>>>>>>    Andy Gumbrecht
> >>>>>>    https://twitter.com/AndyGeeDe
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>   Andy Gumbrecht
> >>>>   https://twitter.com/AndyGeeDe
> >>>>
> >>>>
> >>>>
> >> --
> >>  Andy Gumbrecht
> >>  https://twitter.com/AndyGeeDe
> >>
> >>
>

Re: tomee git commit: TomEE header

Posted by Mark Struberg <st...@yahoo.de>.
> you make tomee easily identifiable compared to tomcat (= any java server of
> the web more or less). This way it is super easy to know that you can
> exploit a cxf issue for instance, thing you don’t know with default header.

Folks, let's weigh the upsides and downsides

* upside: we show up in stats

* downside: easier to get hacked? WHY? 
All the scripts I do know are really blunt brute force. They f***g don’t care about ANY headers. Of course they probably _sort_ their attacks, but still they will use ALL vectors they have. 
Brute force attacks are almost never executed from the origin but always hidden and executed by a zombie mob of hacked clients. So the origin doesn’t care if some old grandma's Win98 PC needs a few seconds longer to hack your server.

So basically it makes no sense to hide the fact that a server is running TomEE. 


LieGrue,
strub



> Am 08.05.2015 um 00:34 schrieb Romain Manni-Bucau <rm...@gmail.com>:
> 
> 2015-05-08 0:32 GMT+02:00 Andy <an...@gmx.de>:
> 
>> Yes yes whatever, you win (not that this was ever intended to be a
>> competition, you just seem to enjoy making it into one every single
>> time)... I am going to bed. Complete waste of my time. You still imply that
>> I have unsecured something?
>> 
>> 
> you make tomee easily identifiable compared to tomcat (= any java server of
> the web more or less). This way it is super easy to know that you can
> exploit a cxf issue for instance, thing you don't know with default header.
> 
> 
>> On 08/05/2015 00:26, Romain Manni-Bucau wrote:
>> 
>>> not what I said.
>>> 
>>> I said:
>>> 1) over exposing a variable you shouldn't activate is useless
>>> 2) we shouldn't set Apache TomEE to server variable by default
>>>
>>> Happy to replace these defaults by a server.xml.sample or anything you
>>> judge appropriate while we stay aligned on tomcat default secured
>>> settings
>>> (also note that Apache Coyote is secured cause most of servers have it
>>> otherwise it would be as Apache TomEE)
>>> 
>>> 
>>> 
>>> 
>>> Romain Manni-Bucau
>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>> <http://rmannibucau.wordpress.com> | Github <
>>> https://github.com/rmannibucau> |
>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>> <http://www.tomitribe.com>
>>> 
>>> 2015-05-08 0:24 GMT+02:00 Andy <an...@gmx.de>:
>>> 
>>> Hmm, so why do you want to treat the system administrator like one?
>>>> 
>>>> On 08/05/2015 00:21, Romain Manni-Bucau wrote:
>>>> 
>>>> Sure security is all about children...
>>>>> 
>>>>> 
>>>>> Romain Manni-Bucau
>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>> https://github.com/rmannibucau> |
>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>> <http://www.tomitribe.com>
>>>>> 
>>>>> 2015-05-08 0:19 GMT+02:00 Andy <an...@gmx.de>:
>>>>> 
>>>>>  I was just thinking 'Kindergarten', how strange...
>>>>> 
>>>>>> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
>>>>>> 
>>>>>>  hmm this answer doesn't make sense for me, I surely miss something but
>>>>>> 
>>>>>>> read
>>>>>>> it like "hey there is this property you can switch on true but if you
>>>>>>> google you'll see you shouldn't"
>>>>>>> 
>>>>>>> 
>>>>>>> Romain Manni-Bucau
>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>> https://github.com/rmannibucau> |
>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>> <http://www.tomitribe.com>
>>>>>>> 
>>>>>>> 2015-05-08 0:15 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>> 
>>>>>>>   This is what I said and the reason I changed it. And yes the
>>>>>>> constants
>>>>>>> 
>>>>>>> have that for 'server' now, and have also had other values in the
>>>>>>>> past.
>>>>>>>> 
>>>>>>>> So to be even more complete and correct myself.... changed it from
>>>>>>>> "Apache
>>>>>>>> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>>>>>>> 
>>>>>>>> @Romain: "you encourage it by making it on the front of the scene."
>>>>>>>> 
>>>>>>>> That's like saying I'm encouraging someone to change the 'port',
>>>>>>>> which
>>>>>>>> is
>>>>>>>> also potentially dangerous when put into the hands of an idiot.
>>>>>>>> I like, and hope, to think that exposing a property would encourage
>>>>>>>> someone to look it up before changing it blindly. The very first
>>>>>>>> google
>>>>>>>> hit
>>>>>>>> on 'xpoweredBy' will enlighten even the most fickle reader.
>>>>>>>> 
>>>>>>>> Sorry if my opinion just does not fit in on that. Another hour of my
>>>>>>>> life
>>>>>>>> wasted.
>>>>>>>> 
>>>>>>>> Andy.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>>>>>>> 
>>>>>>>>   2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>> 
>>>>>>>>     Also, for completeness:
>>>>>>>>> 
>>>>>>>>>  xpoweredBy="*false*" activates nothing, if it were
>>>>>>>>> 
>>>>>>>>>> xpoweredBy="*true*"
>>>>>>>>>> then maybe that might just 'activate' whatever it is you think is
>>>>>>>>>> being
>>>>>>>>>> activated here?
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>>    you encourage it by making it on the front of the scene.
>>>>>>>>>> 
>>>>>>>>>>     server="*Apache TomEE*" merely changes the existing value and
>>>>>>>>>> 
>>>>>>>>> also
>>>>>>>>> 
>>>>>>>>>  'activates' nothing. I don't see where you think this is a
>>>>>>>>> security
>>>>>>>>> 
>>>>>>>>>> issue?
>>>>>>>>>> Happy to learn though, so please point me to the specific code that
>>>>>>>>>> this
>>>>>>>>>> affects?
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>>    it is on by default is not overridden by the app.
>>>>>>>>>> 
>>>>>>>>>>     Andy.
>>>>>>>>>> 
>>>>>>>>>  On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>>>>>> 
>>>>>>>>>>    You activated 2 different headers which is useless since we
>>>>>>>>>> change
>>>>>>>>>> 
>>>>>>>>>>  serverinfo by default you already get tomee here.
>>>>>>>>>> 
>>>>>>>>>>> That said this is not the real issue. Doing it is a standard
>>>>>>>>>>> security
>>>>>>>>>>> issue, that is why it is off by default in tomcat so I suggest to
>>>>>>>>>>> not
>>>>>>>>>>> set
>>>>>>>>>>> it on by default
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>>>>>> https://github.com/rmannibucau> |
>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>>>> 
>>>>>>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>>>>> 
>>>>>>>>>>>     Some crawlers are using that header as the evaluation.
>>>>>>>>>>> Default
>>>>>>>>>>> is
>>>>>>>>>>> Apache
>>>>>>>>>>> 
>>>>>>>>>>>   Tomcat 7.0.x etc and it is always on, so having Apache TomEE
>>>>>>>>>>> will
>>>>>>>>>>> 
>>>>>>>>>>> give
>>>>>>>>>>>> us
>>>>>>>>>>>> better standing.
>>>>>>>>>>>> 
>>>>>>>>>>>> Andy.
>>>>>>>>>>>> 
>>>>>>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>>     PS (sorry hit enter without wishing it): asking cause I
>>>>>>>>>>>> wouldn't
>>>>>>>>>>>> have it
>>>>>>>>>>>> 
>>>>>>>>>>>>   on
>>>>>>>>>>>> 
>>>>>>>>>>>> by default as a user
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>>>>>>>> https://github.com/rmannibucau> |
>>>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <
>>>>>>>>>>>>> rmannibucau@gmail.com
>>>>>>>>>>>>> 
>>>>>>>>>>>>>  :
>>>>>>>>>>>>> 
>>>>>>>>>>>>>>       Hi
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>    What's the goal? We already switch server info, isn't it
>>>>>>>>>>>>> enough?
>>>>>>>>>>>>> 
>>>>>>>>>>>>>  Romain Manni-Bucau
>>>>>>>>>>>>> 
>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github
>>>>>>>>>>>>>> <https://github.com/rmannibucau> | LinkedIn
>>>>>>>>>>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> ---------- Forwarded message ----------
>>>>>>>>>>>>>> From: <an...@apache.org>
>>>>>>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>>>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>>>>>>>>> To: commits@tomee.apache.org
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Repository: tomee
>>>>>>>>>>>>>> Updated Branches:
>>>>>>>>>>>>>>        refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> TomEE header
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>>>>>>>>> Commit:
>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>>>>>>>>> Tree:
>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>>>>>>>>> Diff:
>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Branch: refs/heads/master
>>>>>>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>>>>>>>>> Parents: 2c4047e
>>>>>>>>>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>>       .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2
>>>>>>>>>>>>>> +-
>>>>>>>>>>>>>>       .../java/org/apache/tomee/installer/Installer.java | 17
>>>>>>>>>>>>>> +++++++++++++++++
>>>>>>>>>>>>>>       2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>> diff --git
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>> index 70fcf6f..17731b9 100644
>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>> +++
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>>>>>>>>>>                   "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>>>>>>>>>>                   "  <Listener
>>>>>>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>>>>>>>>>>>                   "  <Service name=\"Catalina\">\n" +
>>>>>>>>>>>>>> -            "    <Connector port=\"" + http + "\"
>>>>>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>>>>>> />\n" +
>>>>>>>>>>>>>> +            "    <Connector port=\"" + http + "\"
>>>>>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>>>>>>>>>>                   "    <Engine name=\"Catalina\"
>>>>>>>>>>>>>> defaultHost=\"localhost\">\n" +
>>>>>>>>>>>>>>                   "      <Host name=\"localhost\"
>>>>>>>>>>>>>> appBase=\"webapps\"\n"
>>>>>>>>>>>>>> +
>>>>>>>>>>>>>>                   "            unpackWARs=\"true\"
>>>>>>>>>>>>>> autoDeploy=\"true\">\n" +
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>> diff --git
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>> index 0308c3d..60bd8f7 100644
>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>> +++
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>>>>>>>>>>> InstallerInterface {
>>>>>>>>>>>>>>                   alerts.addError("Error while adding
>>>>>>>>>>>>>> listener to
>>>>>>>>>>>>>> server.xml
>>>>>>>>>>>>>> file", e);
>>>>>>>>>>>>>>               }
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> +        //Add TomEE header
>>>>>>>>>>>>>> +        try {
>>>>>>>>>>>>>> +            newServerXml =
>>>>>>>>>>>>>> Installers.replace(serverXmlOriginal,
>>>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>>>>>> +                    "/>",
>>>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
>>>>>>>>>>>>>> TomEE\"
>>>>>>>>>>>>>> />");
>>>>>>>>>>>>>> +
>>>>>>>>>>>>>> +            newServerXml =
>>>>>>>>>>>>>> Installers.replace(serverXmlOriginal,
>>>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>>>>>> +                    "/>",
>>>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
>>>>>>>>>>>>>> TomEE\"
>>>>>>>>>>>>>> />");
>>>>>>>>>>>>>> +        } catch (final IOException e) {
>>>>>>>>>>>>>> +            alerts.addError("Error adding server attribute to
>>>>>>>>>>>>>> server.xml
>>>>>>>>>>>>>> file", e);
>>>>>>>>>>>>>> +        }
>>>>>>>>>>>>>> +
>>>>>>>>>>>>>>               // overwrite server.xml
>>>>>>>>>>>>>>               if
>>>>>>>>>>>>>> (Installers.writeAll(paths.getServerXmlFile(),
>>>>>>>>>>>>>> newServerXml,
>>>>>>>>>>>>>> alerts)) {
>>>>>>>>>>>>>>                   alerts.addInfo("Add OpenEJB listener to
>>>>>>>>>>>>>> server.xml");
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>     --
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>        Andy Gumbrecht
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>        https://twitter.com/AndyGeeDe
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>>    --
>>>>>>>>>>>> 
>>>>>>>>>>>>       Andy Gumbrecht
>>>>>>>>>>>> 
>>>>>>>>>>>      https://twitter.com/AndyGeeDe
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>>   --
>>>>>>>>>> 
>>>>>>>>>>      Andy Gumbrecht
>>>>>>>>> 
>>>>>>>>     https://twitter.com/AndyGeeDe
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>>  --
>>>>>>>> 
>>>>>>>    Andy Gumbrecht
>>>>>>    https://twitter.com/AndyGeeDe
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> --
>>>>   Andy Gumbrecht
>>>>   https://twitter.com/AndyGeeDe
>>>> 
>>>> 
>>>> 
>> --
>>  Andy Gumbrecht
>>  https://twitter.com/AndyGeeDe
>> 
>> 
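
Added example (not part of any message in this thread and not TomEE code): a small audit, in Python, of the two Connector attributes the thread argues about, reporting per connector whether the Server banner names the product and whether X-Powered-By is on. The sample server.xml is constructed, and the generic banner value is the one quoted in the thread, treated here as an assumption.

```python
import xml.etree.ElementTree as ET

# Banner the thread gives as the stock value when a Connector has no `server`
# attribute (taken from the discussion as an assumption, not from Tomcat code).
GENERIC_BANNER = "Apache Coyote/1.1"

# Constructed sample: 8080 as the commit in this thread writes it, 8443 left
# at its defaults, 9090 with xpoweredBy switched on by hand.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               xpoweredBy="false" server="Apache TomEE" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
    <Connector port="9090" protocol="HTTP/1.1" xpoweredBy="true" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""


def is_true(value):
    """Connector booleans are written as text; anything but 'true' is off."""
    return value is not None and value.strip().lower() == "true"


def audit_connectors(server_xml, generic_banner=GENERIC_BANNER):
    """Return one finding per <Connector>: what its config makes it advertise."""
    root = ET.fromstring(server_xml.strip())
    findings = []
    for conn in root.iter("Connector"):
        explicit = (conn.get("server") or "").strip()
        banner = explicit or generic_banner
        raw_xpb = conn.get("xpoweredBy")
        findings.append({
            "port": conn.get("port"),
            "server_header": banner,
            # True when the banner separates this host from the generic crowd.
            "names_product": banner.lower() != generic_banner.lower(),
            "x_powered_by": is_true(raw_xpb),
            # xpoweredBy="false" spelled out: no header, but the knob is visible.
            "xpoweredby_restates_default": raw_xpb is not None
                                           and not is_true(raw_xpb),
        })
    return findings


def ports_naming_product(findings):
    """Ports whose Server header identifies the product rather than the default."""
    return [f["port"] for f in findings if f["names_product"]]


def report(findings):
    """One human-readable line per connector, for a config review."""
    lines = []
    for f in findings:
        notes = []
        if f["names_product"]:
            notes.append("Server header names the product")
        if f["x_powered_by"]:
            notes.append("X-Powered-By enabled")
        if f["xpoweredby_restates_default"]:
            notes.append("xpoweredBy=false is explicit (same as default)")
        lines.append("port %s: Server=%r; %s" % (
            f["port"], f["server_header"],
            ", ".join(notes) or "generic banner only"))
    return lines


if __name__ == "__main__":
    for line in report(audit_connectors(SAMPLE_SERVER_XML)):
        print(line)
```

Run against a real conf/server.xml, the report gives an administrator the facts both sides of the thread are arguing from before deciding which banner to keep.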


Re: tomee git commit: TomEE header

Posted by Andy <an...@gmx.de>.
...and you're still insinuating that I don't read, and have compromised 
security in some way? It's just incredible how you do that!

You say you changed the server info to TomEE. Yet you look at this in 
some other light? You also suggest that people who read properties in 
configuration files of a server system are in some way stupid and should 
therefore not be presented with options to research - I could almost go 
with you on that one if the presented attribute was set to an insecure 
value. I still prefer to think that others are capable of 'also' reading 
security-related information.

You insist across several mails that I am wrong about the 'server' 
attribute and your eventual insight is a simple 'oops', and yes I agree 
that 'Apache Coyote/1.1' was my mistake. However, the intention of 
changing that to 'Apache TomEE' is not to serve myself in some way. The 
purpose of that is to specifically advertise the use of Apache TomEE 
when being trawled. This is in absolutely no way different than every 
other server on the global market! I strongly believe that Apache TomEE 
should be advertising itself in this way, else it will not be mentioned 
in statistics. Groups collect this information and publish it on sites 
across the globe - That is free advertising on a global scale, you just 
can't buy that.

You suggest that 'Apache TomEE' is broken and that hackers will see this 
as an invite to attack specific elements offered by certain TomEE 
distributions. I would suggest that a malicious hacker is quite capable 
of researching the responses of any server that they choose to attack 
regardless of the distributor, else they are not a malicious hacker.

Very sorry that you see this as some kind of massive security breach? So 
please feel free to revert those changes. Last words on the subject.

Andy.

Ping....


On 08/05/2015 00:43, Romain Manni-Bucau wrote:
> ...just read security documents you'll realize I don't. The
> minimumerrorvalve was not created for fun just to remove tomcat string from
> error pages!
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> 2015-05-08 0:41 GMT+02:00 Andy <an...@gmx.de>:
>
>> You're kidding right. Now you're clutching straws..... oh yea, let's add
>> the TomEE Plus. :-D
>>
>> Night.
>>
>>
>> On 08/05/2015 00:34, Romain Manni-Bucau wrote:
>>
>>> 2015-05-08 0:32 GMT+02:00 Andy <an...@gmx.de>:
>>>
>>>   Yes yes whatever, you win (not that this was ever intended to be a
>>>> competition, you just seem to enjoy making it into one every single
>>>> time)... I am going to bed. Complete waste of my time. You still imply
>>>> that
>>>> I have unsecured something?
>>>>
>>>>
>>>>   you make tomee easily identifiable compared to tomcat (= any java
>>> server of
>>> the web more or less). This way it is super easy to know that you can
>>> exploit a cxf issue for instance, thing you don't know with default
>>> header.
>>>
>>>
>>>   On 08/05/2015 00:26, Romain Manni-Bucau wrote:
>>>>   not what I said.
>>>>> I said:
>>>>> 1) over exposing a variable you shouldn't activate is useless
>>>>> 2) we shouldn't set Apache TomEE to server variable by default
>>>>>
>>>>> Happy to replace these defaults by a server.xml.sample or anything you
>>>>> judge appropriate while we stay aligned on tomcat default secured
>>>>> settings
>>>>> (also note that Apache Coyote is secured cause most of servers have it
>>>>> otherwise it would be as Apache TomEE)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Romain Manni-Bucau
>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>> https://github.com/rmannibucau> |
>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>> <http://www.tomitribe.com>
>>>>>
>>>>> 2015-05-08 0:24 GMT+02:00 Andy <an...@gmx.de>:
>>>>>
>>>>>    Hmm, so why do you want to treat the system administrator like one?
>>>>>
>>>>>> On 08/05/2015 00:21, Romain Manni-Bucau wrote:
>>>>>>
>>>>>>    Sure security is all about children...
>>>>>>
>>>>>>> Romain Manni-Bucau
>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>> https://github.com/rmannibucau> |
>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>> <http://www.tomitribe.com>
>>>>>>>
>>>>>>> 2015-05-08 0:19 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>
>>>>>>>     I was just thinking 'Kindergarten', how strange...
>>>>>>>
>>>>>>>   On 08/05/2015 00:17, Romain Manni-Bucau wrote:
>>>>>>>>     hmm this answer doesn't make sense for me, I surely miss something
>>>>>>>> but
>>>>>>>>
>>>>>>>>   read
>>>>>>>>> it like "hey there is this property you can switch on true but if
>>>>>>>>> you
>>>>>>>>> google you'll see you shouldn't"
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Romain Manni-Bucau
>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>>>> https://github.com/rmannibucau> |
>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>>
>>>>>>>>> 2015-05-08 0:15 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>>>
>>>>>>>>>      This is what I said and the reason I changed it. And yes the
>>>>>>>>> constants
>>>>>>>>>
>>>>>>>>>    have that for 'server' now, and have also had other values in the
>>>>>>>>>
>>>>>>>>>> past.
>>>>>>>>>>
>>>>>>>>>> So to be even more complete and correct myself.... changed it from
>>>>>>>>>> "Apache
>>>>>>>>>> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>>>>>>>>>
>>>>>>>>>> @Romain: "you encourage it by making it on the front of the scene."
>>>>>>>>>>
>>>>>>>>>> That's like saying I'm encouraging someone to change the 'port',
>>>>>>>>>> which
>>>>>>>>>> is
>>>>>>>>>> also potentially dangerous when put into the hands of an idiot.
>>>>>>>>>> I like, and hope, to think that exposing a property would encourage
>>>>>>>>>> someone to look it up before changing it blindly. The very first
>>>>>>>>>> google
>>>>>>>>>> hit
>>>>>>>>>> on 'xpoweredBy' will enlighten even the most fickle reader.
>>>>>>>>>>
>>>>>>>>>> Sorry if my opinion just does not fit in on that. Another hour of
>>>>>>>>>> my
>>>>>>>>>> life
>>>>>>>>>> wasted.
>>>>>>>>>>
>>>>>>>>>> Andy.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>>>>>>>>>
>>>>>>>>>>      2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>>>>
>>>>>>>>>>        Also, for completeness:
>>>>>>>>>>
>>>>>>>>>>>     xpoweredBy="*false*" activates nothing, if it were
>>>>>>>>>>>
>>>>>>>>>>>   xpoweredBy="*true*"
>>>>>>>>>>>> then maybe that might just 'activate' whatever it is you think is
>>>>>>>>>>>> being
>>>>>>>>>>>> activated here?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>       you encourage it by making it on the front of the scene.
>>>>>>>>>>>>
>>>>>>>>>>>>        server="*Apache TomEE*" merely changes the existing value
>>>>>>>>>>>> and
>>>>>>>>>>>>
>>>>>>>>>>>>   also
>>>>>>>>>>>     'activates' nothing. I don't see where you think this is a
>>>>>>>>>>> security
>>>>>>>>>>>
>>>>>>>>>>>   issue?
>>>>>>>>>>>> Happy to learn though, so please point me to the specific code
>>>>>>>>>>>> that
>>>>>>>>>>>> this
>>>>>>>>>>>> affects?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>       it is on by default is not overridden by the app.
>>>>>>>>>>>>
>>>>>>>>>>>>        Andy.
>>>>>>>>>>>>
>>>>>>>>>>>>      On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>>>>>>>>        You activated 2 different headers which is useless since we
>>>>>>>>>>>> change
>>>>>>>>>>>>
>>>>>>>>>>>>     serverinfo by default you already get tomee here.
>>>>>>>>>>>>
>>>>>>>>>>>>   That said this is not the real issue. Doing it is a standard
>>>>>>>>>>>>> security
>>>>>>>>>>>>> issue, that is why it is off by default in tomcat so I suggest
>>>>>>>>>>>>> to
>>>>>>>>>>>>> not
>>>>>>>>>>>>> set
>>>>>>>>>>>>> it on by default
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>>>>>>>> https://github.com/rmannibucau> |
>>>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>>>>>>>
>>>>>>>>>>>>>        Some crawlers are using that header as the evaluation.
>>>>>>>>>>>>> Default
>>>>>>>>>>>>> is
>>>>>>>>>>>>> Apache
>>>>>>>>>>>>>
>>>>>>>>>>>>>      Tomcat 7.0.x etc and it is always on, so having Apache TomEE
>>>>>>>>>>>>> will
>>>>>>>>>>>>>
>>>>>>>>>>>>>    give
>>>>>>>>>>>>>
>>>>>>>>>>>>>> us
>>>>>>>>>>>>>> better standing.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Andy.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>        PS (sorry hit enter without wishing it): asking cause I
>>>>>>>>>>>>>> wouldn't
>>>>>>>>>>>>>> have it
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>      on
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>    by default as a user
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>>>>>>>>>> https://github.com/rmannibucau> |
>>>>>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> |
>>>>>>>>>>>>>>> Tomitriber
>>>>>>>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <
>>>>>>>>>>>>>>> rmannibucau@gmail.com
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>     :
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>           Hi
>>>>>>>>>>>>>>>>        What's the goal? We already switch server info, isn't it
>>>>>>>>>>>>>>> enough?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>     Romain Manni-Bucau
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>   @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github
>>>>>>>>>>>>>>>> <https://github.com/rmannibucau> | LinkedIn
>>>>>>>>>>>>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ---------- Forwarded message ----------
>>>>>>>>>>>>>>>> From: <an...@apache.org>
>>>>>>>>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>>>>>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>>>>>>>>>>> To: commits@tomee.apache.org
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Repository: tomee
>>>>>>>>>>>>>>>> Updated Branches:
>>>>>>>>>>>>>>>>           refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> TomEE header
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>>>>>>>>>>> Commit:
>>>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>>>>>>>>>>> Tree:
>>>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>>>>>>>>>>> Diff:
>>>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Branch: refs/heads/master
>>>>>>>>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>>>>>>>>>>> Parents: 2c4047e
>>>>>>>>>>>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>>>>          .../apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>>> |  2
>>>>>>>>>>>>>>>> +-
>>>>>>>>>>>>>>>>          .../java/org/apache/tomee/installer/Installer.java |
>>>>>>>>>>>>>>>> 17
>>>>>>>>>>>>>>>> +++++++++++++++++
>>>>>>>>>>>>>>>>          2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>>>> diff --git
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>>> index 70fcf6f..17731b9 100644
>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>>> +++
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>>>>>>>>>>>>                      "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>>>>>>>>>>>>                      "  <Listener
>>>>>>>>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n"
>>>>>>>>>>>>>>>> +
>>>>>>>>>>>>>>>>                      "  <Service name=\"Catalina\">\n" +
>>>>>>>>>>>>>>>> -            "    <Connector port=\"" + http + "\"
>>>>>>>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>>>>>>>> />\n" +
>>>>>>>>>>>>>>>> +            "    <Connector port=\"" + http + "\"
>>>>>>>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>>>>>>>>>>>>                      "    <Engine name=\"Catalina\"
>>>>>>>>>>>>>>>> defaultHost=\"localhost\">\n" +
>>>>>>>>>>>>>>>>                      "      <Host name=\"localhost\"
>>>>>>>>>>>>>>>> appBase=\"webapps\"\n"
>>>>>>>>>>>>>>>> +
>>>>>>>>>>>>>>>>                      "            unpackWARs=\"true\"
>>>>>>>>>>>>>>>> autoDeploy=\"true\">\n" +
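Review bot: `xpoweredBy=\"false\"` on the added Connector line is redundant, since false is already Tomcat's default for that attribute, so the only effective change here is `server=\"Apache TomEE\"`. If the test's server.xml is meant to cover that banner, add an assertion on the response's Server header; otherwise leave the attribute out of the test so it does not suggest the value is verified.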
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>>>> diff --git
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>>> index 0308c3d..60bd8f7 100644
>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>>> +++
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>>>>>>>>>>>>> InstallerInterface {
>>>>>>>>>>>>>>>>                      alerts.addError("Error while adding
>>>>>>>>>>>>>>>> listener to
>>>>>>>>>>>>>>>> server.xml
>>>>>>>>>>>>>>>> file", e);
>>>>>>>>>>>>>>>>                  }
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> +        //Add TomEE header
>>>>>>>>>>>>>>>> +        try {
>>>>>>>>>>>>>>>> +            newServerXml =
>>>>>>>>>>>>>>>> Installers.replace(serverXmlOriginal,
>>>>>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>>>>>>>> +                    "/>",
>>>>>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
>>>>>>>>>>>>>>>> TomEE\"
>>>>>>>>>>>>>>>> />");
>>>>>>>>>>>>>>>> +
>>>>>>>>>>>>>>>> +            newServerXml =
>>>>>>>>>>>>>>>> Installers.replace(serverXmlOriginal,
>>>>>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>>>>>>>> +                    "/>",
>>>>>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
>>>>>>>>>>>>>>>> TomEE\"
>>>>>>>>>>>>>>>> />");
>>>>>>>>>>>>>>>> +        } catch (final IOException e) {
>>>>>>>>>>>>>>>> +            alerts.addError("Error adding server attribute
>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>> server.xml
>>>>>>>>>>>>>>>> file", e);
>>>>>>>>>>>>>>>> +        }
>>>>>>>>>>>>>>>> +
>>>>>>>>>>>>>>>>                  // overwrite server.xml
>>>>>>>>>>>>>>>>                  if
>>>>>>>>>>>>>>>> (Installers.writeAll(paths.getServerXmlFile(),
>>>>>>>>>>>>>>>> newServerXml,
>>>>>>>>>>>>>>>> alerts)) {
>>>>>>>>>>>>>>>>                      alerts.addInfo("Add OpenEJB listener to
>>>>>>>>>>>>>>>> server.xml");
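Review bot: Both added `Installers.replace(...)` calls read from `serverXmlOriginal` and assign to `newServerXml`, so the 8443 call throws away the result of the 8080 call, and if the listener step above also stored its result in `newServerXml`, that edit is lost too before `writeAll` runs. Feed `newServerXml` into each call instead. The match strings are hard-coded to ports 8080 and 8443, so a connector on any other port is silently left alone, and the `addInfo` message after `writeAll` still mentions only the listener; either report the header change as well or log when no connector matched.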
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>

-- 
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe
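
The disagreement in this thread is about what the connector's `server` and `xpoweredBy` attributes disclose in response headers. As an added example (not part of the thread or of the TomEE code base), this Python script audits a server.xml for connectors that set either one; the sample file, the `Finding` type and the function name are constructed for illustration, and the attribute values on port 8080 are the ones from the commit.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, NamedTuple

# Constructed sample server.xml. Port 8080 carries the attributes from the
# commit; the other connectors are made up to exercise each branch.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" xpoweredBy="false" server="Apache TomEE" />
    <!-- <Connector port="8443" protocol="HTTP/1.1" xpoweredBy="true" /> -->
    <Connector port="8009" protocol="AJP/1.3" />
    <Connector port="8081" protocol="HTTP/1.1" xpoweredBy="true" />
    <Connector port="8082" protocol="HTTP/1.1" server="ExampleServer/7.0" />
  </Service>
</Server>
"""


class Finding(NamedTuple):
    port: str
    attribute: str
    value: str
    note: str


# A dotted number such as 7.0 or 1.1 in a banner narrows it to a release line.
_VERSION = re.compile(r"\d+(?:\.\d+)+")


def audit_connectors(server_xml: str) -> List[Finding]:
    """Report every <Connector> that sets a product-identifying header attribute."""
    # The default parser drops XML comments, so commented-out connectors
    # (like 8443 in the sample) are not reported.
    root = ET.fromstring(server_xml)
    findings: List[Finding] = []
    for conn in root.iter("Connector"):
        port = conn.get("port", "(unset)")

        # `server` overrides the Server response header for this connector.
        server = (conn.get("server") or "").strip()
        if server:
            if _VERSION.search(server):
                note = "Server header names product and version"
            else:
                note = "Server header names product"
            findings.append(Finding(port, "server", server, note))

        # `xpoweredBy` defaults to false; only an explicit true adds the header.
        if (conn.get("xpoweredBy") or "").strip().lower() == "true":
            findings.append(
                Finding(port, "xpoweredBy", "true", "X-Powered-By header is sent")
            )
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {f.port}: {f.attribute}={f.value!r} ({f.note})")
```
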


Re: tomee git commit: TomEE header

Posted by Romain Manni-Bucau <rm...@gmail.com>.
...just read security documents you'll realize I don't. The
minimumerrorvalve was not created for fun just to remove tomcat string from
error pages!


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-05-08 0:41 GMT+02:00 Andy <an...@gmx.de>:

> You're kidding right. Now you're clutching straws..... oh yea, let's add
> the TomEE Plus. :-D
>
> Night.
>
>
> On 08/05/2015 00:34, Romain Manni-Bucau wrote:
>
>> 2015-05-08 0:32 GMT+02:00 Andy <an...@gmx.de>:
>>
>>  Yes yes whatever, you win (not that this was ever intended to be a
>>> competition, you just seem to enjoy making it into one every single
>>> time)... I am going to bed. Complete waste of my time. You still imply
>>> that
>>> I have unsecured something?
>>>
>>>
>>>  you make tomee easily identifiable compared to tomcat (= any java
>> server of
>> the web more or less). This way it is super easy to know that you can
>> exploit a cxf issue for instance, thing you don't know with default
>> header.
>>
>>
>>  On 08/05/2015 00:26, Romain Manni-Bucau wrote:
>>>
>>>  not what I said.
>>>>
>>>> I said:
>>>> 1) over exposing a variable you shouldn't activate is useless
>>>> 2) we shouldn't set Apache TomEE to server variable by default
>>>>
>>>> Happy to replace these defaults by a server.xml.sample or anything you
>>>> judge appropriate while we stay aligned on tomcat default secured
>>>> settings
>>>> (also note that Apache Coyote is secured cause most of servers have it
>>>> otherwise it would be as Apache TomEE)
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2015-05-08 0:24 GMT+02:00 Andy <an...@gmx.de>:
>>>>
>>>>   Hmm, so why do you want to treat the system administrator like one?
>>>>
>>>>> On 08/05/2015 00:21, Romain Manni-Bucau wrote:
>>>>>
>>>>>   Sure security is all about children...
>>>>>
>>>>>>
>>>>>>
>>>>>> 2015-05-08 0:19 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>
>>>>>>    I was just thinking 'Kindergarten', how strange...
>>>>>>
>>>>>>  On 08/05/2015 00:17, Romain Manni-Bucau wrote:
>>>>>>>
>>>>>>>    hmm this answer doesn't make sense for me, I surely miss something
>>>>>>> but
>>>>>>>
>>>>>>>  read
>>>>>>>> it like "hey there is this property you can switch on true but if
>>>>>>>> you
>>>>>>>> google you'll see you shouldn't"
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-05-08 0:15 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>>
>>>>>>>>     This is what I said and the reason I changed it. And yes the
>>>>>>>> constants
>>>>>>>>
>>>>>>>>   have that for 'server' now, and have also had other values in the
>>>>>>>>
>>>>>>>>> past.
>>>>>>>>>
>>>>>>>>> So to be even more complete and correct myself.... changed it from
>>>>>>>>> "Apache
>>>>>>>>> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>>>>>>>>
>>>>>>>>> @Romain: "you encourage it by making it on the front of the scene."
>>>>>>>>>
>>>>>>>>> That's like saying I'm encouraging someone to change the 'port',
>>>>>>>>> which
>>>>>>>>> is
>>>>>>>>> also potentially dangerous when put into the hands of an idiot.
>>>>>>>>> I like, and hope, to think that exposing a property would encourage
>>>>>>>>> someone to look it up before changing it blindly. The very first
>>>>>>>>> google
>>>>>>>>> hit
>>>>>>>>> on 'xpoweredBy' will enlighten even the most fickle reader.
>>>>>>>>>
>>>>>>>>> Sorry if my opinion just does not fit in on that. Another hour of
>>>>>>>>> my
>>>>>>>>> life
>>>>>>>>> wasted.
>>>>>>>>>
>>>>>>>>> Andy.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>>>>>>>>
>>>>>>>>>     2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>>>
>>>>>>>>>       Also, for completeness:
>>>>>>>>>
>>>>>>>>>>    xpoweredBy="*false*" activates nothing, if it were
>>>>>>>>>>
>>>>>>>>>>  xpoweredBy="*true*"
>>>>>>>>>>> then maybe that might just 'activate' whatever it is you think is
>>>>>>>>>>> being
>>>>>>>>>>> activated here?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>      you encourage it by making it on the front of the scene.
>>>>>>>>>>>
>>>>>>>>>>>       server="*Apache TomEE*" merely changes the existing value
>>>>>>>>>>> and
>>>>>>>>>>>
>>>>>>>>>>>  also
>>>>>>>>>>
>>>>>>>>>>    'activates' nothing. I don't see where you think this is a
>>>>>>>>>> security
>>>>>>>>>>
>>>>>>>>>>  issue?
>>>>>>>>>>> Happy to learn though, so please point me to the specific code
>>>>>>>>>>> that
>>>>>>>>>>> this
>>>>>>>>>>> affects?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>      it is on by default is not overridden by the app.
>>>>>>>>>>>
>>>>>>>>>>>       Andy.
>>>>>>>>>>>
>>>>>>>>>>>     On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>>>>>>>
>>>>>>>>>>       You activated 2 different headers which is useless since we
>>>>>>>>>>> change
>>>>>>>>>>>
>>>>>>>>>>>    serverinfo by default you already get tomee here.
>>>>>>>>>>>
>>>>>>>>>>>  That said this is not the real issue. Doing it is a standard
>>>>>>>>>>>> security
>>>>>>>>>>>> issue, that is why it is off by default in tomcat so I suggest
>>>>>>>>>>>> to
>>>>>>>>>>>> not
>>>>>>>>>>>> set
>>>>>>>>>>>> it on by default
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>>>>>>
>>>>>>>>>>>>       Some crawlers are using that header as the evaluation.
>>>>>>>>>>>> Default
>>>>>>>>>>>> is
>>>>>>>>>>>> Apache
>>>>>>>>>>>>
>>>>>>>>>>>>     Tomcat 7.0.x etc and it is always on, so having Apache TomEE
>>>>>>>>>>>> will
>>>>>>>>>>>>
>>>>>>>>>>>>   give
>>>>>>>>>>>>
>>>>>>>>>>>>> us
>>>>>>>>>>>>> better standing.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Andy.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>       PS (sorry hit enter without wishing it): asking cause I
>>>>>>>>>>>>> wouldn't
>>>>>>>>>>>>> have it
>>>>>>>>>>>>>
>>>>>>>>>>>>>     on
>>>>>>>>>>>>>
>>>>>>>>>>>>>   by default as a user
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <
>>>>>>>>>>>>>> rmannibucau@gmail.com
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>    :
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>          Hi
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>       What's the goal? We already switch server info, isn't it
>>>>>>>>>>>>>> enough?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ---------- Forwarded message ----------
>>>>>>>>>>>>>>> From: <an...@apache.org>
>>>>>>>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>>>>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>>>>>>>>>> To: commits@tomee.apache.org
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Repository: tomee
>>>>>>>>>>>>>>> Updated Branches:
>>>>>>>>>>>>>>>          refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> TomEE header
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>>>>>>>>>> Commit:
>>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>>>>>>>>>> Tree:
>>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>>>>>>>>>> Diff:
>>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Branch: refs/heads/master
>>>>>>>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>>>>>>>>>> Parents: 2c4047e
>>>>>>>>>>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>>>         .../apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>> |  2
>>>>>>>>>>>>>>> +-
>>>>>>>>>>>>>>>         .../java/org/apache/tomee/installer/Installer.java |
>>>>>>>>>>>>>>> 17
>>>>>>>>>>>>>>> +++++++++++++++++
>>>>>>>>>>>>>>>         2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>>> diff --git
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>> index 70fcf6f..17731b9 100644
>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>> +++
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>>>>>>>>>>>                     "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>>>>>>>>>>>                     "  <Listener
>>>>>>>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n"
>>>>>>>>>>>>>>> +
>>>>>>>>>>>>>>>                     "  <Service name=\"Catalina\">\n" +
>>>>>>>>>>>>>>> -            "    <Connector port=\"" + http + "\"
>>>>>>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>>>>>>> />\n" +
>>>>>>>>>>>>>>> +            "    <Connector port=\"" + http + "\"
>>>>>>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>>>>>>>>>>>                     "    <Engine name=\"Catalina\"
>>>>>>>>>>>>>>> defaultHost=\"localhost\">\n" +
>>>>>>>>>>>>>>>                     "      <Host name=\"localhost\"
>>>>>>>>>>>>>>> appBase=\"webapps\"\n"
>>>>>>>>>>>>>>> +
>>>>>>>>>>>>>>>                     "            unpackWARs=\"true\"
>>>>>>>>>>>>>>> autoDeploy=\"true\">\n" +
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>>> diff --git
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>> index 0308c3d..60bd8f7 100644
>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>> +++
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>>>>>>>>>>>> InstallerInterface {
>>>>>>>>>>>>>>>                     alerts.addError("Error while adding
>>>>>>>>>>>>>>> listener to
>>>>>>>>>>>>>>> server.xml
>>>>>>>>>>>>>>> file", e);
>>>>>>>>>>>>>>>                 }
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> +        //Add TomEE header
>>>>>>>>>>>>>>> +        try {
>>>>>>>>>>>>>>> +            newServerXml =
>>>>>>>>>>>>>>> Installers.replace(serverXmlOriginal,
>>>>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>>>>>>> +                    "/>",
>>>>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
>>>>>>>>>>>>>>> TomEE\"
>>>>>>>>>>>>>>> />");
>>>>>>>>>>>>>>> +
>>>>>>>>>>>>>>> +            newServerXml =
>>>>>>>>>>>>>>> Installers.replace(serverXmlOriginal,
>>>>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>>>>>>> +                    "/>",
>>>>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
>>>>>>>>>>>>>>> TomEE\"
>>>>>>>>>>>>>>> />");
>>>>>>>>>>>>>>> +        } catch (final IOException e) {
>>>>>>>>>>>>>>> +            alerts.addError("Error adding server attribute
>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>> server.xml
>>>>>>>>>>>>>>> file", e);
>>>>>>>>>>>>>>> +        }
>>>>>>>>>>>>>>> +
>>>>>>>>>>>>>>>                 // overwrite server.xml
>>>>>>>>>>>>>>>                 if
>>>>>>>>>>>>>>> (Installers.writeAll(paths.getServerXmlFile(),
>>>>>>>>>>>>>>> newServerXml,
>>>>>>>>>>>>>>> alerts)) {
>>>>>>>>>>>>>>>                     alerts.addInfo("Add OpenEJB listener to
>>>>>>>>>>>>>>> server.xml");
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>

Re: tomee git commit: TomEE header

Posted by Andy <an...@gmx.de>.
You're kidding right. Now you're clutching straws..... oh yea, let's add 
the TomEE Plus. :-D

Night.

On 08/05/2015 00:34, Romain Manni-Bucau wrote:
> 2015-05-08 0:32 GMT+02:00 Andy <an...@gmx.de>:
>
>> Yes yes whatever, you win (not that this was ever intended to be a
>> competition, you just seem to enjoy making it into one every single
>> time)... I am going to bed. Complete waste of my time. You still imply that
>> I have unsecured something?
>>
>>
> you make tomee easily identifiable compared to tomcat (= any java server of
> the web more or less). This way it is super easy to know that you can
> exploit a cxf issue for instance, thing you don't know with default header.
>
>
>> On 08/05/2015 00:26, Romain Manni-Bucau wrote:
>>
>>> not what I said.
>>>
>>> I said:
>>> 1) over exposing a variable you shouldn't activate is useless
>>> 2) we shouldn't set Apache TomEE to server variable by default
>>>
>>> Happy to replace these defaults by a server.xml.sample or anything you
>>> judge appropriate while we stay aligned on tomcat default secured
>>> settings
>>> (also note that Apache Coyote is secured cause most of servers have it
>>> otherwise it would be as Apache TomEE)
>>>
>>>
>>>
>>>
>>>
>>> 2015-05-08 0:24 GMT+02:00 Andy <an...@gmx.de>:
>>>
>>>   Hmm, so why do you want to treat the system administrator like one?
>>>> On 08/05/2015 00:21, Romain Manni-Bucau wrote:
>>>>
>>>>   Sure security is all about children...
>>>>>
>>>>>
>>>>> 2015-05-08 0:19 GMT+02:00 Andy <an...@gmx.de>:
>>>>>
>>>>>    I was just thinking 'Kindergarten', how strange...
>>>>>
>>>>>> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
>>>>>>
>>>>>>    hmm this answer doesn't make sense for me, I surely miss something but
>>>>>>
>>>>>>> read
>>>>>>> it like "hey there is this property you can switch on true but if you
>>>>>>> google you'll see you shouldn't"
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2015-05-08 0:15 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>
>>>>>>>     This is what I said and the reason I changed it. And yes the
>>>>>>> constants
>>>>>>>
>>>>>>>   have that for 'server' now, and have also had other values in the
>>>>>>>> past.
>>>>>>>>
>>>>>>>> So to be even more complete and correct myself.... changed it from
>>>>>>>> "Apache
>>>>>>>> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>>>>>>>
>>>>>>>> @Romain: "you encourage it by making it on the front of the scene."
>>>>>>>>
>>>>>>>> That's like saying I'm encouraging someone to change the 'port',
>>>>>>>> which
>>>>>>>> is
>>>>>>>> also potentially dangerous when put into the hands of an idiot.
>>>>>>>> I like, and hope, to think that exposing a property would encourage
>>>>>>>> someone to look it up before changing it blindly. The very first
>>>>>>>> google
>>>>>>>> hit
>>>>>>>> on 'xpoweredBy' will enlighten even the most fickle reader.
>>>>>>>>
>>>>>>>> Sorry if my opinion just does not fit in on that. Another hour of my
>>>>>>>> life
>>>>>>>> wasted.
>>>>>>>>
>>>>>>>> Andy.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>>>>>>>
>>>>>>>>     2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>>
>>>>>>>>       Also, for completeness:
>>>>>>>>>    xpoweredBy="*false*" activates nothing, if it were
>>>>>>>>>
>>>>>>>>>> xpoweredBy="*true*"
>>>>>>>>>> then maybe that might just 'activate' whatever it is you think is
>>>>>>>>>> being
>>>>>>>>>> activated here?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>      you encourage it by making it on the front of the scene.
>>>>>>>>>>
>>>>>>>>>>       server="*Apache TomEE*" merely changes the existing value and
>>>>>>>>>>
>>>>>>>>> also
>>>>>>>>>
>>>>>>>>>    'activates' nothing. I don't see where you think this is a
>>>>>>>>> security
>>>>>>>>>
>>>>>>>>>> issue?
>>>>>>>>>> Happy to learn though, so please point me to the specific code that
>>>>>>>>>> this
>>>>>>>>>> affects?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>      it is on by default is not overridden by the app.
>>>>>>>>>>
>>>>>>>>>>       Andy.
>>>>>>>>>>
>>>>>>>>>    On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>>>>>>
>>>>>>>>>>      You activated 2 different headers which is useless since we
>>>>>>>>>> change
>>>>>>>>>>
>>>>>>>>>>    serverinfo by default you already get tomee here.
>>>>>>>>>>
>>>>>>>>>>> That said this is not the real issue. Doing it is a standard
>>>>>>>>>>> security
>>>>>>>>>>> issue, that is why it is off by default in tomcat so I suggest to
>>>>>>>>>>> not
>>>>>>>>>>> set
>>>>>>>>>>> it on by default
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>>>>>
>>>>>>>>>>>       Some crawlers are using that header as the evaluation.
>>>>>>>>>>> Default
>>>>>>>>>>> is
>>>>>>>>>>> Apache
>>>>>>>>>>>
>>>>>>>>>>>     Tomcat 7.0.x etc and it is always on, so having Apache TomEE
>>>>>>>>>>> will
>>>>>>>>>>>
>>>>>>>>>>>   give
>>>>>>>>>>>> us
>>>>>>>>>>>> better standing.
>>>>>>>>>>>>
>>>>>>>>>>>> Andy.
>>>>>>>>>>>>
>>>>>>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>       PS (sorry hit enter without wishing it): asking cause I
>>>>>>>>>>>> wouldn't
>>>>>>>>>>>> have it
>>>>>>>>>>>>
>>>>>>>>>>>>     on
>>>>>>>>>>>>
>>>>>>>>>>>>   by default as a user
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <
>>>>>>>>>>>>> rmannibucau@gmail.com
>>>>>>>>>>>>>
>>>>>>>>>>>>>    :
>>>>>>>>>>>>>
>>>>>>>>>>>>>>         Hi
>>>>>>>>>>>>>>
>>>>>>>>>>>>>      What's the goal? We already switch server info, isn't it
>>>>>>>>>>>>> enough?
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ---------- Forwarded message ----------
>>>>>>>>>>>>>> From: <an...@apache.org>
>>>>>>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>>>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>>>>>>>>> To: commits@tomee.apache.org
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Repository: tomee
>>>>>>>>>>>>>> Updated Branches:
>>>>>>>>>>>>>>          refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> TomEE header
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>>>>>>>>> Commit:
>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>>>>>>>>> Tree:
>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>>>>>>>>> Diff:
>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Branch: refs/heads/master
>>>>>>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>>>>>>>>> Parents: 2c4047e
>>>>>>>>>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>>         .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2
>>>>>>>>>>>>>> +-
>>>>>>>>>>>>>>         .../java/org/apache/tomee/installer/Installer.java | 17
>>>>>>>>>>>>>> +++++++++++++++++
>>>>>>>>>>>>>>         2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>> diff --git
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>> index 70fcf6f..17731b9 100644
>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>> +++
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>>>>>>>>>>                     "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>>>>>>>>>>                     "  <Listener
>>>>>>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>>>>>>>>>>>                     "  <Service name=\"Catalina\">\n" +
>>>>>>>>>>>>>> -            "    <Connector port=\"" + http + "\"
>>>>>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>>>>>> />\n" +
>>>>>>>>>>>>>> +            "    <Connector port=\"" + http + "\"
>>>>>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>>>>>>>>>>                     "    <Engine name=\"Catalina\"
>>>>>>>>>>>>>> defaultHost=\"localhost\">\n" +
>>>>>>>>>>>>>>                     "      <Host name=\"localhost\"
>>>>>>>>>>>>>> appBase=\"webapps\"\n"
>>>>>>>>>>>>>> +
>>>>>>>>>>>>>>                     "            unpackWARs=\"true\"
>>>>>>>>>>>>>> autoDeploy=\"true\">\n" +
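
Review bot: On the changed Connector line the test's server.xml now carries xpoweredBy="false" server="Apache TomEE", but nothing in this hunk checks the Server header of a response, so the test passes whether or not the container honours the attribute. Either add an assertion on the header the container returns, or leave the test config as it was. A one-line comment saying why the test needs a product-naming Server value would also help, since that value identifies the server to any client.
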
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>> diff --git
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>> index 0308c3d..60bd8f7 100644
>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>> +++
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>>>>>>>>>>> InstallerInterface {
>>>>>>>>>>>>>>                     alerts.addError("Error while adding
>>>>>>>>>>>>>> listener to
>>>>>>>>>>>>>> server.xml
>>>>>>>>>>>>>> file", e);
>>>>>>>>>>>>>>                 }
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> +        //Add TomEE header
>>>>>>>>>>>>>> +        try {
>>>>>>>>>>>>>> +            newServerXml =
>>>>>>>>>>>>>> Installers.replace(serverXmlOriginal,
>>>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>>>>>> +                    "/>",
>>>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
>>>>>>>>>>>>>> TomEE\"
>>>>>>>>>>>>>> />");
>>>>>>>>>>>>>> +
>>>>>>>>>>>>>> +            newServerXml =
>>>>>>>>>>>>>> Installers.replace(serverXmlOriginal,
>>>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>>>>>> +                    "/>",
>>>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
>>>>>>>>>>>>>> TomEE\"
>>>>>>>>>>>>>> />");
>>>>>>>>>>>>>> +        } catch (final IOException e) {
>>>>>>>>>>>>>> +            alerts.addError("Error adding server attribute to
>>>>>>>>>>>>>> server.xml
>>>>>>>>>>>>>> file", e);
>>>>>>>>>>>>>> +        }
>>>>>>>>>>>>>> +
>>>>>>>>>>>>>>                 // overwrite server.xml
>>>>>>>>>>>>>>                 if
>>>>>>>>>>>>>> (Installers.writeAll(paths.getServerXmlFile(),
>>>>>>>>>>>>>> newServerXml,
>>>>>>>>>>>>>> alerts)) {
>>>>>>>>>>>>>>                     alerts.addInfo("Add OpenEJB listener to
>>>>>>>>>>>>>> server.xml");
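
Review bot: Both added Installers.replace calls read from serverXmlOriginal and assign to newServerXml, so the second call (port 8443) throws away the result of the first (port 8080), and, judging by the context lines above the block, both also discard whatever newServerXml already held from the listener step. Chain the calls on the running value instead, i.e. pass newServerXml as the first argument. The match strings are fixed to ports 8080 and 8443, so a connector on any other port is left untouched, and the addInfo message after writeAll still only mentions the OpenEJB listener.
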
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>       --
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>          Andy Gumbrecht
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>          https://twitter.com/AndyGeeDe

-- 
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe


Re: tomee git commit: TomEE header

Posted by Romain Manni-Bucau <rm...@gmail.com>.
2015-05-08 0:32 GMT+02:00 Andy <an...@gmx.de>:

> Yes yes whatever, you win (not that this was ever intended to be a
> competition, you just seem to enjoy making it into one every single
> time)... I am going to bed. Complete waste of my time. You still imply that
> I have unsecured something?
>
>
You make TomEE easily identifiable compared to Tomcat (= any Java server on
the web, more or less). This way it is super easy to know that you can
exploit a CXF issue, for instance, a thing you don't know with the default
header.


> On 08/05/2015 00:26, Romain Manni-Bucau wrote:
>
>> not what I said.
>>
>> I said:
>> 1) over exposing a variable you shouldn't activate is useless
>> 2) we shouldn't set Apache TomEE to server variable by default
>>
>> Happy to replace these defaults by a server.xml.sample or anything you
>> judge appropriate while we stay aligned on tomcat default secured
>> settings
>> (also note that Apache Coyote is secured cause most of servers have it
>> otherwise it would be as Apache TomEE)
>>
>>
>>
>>
>> Romain Manni-Bucau
>>
>> 2015-05-08 0:24 GMT+02:00 Andy <an...@gmx.de>:
>>
>>  Hmm, so why do you want to treat the system administrator like one?
>>>
>>> On 08/05/2015 00:21, Romain Manni-Bucau wrote:
>>>
>>>  Sure security is all about children...
>>>>
>>>>
>>>> Romain Manni-Bucau
>>>>
>>>> 2015-05-08 0:19 GMT+02:00 Andy <an...@gmx.de>:
>>>>
>>>>   I was just thinking 'Kindergarten', how strange...
>>>>
>>>>> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
>>>>>
>>>>>   hmm this answer doesn't make sense for me, I surely miss something but
>>>>>
>>>>>> read
>>>>>> it like "hey there is this property you can switch on true but if you
>>>>>> google you'll see you shouldn't"
>>>>>>
>>>>>>
>>>>>> Romain Manni-Bucau
>>>>>>
>>>>>> 2015-05-08 0:15 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>
>>>>>>    This is what I said and the reason I changed it. And yes the
>>>>>> constants
>>>>>>
>>>>>>  have that for 'server' now, and have also had other values in the
>>>>>>> past.
>>>>>>>
>>>>>>> So to be even more complete and correct myself.... changed it from
>>>>>>> "Apache
>>>>>>> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>>>>>>
>>>>>>> @Romain: "you encourage it by making it on the front of the scene."
>>>>>>>
>>>>>>> That's like saying I'm encouraging someone to change the 'port',
>>>>>>> which
>>>>>>> is
>>>>>>> also potentially dangerous when put into the hands of an idiot.
>>>>>>> I like, and hope, to think that exposing a property would encourage
>>>>>>> someone to look it up before changing it blindly. The very first
>>>>>>> google
>>>>>>> hit
>>>>>>> on 'xpoweredBy' will enlighten even the most fickle reader.
>>>>>>>
>>>>>>> Sorry if my opinion just does not fit in on that. Another hour of my
>>>>>>> life
>>>>>>> wasted.
>>>>>>>
>>>>>>> Andy.
>>>>>>>
>>>>>>>
>>>>>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>>>>>>
>>>>>>>    2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>
>>>>>>>      Also, for completeness:
>>>>>>>>
>>>>>>>>   xpoweredBy="*false*" activates nothing, if it were
>>>>>>>>
>>>>>>>>> xpoweredBy="*true*"
>>>>>>>>> then maybe that might just 'activate' whatever it is you think is
>>>>>>>>> being
>>>>>>>>> activated here?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>     you encourage it by making it on the front of the scene.
>>>>>>>>>
>>>>>>>>>      server="*Apache TomEE*" merely changes the existing value and
>>>>>>>>>
>>>>>>>> also
>>>>>>>>
>>>>>>>>   'activates' nothing. I don't see where you think this is a
>>>>>>>> security
>>>>>>>>
>>>>>>>>> issue?
>>>>>>>>> Happy to learn though, so please point me to the specific code that
>>>>>>>>> this
>>>>>>>>> affects?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>     it is on by default is not overridden by the app.
>>>>>>>>>
>>>>>>>>>      Andy.
>>>>>>>>>
>>>>>>>>   On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>>>>>
>>>>>>>>>     You activated 2 different headers which is useless since we
>>>>>>>>> change
>>>>>>>>>
>>>>>>>>>   serverinfo by default you already get tomee here.
>>>>>>>>>
>>>>>>>>>> That said this is not the real issue. Doing it is a standard
>>>>>>>>>> security
>>>>>>>>>> issue, that is why it is off by default in tomcat so I suggest to
>>>>>>>>>> not
>>>>>>>>>> set
>>>>>>>>>> it on by default
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>
>>>>>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>>>>
>>>>>>>>>>      Some crawlers are using that header as the evaluation.
>>>>>>>>>> Default
>>>>>>>>>> is
>>>>>>>>>> Apache
>>>>>>>>>>
>>>>>>>>>>    Tomcat 7.0.x etc and it is always on, so having Apache TomEE
>>>>>>>>>> will
>>>>>>>>>>
>>>>>>>>>>  give
>>>>>>>>>>> us
>>>>>>>>>>> better standing.
>>>>>>>>>>>
>>>>>>>>>>> Andy.
>>>>>>>>>>>
>>>>>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>>>>>>
>>>>>>>>>>>      PS (sorry hit enter without wishing it): asking cause I
>>>>>>>>>>> wouldn't
>>>>>>>>>>> have it
>>>>>>>>>>>
>>>>>>>>>>>    on
>>>>>>>>>>>
>>>>>>>>>>>  by default as a user
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <
>>>>>>>>>>>> rmannibucau@gmail.com
>>>>>>>>>>>>
>>>>>>>>>>>>   :
>>>>>>>>>>>>
>>>>>>>>>>>>>        Hi
>>>>>>>>>>>>>
>>>>>>>>>>>>     What's the goal? We already switch server info, isn't it
>>>>>>>>>>>> enough?
>>>>>>>>>>>>
>>>>>>>>>>>>   Romain Manni-Bucau
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ---------- Forwarded message ----------
>>>>>>>>>>>>> From: <an...@apache.org>
>>>>>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>>>>>>>> To: commits@tomee.apache.org
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Repository: tomee
>>>>>>>>>>>>> Updated Branches:
>>>>>>>>>>>>>         refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> TomEE header
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>>>>>>>> Commit:
>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>>>>>>>> Tree:
>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>>>>>>>> Diff:
>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>>>>>>>
>>>>>>>>>>>>> Branch: refs/heads/master
>>>>>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>>>>>>>> Parents: 2c4047e
>>>>>>>>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>        .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2
>>>>>>>>>>>>> +-
>>>>>>>>>>>>>        .../java/org/apache/tomee/installer/Installer.java | 17
>>>>>>>>>>>>> +++++++++++++++++
>>>>>>>>>>>>>        2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>> diff --git
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>> index 70fcf6f..17731b9 100644
>>>>>>>>>>>>> ---
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>> +++
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>>>>>>>>>                    "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>>>>>>>>>                    "  <Listener
>>>>>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>>>>>>>>>>                    "  <Service name=\"Catalina\">\n" +
>>>>>>>>>>>>> -            "    <Connector port=\"" + http + "\"
>>>>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>>>>> />\n" +
>>>>>>>>>>>>> +            "    <Connector port=\"" + http + "\"
>>>>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>>>>>>>>>                    "    <Engine name=\"Catalina\"
>>>>>>>>>>>>> defaultHost=\"localhost\">\n" +
>>>>>>>>>>>>>                    "      <Host name=\"localhost\"
>>>>>>>>>>>>> appBase=\"webapps\"\n"
>>>>>>>>>>>>> +
>>>>>>>>>>>>>                    "            unpackWARs=\"true\"
>>>>>>>>>>>>> autoDeploy=\"true\">\n" +
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>> diff --git
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>> index 0308c3d..60bd8f7 100644
>>>>>>>>>>>>> ---
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>> +++
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>>>>>>>>>> InstallerInterface {
>>>>>>>>>>>>>                    alerts.addError("Error while adding
>>>>>>>>>>>>> listener to
>>>>>>>>>>>>> server.xml
>>>>>>>>>>>>> file", e);
>>>>>>>>>>>>>                }
>>>>>>>>>>>>>
>>>>>>>>>>>>> +        //Add TomEE header
>>>>>>>>>>>>> +        try {
>>>>>>>>>>>>> +            newServerXml =
>>>>>>>>>>>>> Installers.replace(serverXmlOriginal,
>>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>>>>> +                    "/>",
>>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
>>>>>>>>>>>>> TomEE\"
>>>>>>>>>>>>> />");
>>>>>>>>>>>>> +
>>>>>>>>>>>>> +            newServerXml =
>>>>>>>>>>>>> Installers.replace(serverXmlOriginal,
>>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>>>>> +                    "/>",
>>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
>>>>>>>>>>>>> TomEE\"
>>>>>>>>>>>>> />");
>>>>>>>>>>>>> +        } catch (final IOException e) {
>>>>>>>>>>>>> +            alerts.addError("Error adding server attribute to
>>>>>>>>>>>>> server.xml
>>>>>>>>>>>>> file", e);
>>>>>>>>>>>>> +        }
>>>>>>>>>>>>> +
>>>>>>>>>>>>>                // overwrite server.xml
>>>>>>>>>>>>>                if
>>>>>>>>>>>>> (Installers.writeAll(paths.getServerXmlFile(),
>>>>>>>>>>>>> newServerXml,
>>>>>>>>>>>>> alerts)) {
>>>>>>>>>>>>>                    alerts.addInfo("Add OpenEJB listener to
>>>>>>>>>>>>> server.xml");
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>      --
>>>>>>>>>>>>>
>>>>>>>>>>>>>         Andy Gumbrecht
>>>>>>>>>>>>>
>>>>>>>>>>>>>         https://twitter.com/AndyGeeDe
> --
>   Andy Gumbrecht
>   https://twitter.com/AndyGeeDe
>
>
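
The reply above argues that an explicit server value naming TomEE tells any client which product is answering. The following is an added example, not code from this thread or from the TomEE code base, that audits a server.xml for Connector attributes that identify the product; the sample XML, the token list and the rule names are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the first Connector mirrors the attributes added by the
# commit under discussion; the other two are made up for contrast.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.tomee.catalina.ServerListener" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" xpoweredBy="false" server="Apache TomEE" />
    <Connector port="8443" protocol="HTTP/1.1" xpoweredBy="true" />
    <Connector port="8081" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

# Assumption: tokens that single out the product behind the connector.
PRODUCT_TOKENS = ("tomee", "openejb")
# A dotted number in the header value usually gives away a release line.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def audit_connectors(server_xml):
    """Return (port, rule, value) findings for identifying Connector attributes."""
    try:
        root = ET.fromstring(server_xml)
    except ET.ParseError as exc:
        raise ValueError("server.xml is not well-formed: %s" % exc)

    findings = []
    for connector in root.iter("Connector"):
        port = connector.get("port", "?")

        # 'server' overrides the Server response header for this connector.
        server = connector.get("server")
        if server is not None:
            lowered = server.lower()
            if any(token in lowered for token in PRODUCT_TOKENS):
                findings.append((port, "server-names-product", server))
            if VERSION_RE.search(server):
                findings.append((port, "server-carries-version", server))

        # 'xpoweredBy' is off unless set; only an explicit true adds the header.
        xpowered = connector.get("xpoweredBy", "false").strip().lower()
        if xpowered == "true":
            findings.append((port, "x-powered-by-enabled", xpowered))
    return findings


def format_report(findings):
    """Render findings one per line for a build log or review comment."""
    if not findings:
        return "no identifying connector attributes found"
    return "\n".join("port %s: %s (%s)" % f for f in findings)


if __name__ == "__main__":
    print(format_report(audit_connectors(SAMPLE_SERVER_XML)))
```
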

Re: tomee git commit: TomEE header

Posted by Andy <an...@gmx.de>.
Yes yes whatever, you win (not that this was ever intended to be a 
competition, you just seem to enjoy making it into one every single 
time)... I am going to bed. Complete waste of my time. You still imply 
that I have unsecured something?

On 08/05/2015 00:26, Romain Manni-Bucau wrote:
> not what I said.
>
> I said:
> 1) over exposing a variable you shouldn't activate is useless
> 2) we shouldn't set Apache TomEE to server variable by default
>
> Happy to replace these defaults by a server.xml.sample or anything you
> judge appropriate while we stay aligned on tomcat default secured settings
> (also note that Apache Coyote is secured cause most of servers have it
> otherwise it would be as Apache TomEE)
>
>
>
>
> Romain Manni-Bucau
>
> 2015-05-08 0:24 GMT+02:00 Andy <an...@gmx.de>:
>
>> Hmm, so why do you want to treat the system administrator like one?
>>
>> On 08/05/2015 00:21, Romain Manni-Bucau wrote:
>>
>>> Sure security is all about children...
>>>
>>>
>>> Romain Manni-Bucau
>>>
>>> 2015-05-08 0:19 GMT+02:00 Andy <an...@gmx.de>:
>>>
>>>   I was just thinking 'Kindergarten', how strange...
>>>> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
>>>>
>>>>   hmm this answer doesn't make sense for me, I surely miss something but
>>>>> read
>>>>> it like "hey there is this property you can switch on true but if you
>>>>> google you'll see you shouldn't"
>>>>>
>>>>>
>>>>> Romain Manni-Bucau
>>>>>
>>>>> 2015-05-08 0:15 GMT+02:00 Andy <an...@gmx.de>:
>>>>>
>>>>>    This is what I said and the reason I changed it. And yes the constants
>>>>>
>>>>>> have that for 'server' now, and have also had other values in the past.
>>>>>>
>>>>>> So to be even more complete and correct myself.... changed it from
>>>>>> "Apache
>>>>>> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>>>>>
>>>>>> @Romain: "you encourage it by making it on the front of the scene."
>>>>>>
>>>>>> That's like saying I'm encouraging someone to change the 'port', which
>>>>>> is
>>>>>> also potentially dangerous when put into the hands of an idiot.
>>>>>> I like, and hope, to think that exposing a property would encourage
>>>>>> someone to look it up before changing it blindly. The very first google
>>>>>> hit
>>>>>> on 'xpoweredBy' will enlighten even the most fickle reader.
>>>>>>
>>>>>> Sorry if my opinion just does not fit in on that. Another hour of my
>>>>>> life
>>>>>> wasted.
>>>>>>
>>>>>> Andy.
>>>>>>
>>>>>>
>>>>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>>>>>
>>>>>>    2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>
>>>>>>>     Also, for completeness:
>>>>>>>
>>>>>>>   xpoweredBy="*false*" activates nothing, if it were
>>>>>>>> xpoweredBy="*true*"
>>>>>>>> then maybe that might just 'activate' whatever it is you think is
>>>>>>>> being
>>>>>>>> activated here?
>>>>>>>>
>>>>>>>>
>>>>>>>>     you encourage it by making it on the front of the scene.
>>>>>>>>
>>>>>>>>      server="*Apache TomEE*" merely changes the existing value and
>>>>>>> also
>>>>>>>
>>>>>>>   'activates' nothing. I don't see where you think this is a security
>>>>>>>> issue?
>>>>>>>> Happy to learn though, so please point me to the specific code that
>>>>>>>> this
>>>>>>>> affects?
>>>>>>>>
>>>>>>>>
>>>>>>>>     it is on by default is not overridden by the app.
>>>>>>>>
>>>>>>>>      Andy.
>>>>>>>   On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>>>>>     You activated 2 different headers which is useless since we change
>>>>>>>>
>>>>>>>>   serverinfo by default you already get tomee here.
>>>>>>>>> That said this is not the real issue. Doing it is a standard
>>>>>>>>> security
>>>>>>>>> issue, that is why it is off by default in tomcat so I suggest to
>>>>>>>>> not
>>>>>>>>> set
>>>>>>>>> it on by default
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>
>>>>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>>>
>>>>>>>>>      Some crawlers are using that header as the evaluation. Default
>>>>>>>>> is
>>>>>>>>> Apache
>>>>>>>>>
>>>>>>>>>    Tomcat 7.0.x etc and it is always on, so having Apache TomEE will
>>>>>>>>>
>>>>>>>>>> give
>>>>>>>>>> us
>>>>>>>>>> better standing.
>>>>>>>>>>
>>>>>>>>>> Andy.
>>>>>>>>>>
>>>>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>>>>>
>>>>>>>>>>      PS (sorry hit enter without wishing it): asking cause I
>>>>>>>>>> wouldn't
>>>>>>>>>> have it
>>>>>>>>>>
>>>>>>>>>>    on
>>>>>>>>>>
>>>>>>>>>>> by default as a user
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>
>>>>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <
>>>>>>>>>>> rmannibucau@gmail.com
>>>>>>>>>>>
>>>>>>>>>>>   :
>>>>>>>>>>>>        Hi
>>>>>>>>>>>     What's the goal? We already switch server info, isn't it enough?
>>>>>>>>>>>
>>>>>>>>>>>   Romain Manni-Bucau
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ---------- Forwarded message ----------
>>>>>>>>>>>> From: <an...@apache.org>
>>>>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>>>>>>> To: commits@tomee.apache.org
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Repository: tomee
>>>>>>>>>>>> Updated Branches:
>>>>>>>>>>>>         refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> TomEE header
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>>>>>>> Commit:
>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>>>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>>>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>>>>>>
>>>>>>>>>>>> Branch: refs/heads/master
>>>>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>>>>>>> Parents: 2c4047e
>>>>>>>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>        .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>>>>>>>>>        .../java/org/apache/tomee/installer/Installer.java | 17
>>>>>>>>>>>> +++++++++++++++++
>>>>>>>>>>>>        2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>> diff --git
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>> index 70fcf6f..17731b9 100644
>>>>>>>>>>>> ---
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>> +++
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>>>>>>>>                    "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>>>>>>>>                    "  <Listener
>>>>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>>>>>>>>>                    "  <Service name=\"Catalina\">\n" +
>>>>>>>>>>>> -            "    <Connector port=\"" + http + "\"
>>>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>>>> />\n" +
>>>>>>>>>>>> +            "    <Connector port=\"" + http + "\"
>>>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>>>>>>>>                    "    <Engine name=\"Catalina\"
>>>>>>>>>>>> defaultHost=\"localhost\">\n" +
>>>>>>>>>>>>                    "      <Host name=\"localhost\"
>>>>>>>>>>>> appBase=\"webapps\"\n"
>>>>>>>>>>>> +
>>>>>>>>>>>>                    "            unpackWARs=\"true\"
>>>>>>>>>>>> autoDeploy=\"true\">\n" +
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>> diff --git
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>> index 0308c3d..60bd8f7 100644
>>>>>>>>>>>> ---
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>> +++
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>>>>>>>>> InstallerInterface {
>>>>>>>>>>>>                    alerts.addError("Error while adding listener to
>>>>>>>>>>>> server.xml
>>>>>>>>>>>> file", e);
>>>>>>>>>>>>                }
>>>>>>>>>>>>
>>>>>>>>>>>> +        //Add TomEE header
>>>>>>>>>>>> +        try {
>>>>>>>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>>>> +                    "/>",
>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
>>>>>>>>>>>> TomEE\"
>>>>>>>>>>>> />");
>>>>>>>>>>>> +
>>>>>>>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>>>> +                    "/>",
>>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
>>>>>>>>>>>> TomEE\"
>>>>>>>>>>>> />");
>>>>>>>>>>>> +        } catch (final IOException e) {
>>>>>>>>>>>> +            alerts.addError("Error adding server attribute to
>>>>>>>>>>>> server.xml
>>>>>>>>>>>> file", e);
>>>>>>>>>>>> +        }
>>>>>>>>>>>> +
>>>>>>>>>>>>                // overwrite server.xml
>>>>>>>>>>>>                if (Installers.writeAll(paths.getServerXmlFile(),
>>>>>>>>>>>> newServerXml,
>>>>>>>>>>>> alerts)) {
>>>>>>>>>>>>                    alerts.addInfo("Add OpenEJB listener to
>>>>>>>>>>>> server.xml");
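
Review bot: the second Installers.replace call in the added try block starts again from serverXmlOriginal, so its result overwrites newServerXml and the 8080 change made just before it is lost; only the 8443 connector is modified in what writeAll then writes. If the listener step above this hunk also assigns newServerXml, as the "Add OpenEJB listener to server.xml" message after writeAll suggests, that change is discarded as well. Pass newServerXml into both calls instead of serverXmlOriginal so each replacement builds on the previous one.
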

-- 
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe


Re: tomee git commit: TomEE header

Posted by Romain Manni-Bucau <rm...@gmail.com>.
not what I said.

I said:
1) over exposing a variable you shouldn't activate is useless
2) we shouldn't set Apache TomEE to server variable by default

Happy to replace these defaults by a server.xml.sample or anything you
judge appropriate while we stay aligned on tomcat default secured settings
(also note that Apache Coyote is secured cause most of servers have it
otherwise it would be as Apache TomEE)




Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-05-08 0:24 GMT+02:00 Andy <an...@gmx.de>:

> Hmm, so why do you want to treat the system administrator like one?
>
> On 08/05/2015 00:21, Romain Manni-Bucau wrote:
>
>> Sure security is all about children...
>>
>>
>> Romain Manni-Bucau
>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>> <http://rmannibucau.wordpress.com> | Github <
>> https://github.com/rmannibucau> |
>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>> <http://www.tomitribe.com>
>>
>> 2015-05-08 0:19 GMT+02:00 Andy <an...@gmx.de>:
>>
>>  I was just thinking 'Kindergarten', how strange...
>>>
>>> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
>>>
>>>  hmm this answer doesnt make sense for me, I surely miss something but
>>>> read
>>>> it like "hey there is this property you can switch on true but if you
>>>> google you'll see you shouldn't"
>>>>
>>>>
>>>> Romain Manni-Bucau
>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>> <http://rmannibucau.wordpress.com> | Github <
>>>> https://github.com/rmannibucau> |
>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>> <http://www.tomitribe.com>
>>>>
>>>> 2015-05-08 0:15 GMT+02:00 Andy <an...@gmx.de>:
>>>>
>>>>   This is what I said and the reason I changed it. And yes the constants
>>>>
>>>>> have that for 'server' now, and have also had other values in the past.
>>>>>
>>>>> So to be even more complete and correct myself.... changed it from
>>>>> "Apache
>>>>> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>>>>
>>>>> @Romain: "you encourage it by making it on the front of the scene."
>>>>>
>>>>> That's like saying I'm encouraging someone to change the 'port', which
>>>>> is
>>>>> also potentially dangerous when put into the hands of an idiot.
>>>>> I like, and hope, to think that exposing a property would encourage
>>>>> someone to look it up before changing it blindly. The very first google
>>>>> hit
>>>>> on 'xpoweredBy' will enlighten even the most fickle reader.
>>>>>
>>>>> Sorry if my opinion just does not fit in on that. Another hour of my
>>>>> life
>>>>> wasted.
>>>>>
>>>>> Andy.
>>>>>
>>>>>
>>>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>>>>
>>>>>   2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:
>>>>>
>>>>>>    Also, for completeness:
>>>>>>
>>>>>>  xpoweredBy="*false*" activates nothing, if it were
>>>>>>> xpoweredBy="*true*"
>>>>>>> then maybe that might just 'activate' whatever it is you think is
>>>>>>> being
>>>>>>> activated here?
>>>>>>>
>>>>>>>
>>>>>>>    you encourage it by making it on the front of the scene.
>>>>>>>
>>>>>>>     server="*Apache TomEE*" merely changes the existing value and
>>>>>> also
>>>>>>
>>>>>>  'activates' nothing. I don't see where you think this is a security
>>>>>>> issue?
>>>>>>> Happy to learn though, so please point me to the specific code that
>>>>>>> this
>>>>>>> affects?
>>>>>>>
>>>>>>>
>>>>>>>    it is on by default is not overrided by the app.
>>>>>>>
>>>>>>>     Andy.
>>>>>>
>>>>>>  On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>>>>
>>>>>>>    You activated 2 different headers which is useless since we change
>>>>>>>
>>>>>>>  serverinfo by default you already get tomee here.
>>>>>>>>
>>>>>>>> That said this is not the real issue. Doing it is a standard
>>>>>>>> security
>>>>>>>> issue, that is why it is off by default in tomcat so I suggest to
>>>>>>>> not
>>>>>>>> set
>>>>>>>> it on by default
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Romain Manni-Bucau
>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>>> https://github.com/rmannibucau> |
>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>
>>>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>>
>>>>>>>>     Some crawlers are using that header as the evaluation. Default
>>>>>>>> is
>>>>>>>> Apache
>>>>>>>>
>>>>>>>>   Tomcat 7.0.x etc and it is always on, so having Apache TomEE will
>>>>>>>>
>>>>>>>>> give
>>>>>>>>> us
>>>>>>>>> better standing.
>>>>>>>>>
>>>>>>>>> Andy.
>>>>>>>>>
>>>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>>>>
>>>>>>>>>     PS (sorry hit enter without wishing it): asking cause I
>>>>>>>>> wouldn't
>>>>>>>>> have it
>>>>>>>>>
>>>>>>>>>   on
>>>>>>>>>
>>>>>>>>>> by default as a user
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>>>>> https://github.com/rmannibucau> |
>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>>>
>>>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <
>>>>>>>>>> rmannibucau@gmail.com
>>>>>>>>>>
>>>>>>>>>>  :
>>>>>>>>>>>
>>>>>>>>>>>       Hi
>>>>>>>>>>
>>>>>>>>>>    What's the goal? We already switch server info,isnt it enough?
>>>>>>>>>>
>>>>>>>>>>  Romain Manni-Bucau
>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github
>>>>>>>>>>> <https://github.com/rmannibucau> | LinkedIn
>>>>>>>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ---------- Forwarded message ----------
>>>>>>>>>>> From: <an...@apache.org>
>>>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>>>>>> To: commits@tomee.apache.org
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Repository: tomee
>>>>>>>>>>> Updated Branches:
>>>>>>>>>>>        refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> TomEE header
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>>>>>> Commit:
>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>>>>>
>>>>>>>>>>> Branch: refs/heads/master
>>>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>>>>>> Parents: 2c4047e
>>>>>>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>       .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>>>>>>>>       .../java/org/apache/tomee/installer/Installer.java | 17
>>>>>>>>>>> +++++++++++++++++
>>>>>>>>>>>       2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>> diff --git
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>> index 70fcf6f..17731b9 100644
>>>>>>>>>>> ---
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>> +++
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>>>>>>>                   "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>>>>>>>                   "  <Listener
>>>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>>>>>>>>                   "  <Service name=\"Catalina\">\n" +
>>>>>>>>>>> -            "    <Connector port=\"" + http + "\"
>>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>>> />\n" +
>>>>>>>>>>> +            "    <Connector port=\"" + http + "\"
>>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>>>>>>>                   "    <Engine name=\"Catalina\"
>>>>>>>>>>> defaultHost=\"localhost\">\n" +
>>>>>>>>>>>                   "      <Host name=\"localhost\"
>>>>>>>>>>> appBase=\"webapps\"\n"
>>>>>>>>>>> +
>>>>>>>>>>>                   "            unpackWARs=\"true\"
>>>>>>>>>>> autoDeploy=\"true\">\n" +
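
Review bot: on the added Connector line, xpoweredBy="false" restates Tomcat's default and has no runtime effect; only server="Apache TomEE" changes what the connector sends. Drop the redundant attribute from the test configuration, or say in a comment that it is listed for visibility only.
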
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>> diff --git
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>> index 0308c3d..60bd8f7 100644
>>>>>>>>>>> ---
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>> +++
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>>>>>>>> InstallerInterface {
>>>>>>>>>>>                   alerts.addError("Error while adding listener to
>>>>>>>>>>> server.xml
>>>>>>>>>>> file", e);
>>>>>>>>>>>               }
>>>>>>>>>>>
>>>>>>>>>>> +        //Add TomEE header
>>>>>>>>>>> +        try {
>>>>>>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>>> +                    "/>",
>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
>>>>>>>>>>> TomEE\"
>>>>>>>>>>> />");
>>>>>>>>>>> +
>>>>>>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>>> +                    "/>",
>>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache
>>>>>>>>>>> TomEE\"
>>>>>>>>>>> />");
>>>>>>>>>>> +        } catch (final IOException e) {
>>>>>>>>>>> +            alerts.addError("Error adding server attribute to
>>>>>>>>>>> server.xml
>>>>>>>>>>> file", e);
>>>>>>>>>>> +        }
>>>>>>>>>>> +
>>>>>>>>>>>               // overwrite server.xml
>>>>>>>>>>>               if (Installers.writeAll(paths.getServerXmlFile(),
>>>>>>>>>>> newServerXml,
>>>>>>>>>>> alerts)) {
>>>>>>>>>>>                   alerts.addInfo("Add OpenEJB listener to
>>>>>>>>>>> server.xml");
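
Review bot: the match strings "<Connector port=\"8080\"" and "<Connector port=\"8443\"" in the added block are literals, so a server.xml whose connectors use other ports, or that lists another attribute before port, is not matched by them, and the only reporting in the block is the IOException handler. Match on the Connector element rather than on a port literal, and report through alerts when no connector was changed.
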
> --
>   Andy Gumbrecht
>   https://twitter.com/AndyGeeDe
>
>
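
The two Connector attributes argued over in this thread can be checked mechanically on an installed server.xml. The following is an added example, not part of any message in the thread or of TomEE's code; the sample server.xml, the function names and the PRODUCT_TOKENS policy list are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not taken from the thread): the patched connector form,
# a connector that opts in to X-Powered-By, and an untouched connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               xpoweredBy="false" server="Apache TomEE" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               xpoweredBy="true" />
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>
"""

# Assumed local policy: a Server value containing one of these tokens
# identifies the product to any client that reads the response headers.
PRODUCT_TOKENS = ("tomee", "tomcat", "coyote")


def audit_connectors(server_xml):
    """Return one finding per <Connector> element of a server.xml document."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        xpb = conn.get("xpoweredBy")   # None when the attribute is absent
        server = conn.get("server")    # None when the attribute is absent
        # The connector adds X-Powered-By only when the attribute is "true".
        sends_xpb = xpb is not None and xpb.strip().lower() == "true"
        findings.append({
            "port": conn.get("port"),
            "x_powered_by_sent": sends_xpb,
            # Present but not "true": same behaviour as leaving it out.
            "xpoweredBy_redundant": xpb is not None and not sends_xpb,
            "server_override": server,
            "server_names_product": server is not None
            and any(tok in server.lower() for tok in PRODUCT_TOKENS),
        })
    return findings


def ports_needing_review(findings):
    """Ports whose connector sends X-Powered-By or a product-naming Server value."""
    return [f["port"] for f in findings
            if f["x_powered_by_sent"] or f["server_names_product"]]


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

The check only reads connector attributes; a Server or X-Powered-By header set by a deployed application is outside what server.xml shows.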

Re: tomee git commit: TomEE header

Posted by Andy <an...@gmx.de>.
Hmm, so why do you want to treat the system administrator like one?

On 08/05/2015 00:21, Romain Manni-Bucau wrote:
> Sure security is all about children...
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> 2015-05-08 0:19 GMT+02:00 Andy <an...@gmx.de>:
>
>> I was just thinking 'Kindergarten', how strange...
>>
>> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
>>
>>> hmm this answer doesnt make sense for me, I surely miss something but read
>>> it like "hey there is this property you can switch on true but if you
>>> google you'll see you shouldn't"
>>>
>>>
>>> Romain Manni-Bucau
>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>> <http://rmannibucau.wordpress.com> | Github <
>>> https://github.com/rmannibucau> |
>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>> <http://www.tomitribe.com>
>>>
>>> 2015-05-08 0:15 GMT+02:00 Andy <an...@gmx.de>:
>>>
>>>   This is what I said and the reason I changed it. And yes the constants
>>>> have that for 'server' now, and have also had other values in the past.
>>>>
>>>> So to be even more complete and correct myself.... changed it from
>>>> "Apache
>>>> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>>>
>>>> @Romain: "you encourage it by making it on the front of the scene."
>>>>
>>>> That's like saying I'm encouraging someone to change the 'port', which is
>>>> also potentially dangerous when put into the hands of an idiot.
>>>> I like, and hope, to think that exposing a property would encourage
>>>> someone to look it up before changing it blindly. The very first google
>>>> hit
>>>> on 'xpoweredBy' will enlighten even the most fickle reader.
>>>>
>>>> Sorry if my opinion just does not fit in on that. Another hour of my life
>>>> wasted.
>>>>
>>>> Andy.
>>>>
>>>>
>>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>>>
>>>>   2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:
>>>>>    Also, for completeness:
>>>>>
>>>>>> xpoweredBy="*false*" activates nothing, if it were xpoweredBy="*true*"
>>>>>> then maybe that might just 'activate' whatever it is you think is being
>>>>>> activated here?
>>>>>>
>>>>>>
>>>>>>    you encourage it by making it on the front of the scene.
>>>>>>
>>>>>    server="*Apache TomEE*" merely changes the existing value and also
>>>>>
>>>>>> 'activates' nothing. I don't see where you think this is a security
>>>>>> issue?
>>>>>> Happy to learn though, so please point me to the specific code that
>>>>>> this
>>>>>> affects?
>>>>>>
>>>>>>
>>>>>>    it is on by default is not overrided by the app.
>>>>>>
>>>>>    Andy.
>>>>>
>>>>>> On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>>>
>>>>>>    You activated 2 different headers which is useless since we change
>>>>>>
>>>>>>> serverinfo by default you already get tomee here.
>>>>>>>
>>>>>>> That said this is not the real issue. Doing it is a standard security
>>>>>>> issue, that is why it is off by default in tomcat so I suggest to not
>>>>>>> set
>>>>>>> it on by default
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Romain Manni-Bucau
>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>> https://github.com/rmannibucau> |
>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>> <http://www.tomitribe.com>
>>>>>>>
>>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>>
>>>>>>>     Some crawlers are using that header as the evaluation. Default is
>>>>>>> Apache
>>>>>>>
>>>>>>>   Tomcat 7.0.x etc and it is always on, so having Apache TomEE will
>>>>>>>> give
>>>>>>>> us
>>>>>>>> better standing.
>>>>>>>>
>>>>>>>> Andy.
>>>>>>>>
>>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>>>
>>>>>>>>     PS (sorry hit enter without wishing it): asking cause I wouldn't
>>>>>>>> have it
>>>>>>>>
>>>>>>>>   on
>>>>>>>>> by default as a user
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Romain Manni-Bucau
>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>>>> https://github.com/rmannibucau> |
>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>>
>>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <
>>>>>>>>> rmannibucau@gmail.com
>>>>>>>>>
>>>>>>>>>> :
>>>>>>>>>>
>>>>>>>>>      Hi
>>>>>>>>>
>>>>>>>>>    What's the goal? We already switch server info,isnt it enough?
>>>>>>>>>
>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github
>>>>>>>>>> <https://github.com/rmannibucau> | LinkedIn
>>>>>>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ---------- Forwarded message ----------
>>>>>>>>>> From: <an...@apache.org>
>>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>>>>> To: commits@tomee.apache.org
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Repository: tomee
>>>>>>>>>> Updated Branches:
>>>>>>>>>>        refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> TomEE header
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>>>>> Commit:
>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>>>>
>>>>>>>>>> Branch: refs/heads/master
>>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>>>>> Parents: 2c4047e
>>>>>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>       .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>>>>>>>       .../java/org/apache/tomee/installer/Installer.java | 17
>>>>>>>>>> +++++++++++++++++
>>>>>>>>>>       2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>> diff --git
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>> index 70fcf6f..17731b9 100644
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>> +++
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>>>>>>                   "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>>>>>>                   "  <Listener
>>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>>>>>>>                   "  <Service name=\"Catalina\">\n" +
>>>>>>>>>> -            "    <Connector port=\"" + http + "\"
>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>> />\n" +
>>>>>>>>>> +            "    <Connector port=\"" + http + "\"
>>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>>>>>>                   "    <Engine name=\"Catalina\"
>>>>>>>>>> defaultHost=\"localhost\">\n" +
>>>>>>>>>>                   "      <Host name=\"localhost\"
>>>>>>>>>> appBase=\"webapps\"\n"
>>>>>>>>>> +
>>>>>>>>>>                   "            unpackWARs=\"true\"
>>>>>>>>>> autoDeploy=\"true\">\n" +
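
Review bot: the attribute string xpoweredBy="false" server="Apache TomEE" on the added Connector line is the same literal that the Installer.java hunk writes, typed out a second time here. If the test module can reach it, take the value from one shared constant so the test configuration cannot drift from what the installer produces.
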
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>> diff --git
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>> index 0308c3d..60bd8f7 100644
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>> +++
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>>>>>>> InstallerInterface {
>>>>>>>>>>                   alerts.addError("Error while adding listener to
>>>>>>>>>> server.xml
>>>>>>>>>> file", e);
>>>>>>>>>>               }
>>>>>>>>>>
>>>>>>>>>> +        //Add TomEE header
>>>>>>>>>> +        try {
>>>>>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>>> +                    "/>",
>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>>>>>>>>> />");
>>>>>>>>>> +
>>>>>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>>> +                    "/>",
>>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>>>>>>>>> />");
>>>>>>>>>> +        } catch (final IOException e) {
>>>>>>>>>> +            alerts.addError("Error adding server attribute to
>>>>>>>>>> server.xml
>>>>>>>>>> file", e);
>>>>>>>>>> +        }
>>>>>>>>>> +
>>>>>>>>>>               // overwrite server.xml
>>>>>>>>>>               if (Installers.writeAll(paths.getServerXmlFile(),
>>>>>>>>>> newServerXml,
>>>>>>>>>> alerts)) {
>>>>>>>>>>                   alerts.addInfo("Add OpenEJB listener to
>>>>>>>>>> server.xml");
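
Review bot: the added block writes server="Apache TomEE" into server.xml unconditionally, with no installer option guarding it, so every installation puts the product name in the Server response header by default, which is the point contested in this thread. Put the rewrite behind an option that is off unless requested, or ship the attributes in a sample server.xml, and expand the "//Add TomEE header" comment to say why xpoweredBy="false" is spelled out.
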

-- 
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe


Re: tomee git commit: TomEE header

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Sure security is all about children...


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-05-08 0:19 GMT+02:00 Andy <an...@gmx.de>:

> I was just thinking 'Kindergarten', how strange...
>
> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
>
>> hmm this answer doesnt make sense for me, I surely miss something but read
>> it like "hey there is this property you can switch on true but if you
>> google you'll see you shouldn't"
>>
>>
>> Romain Manni-Bucau
>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>> <http://rmannibucau.wordpress.com> | Github <
>> https://github.com/rmannibucau> |
>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>> <http://www.tomitribe.com>
>>
>> 2015-05-08 0:15 GMT+02:00 Andy <an...@gmx.de>:
>>
>>  This is what I said and the reason I changed it. And yes the constants
>>> have that for 'server' now, and have also had other values in the past.
>>>
>>> So to be even more complete and correct myself.... changed it from
>>> "Apache
>>> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>>
>>> @Romain: "you encourage it by making it on the front of the scene."
>>>
>>> That's like saying I'm encouraging someone to change the 'port', which is
>>> also potentially dangerous when put into the hands of an idiot.
>>> I like, and hope, to think that exposing a property would encourage
>>> someone to look it up before changing it blindly. The very first google
>>> hit
>>> on 'xpoweredBy' will enlighten even the most fickle reader.
>>>
>>> Sorry if my opinion just does not fit in on that. Another hour of my life
>>> wasted.
>>>
>>> Andy.
>>>
>>>
>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>>
>>>  2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:
>>>>
>>>>   Also, for completeness:
>>>>
>>>>> xpoweredBy="*false*" activates nothing, if it were xpoweredBy="*true*"
>>>>> then maybe that might just 'activate' whatever it is you think is being
>>>>> activated here?
>>>>>
>>>>>
>>>>>   you encourage it by making it on the front of the scene.
>>>>>
>>>>
>>>>   server="*Apache TomEE*" merely changes the existing value and also
>>>>
>>>>> 'activates' nothing. I don't see where you think this is a security
>>>>> issue?
>>>>> Happy to learn though, so please point me to the specific code that
>>>>> this
>>>>> affects?
>>>>>
>>>>>
>>>>>   it is on by default is not overrided by the app.
>>>>>
>>>>
>>>>   Andy.
>>>>
>>>>> On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>>
>>>>>   You activated 2 different headers which is useless since we change
>>>>>
>>>>>> serverinfo by default you already get tomee here.
>>>>>>
>>>>>> That said this is not the real issue. Doing it is a standard security
>>>>>> issue, that is why it is off by default in tomcat so I suggest to not
>>>>>> set
>>>>>> it on by default
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Romain Manni-Bucau
>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>> https://github.com/rmannibucau> |
>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>> <http://www.tomitribe.com>
>>>>>>
>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>>>>>>
>>>>>>    Some crawlers are using that header as the evaluation. Default is
>>>>>> Apache
>>>>>>
>>>>>>  Tomcat 7.0.x etc and it is always on, so having Apache TomEE will
>>>>>>> give
>>>>>>> us
>>>>>>> better standing.
>>>>>>>
>>>>>>> Andy.
>>>>>>>
>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>>
>>>>>>>    PS (sorry hit enter without wishing it): asking cause I wouldn't
>>>>>>> have it
>>>>>>>
>>>>>>>  on
>>>>>>>> by default as a user
>>>>>>>>
>>>>>>>>
>>>>>>>> Romain Manni-Bucau
>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>>> https://github.com/rmannibucau> |
>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>
>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <
>>>>>>>> rmannibucau@gmail.com
>>>>>>>>
>>>>>>>>> :
>>>>>>>>>
>>>>>>>>     Hi
>>>>>>>>
>>>>>>>>   What's the goal? We already switch server info,isnt it enough?
>>>>>>>>
>>>>>>>>> Romain Manni-Bucau
>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>> <http://rmannibucau.wordpress.com> | Github
>>>>>>>>> <https://github.com/rmannibucau> | LinkedIn
>>>>>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ---------- Forwarded message ----------
>>>>>>>>> From: <an...@apache.org>
>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>>>> To: commits@tomee.apache.org
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Repository: tomee
>>>>>>>>> Updated Branches:
>>>>>>>>>       refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> TomEE header
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>>>> Commit:
>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>>>
>>>>>>>>> Branch: refs/heads/master
>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>>>> Parents: 2c4047e
>>>>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>      .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>>>>>>      .../java/org/apache/tomee/installer/Installer.java | 17
>>>>>>>>> +++++++++++++++++
>>>>>>>>>      2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>> diff --git
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>> index 70fcf6f..17731b9 100644
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>> +++
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>>>>>                  "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>>>>>                  "  <Listener
>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>>>>>>                  "  <Service name=\"Catalina\">\n" +
>>>>>>>>> -            "    <Connector port=\"" + http + "\"
>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>> />\n" +
>>>>>>>>> +            "    <Connector port=\"" + http + "\"
>>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>>>>>                  "    <Engine name=\"Catalina\"
>>>>>>>>> defaultHost=\"localhost\">\n" +
>>>>>>>>>                  "      <Host name=\"localhost\"
>>>>>>>>> appBase=\"webapps\"\n"
>>>>>>>>> +
>>>>>>>>>                  "            unpackWARs=\"true\"
>>>>>>>>> autoDeploy=\"true\">\n" +
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>> diff --git
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>> index 0308c3d..60bd8f7 100644
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>> +++
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>>>>>> InstallerInterface {
>>>>>>>>>                  alerts.addError("Error while adding listener to
>>>>>>>>> server.xml
>>>>>>>>> file", e);
>>>>>>>>>              }
>>>>>>>>>
>>>>>>>>> +        //Add TomEE header
>>>>>>>>> +        try {
>>>>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>>> +                    "/>",
>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>>>>>>>> />");
>>>>>>>>> +
>>>>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>>> +                    "/>",
>>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>>>>>>>> />");
>>>>>>>>> +        } catch (final IOException e) {
>>>>>>>>> +            alerts.addError("Error adding server attribute to
>>>>>>>>> server.xml
>>>>>>>>> file", e);
>>>>>>>>> +        }
>>>>>>>>> +
>>>>>>>>>              // overwrite server.xml
>>>>>>>>>              if (Installers.writeAll(paths.getServerXmlFile(),
>>>>>>>>> newServerXml,
>>>>>>>>> alerts)) {
>>>>>>>>>                  alerts.addInfo("Add OpenEJB listener to
>>>>>>>>> server.xml");
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>    --
>>>>>>>>>
>>>>>>>>>       Andy Gumbrecht
>>>>>>>>
>>>>>>>      https://twitter.com/AndyGeeDe
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>   --
>>>>>>>
>>>>>>     Andy Gumbrecht
>>>>>     https://twitter.com/AndyGeeDe
>>>>>
>>>>>
>>>>>
>>>>>  --
>>>    Andy Gumbrecht
>>>    https://twitter.com/AndyGeeDe
>>>
>>>
>>>
> --
>   Andy Gumbrecht
>   https://twitter.com/AndyGeeDe
>
>

Re: tomee git commit: TomEE header

Posted by Andy <an...@gmx.de>.
I was just thinking 'Kindergarten', how strange...

On 08/05/2015 00:17, Romain Manni-Bucau wrote:
> hmm this answer doesn't make sense for me, I surely miss something but read
> it like "hey there is this property you can switch on true but if you
> google you'll see you shouldn't"
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> 2015-05-08 0:15 GMT+02:00 Andy <an...@gmx.de>:
>
>> This is what I said and the reason I changed it. And yes the constants
>> have that for 'server' now, and have also had other values in the past.
>>
>> So to be even more complete and correct myself.... changed it from "Apache
>> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>
>> @Romain: "you encourage it by making it on the front of the scene."
>>
>> That's like saying I'm encouraging someone to change the 'port', which is
>> also potentially dangerous when put into the hands of an idiot.
>> I like, and hope, to think that exposing a property would encourage
>> someone to look it up before changing it blindly. The very first google hit
>> on 'xpoweredBy' will enlighten even the most fickle reader.
>>
>> Sorry if my opinion just does not fit in on that. Another hour of my life
>> wasted.
>>
>> Andy.
>>
>>
>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>
>>> 2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:
>>>
>>>> Also, for completeness:
>>>>
>>>> xpoweredBy="*false*" activates nothing, if it were xpoweredBy="*true*"
>>>> then maybe that might just 'activate' whatever it is you think is being
>>>> activated here?
>>>>
>>> you encourage it by making it on the front of the scene.
>>>
>>>> server="*Apache TomEE*" merely changes the existing value and also
>>>> 'activates' nothing. I don't see where you think this is a security
>>>> issue?
>>>> Happy to learn though, so please point me to the specific code that this
>>>> affects?
>>>>
>>> it is on by default is not overridden by the app.
>>>
>>>> Andy.
>>>>
>>>> On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>
>>>>> You activated 2 different headers which is useless since we change
>>>>> serverinfo by default you already get tomee here.
>>>>>
>>>>> That said this is not the real issue. Doing it is a standard security
>>>>> issue, that is why it is off by default in tomcat so I suggest to not set
>>>>> it on by default
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Romain Manni-Bucau
>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>> https://github.com/rmannibucau> |
>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>> <http://www.tomitribe.com>
>>>>>
>>>>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>>>>>
>>>>>> Some crawlers are using that header as the evaluation. Default is Apache
>>>>>> Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give us
>>>>>> better standing.
>>>>>>
>>>>>> Andy.
>>>>>>
>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>
>>>>>>> PS (sorry hit enter without wishing it): asking cause I wouldn't have it
>>>>>>> on by default as a user
>>>>>>>
>>>>>>>
>>>>>>> Romain Manni-Bucau
>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>> https://github.com/rmannibucau> |
>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>> <http://www.tomitribe.com>
>>>>>>>
>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <rmannibucau@gmail.com>:
>>>>>>>
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> What's the goal? We already switch server info, isn't it enough?
>>>>>>>>
>>>>>>>> Romain Manni-Bucau
>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>> <http://rmannibucau.wordpress.com> | Github
>>>>>>>> <https://github.com/rmannibucau> | LinkedIn
>>>>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>>> <http://www.tomitribe.com>
>>>>>>>>
>>>>>>>>
>>>>>>>> ---------- Forwarded message ----------
>>>>>>>> From: <an...@apache.org>
>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>>> To: commits@tomee.apache.org
>>>>>>>>
>>>>>>>>
>>>>>>>> Repository: tomee
>>>>>>>> Updated Branches:
>>>>>>>>       refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>>
>>>>>>>>
>>>>>>>> TomEE header
>>>>>>>>
>>>>>>>>
>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>>
>>>>>>>> Branch: refs/heads/master
>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>>> Parents: 2c4047e
>>>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>>
>>>>>>>>
>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>      .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>>>>>      .../java/org/apache/tomee/installer/Installer.java | 17
>>>>>>>> +++++++++++++++++
>>>>>>>>      2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>>
>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>
>>>>>>>> ----------------------------------------------------------------------
>>>>>>>> diff --git
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>> index 70fcf6f..17731b9 100644
>>>>>>>> ---
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>> +++
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>>>>                  "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>>>>                  "  <Listener
>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>>>>>                  "  <Service name=\"Catalina\">\n" +
>>>>>>>> -            "    <Connector port=\"" + http + "\"
>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>> />\n" +
>>>>>>>> +            "    <Connector port=\"" + http + "\"
>>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>>>>                  "    <Engine name=\"Catalina\"
>>>>>>>> defaultHost=\"localhost\">\n" +
>>>>>>>>                  "      <Host name=\"localhost\"
>>>>>>>> appBase=\"webapps\"\n"
>>>>>>>> +
>>>>>>>>                  "            unpackWARs=\"true\"
>>>>>>>> autoDeploy=\"true\">\n" +
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>
>>>>>>>> ----------------------------------------------------------------------
>>>>>>>> diff --git
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>> index 0308c3d..60bd8f7 100644
>>>>>>>> ---
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>> +++
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>>>>> InstallerInterface {
>>>>>>>>                  alerts.addError("Error while adding listener to
>>>>>>>> server.xml
>>>>>>>> file", e);
>>>>>>>>              }
>>>>>>>>
>>>>>>>> +        //Add TomEE header
>>>>>>>> +        try {
>>>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>>> +                    "/>",
>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>>>>>>> />");
>>>>>>>> +
>>>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>>> +                    "/>",
>>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>>>>>>> />");
>>>>>>>> +        } catch (final IOException e) {
>>>>>>>> +            alerts.addError("Error adding server attribute to
>>>>>>>> server.xml
>>>>>>>> file", e);
>>>>>>>> +        }
>>>>>>>> +
>>>>>>>>              // overwrite server.xml
>>>>>>>>              if (Installers.writeAll(paths.getServerXmlFile(),
>>>>>>>> newServerXml,
>>>>>>>> alerts)) {
>>>>>>>>                  alerts.addInfo("Add OpenEJB listener to server.xml");
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>    --
>>>>>>>>
>>>>>>>      Andy Gumbrecht
>>>>>>      https://twitter.com/AndyGeeDe
>>>>>>
>>>>>>
>>>>>>
>>>>>>   --
>>>>     Andy Gumbrecht
>>>>     https://twitter.com/AndyGeeDe
>>>>
>>>>
>>>>
>> --
>>    Andy Gumbrecht
>>    https://twitter.com/AndyGeeDe
>>
>>

-- 
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe


Re: tomee git commit: TomEE header

Posted by Romain Manni-Bucau <rm...@gmail.com>.
hmm this answer doesn't make sense for me, I surely miss something but read
it like "hey there is this property you can switch on true but if you
google you'll see you shouldn't"


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-05-08 0:15 GMT+02:00 Andy <an...@gmx.de>:

> This is what I said and the reason I changed it. And yes the constants
> have that for 'server' now, and have also had other values in the past.
>
> So to be even more complete and correct myself.... changed it from "Apache
> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>
> @Romain: "you encourage it by making it on the front of the scene."
>
> That's like saying I'm encouraging someone to change the 'port', which is
> also potentially dangerous when put into the hands of an idiot.
> I like, and hope, to think that exposing a property would encourage
> someone to look it up before changing it blindly. The very first google hit
> on 'xpoweredBy' will enlighten even the most fickle reader.
>
> Sorry if my opinion just does not fit in on that. Another hour of my life
> wasted.
>
> Andy.
>
>
> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>
>> 2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:
>>
>>> Also, for completeness:
>>>
>>> xpoweredBy="*false*" activates nothing, if it were xpoweredBy="*true*"
>>> then maybe that might just 'activate' whatever it is you think is being
>>> activated here?
>>>
>> you encourage it by making it on the front of the scene.
>>
>>> server="*Apache TomEE*" merely changes the existing value and also
>>> 'activates' nothing. I don't see where you think this is a security
>>> issue?
>>> Happy to learn though, so please point me to the specific code that this
>>> affects?
>>>
>> it is on by default is not overridden by the app.
>>
>>> Andy.
>>>
>>> On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>
>>>> You activated 2 different headers which is useless since we change
>>>> serverinfo by default you already get tomee here.
>>>>
>>>> That said this is not the real issue. Doing it is a standard security
>>>> issue, that is why it is off by default in tomcat so I suggest to not set
>>>> it on by default
>>>>
>>>>
>>>>
>>>>
>>>> Romain Manni-Bucau
>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>> <http://rmannibucau.wordpress.com> | Github <
>>>> https://github.com/rmannibucau> |
>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>> <http://www.tomitribe.com>
>>>>
>>>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>>>>
>>>>> Some crawlers are using that header as the evaluation. Default is Apache
>>>>> Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give us
>>>>> better standing.
>>>>>
>>>>> Andy.
>>>>>
>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>
>>>>>> PS (sorry hit enter without wishing it): asking cause I wouldn't have it
>>>>>> on by default as a user
>>>>>>
>>>>>>
>>>>>> Romain Manni-Bucau
>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>> https://github.com/rmannibucau> |
>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>> <http://www.tomitribe.com>
>>>>>>
>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <rmannibucau@gmail.com>:
>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> What's the goal? We already switch server info, isn't it enough?
>>>>>>>
>>>>>>> Romain Manni-Bucau
>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>> <http://rmannibucau.wordpress.com> | Github
>>>>>>> <https://github.com/rmannibucau> | LinkedIn
>>>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>>> <http://www.tomitribe.com>
>>>>>>>
>>>>>>>
>>>>>>> ---------- Forwarded message ----------
>>>>>>> From: <an...@apache.org>
>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>> To: commits@tomee.apache.org
>>>>>>>
>>>>>>>
>>>>>>> Repository: tomee
>>>>>>> Updated Branches:
>>>>>>>      refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>
>>>>>>>
>>>>>>> TomEE header
>>>>>>>
>>>>>>>
>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>
>>>>>>> Branch: refs/heads/master
>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>> Parents: 2c4047e
>>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>
>>>>>>>
>>>>>>> ----------------------------------------------------------------------
>>>>>>>     .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>>>>     .../java/org/apache/tomee/installer/Installer.java | 17
>>>>>>> +++++++++++++++++
>>>>>>>     2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>
>>>>>>> ----------------------------------------------------------------------
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>
>>>>>>> ----------------------------------------------------------------------
>>>>>>> diff --git
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>> index 70fcf6f..17731b9 100644
>>>>>>> ---
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>> +++
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>>>                 "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>>>                 "  <Listener
>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>>>>                 "  <Service name=\"Catalina\">\n" +
>>>>>>> -            "    <Connector port=\"" + http + "\"
>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>> />\n" +
>>>>>>> +            "    <Connector port=\"" + http + "\"
>>>>>>> protocol=\"HTTP/1.1\"
>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>>>                 "    <Engine name=\"Catalina\"
>>>>>>> defaultHost=\"localhost\">\n" +
>>>>>>>                 "      <Host name=\"localhost\"
>>>>>>> appBase=\"webapps\"\n"
>>>>>>> +
>>>>>>>                 "            unpackWARs=\"true\"
>>>>>>> autoDeploy=\"true\">\n" +
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>
>>>>>>> ----------------------------------------------------------------------
>>>>>>> diff --git
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>> index 0308c3d..60bd8f7 100644
>>>>>>> ---
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>> +++
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>>>> InstallerInterface {
>>>>>>>                 alerts.addError("Error while adding listener to
>>>>>>> server.xml
>>>>>>> file", e);
>>>>>>>             }
>>>>>>>
>>>>>>> +        //Add TomEE header
>>>>>>> +        try {
>>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>> +                    "<Connector port=\"8080\"",
>>>>>>> +                    "/>",
>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>>>>>> />");
>>>>>>> +
>>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>> +                    "<Connector port=\"8443\"",
>>>>>>> +                    "/>",
>>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>>>>>> />");
>>>>>>> +        } catch (final IOException e) {
>>>>>>> +            alerts.addError("Error adding server attribute to
>>>>>>> server.xml
>>>>>>> file", e);
>>>>>>> +        }
>>>>>>> +
>>>>>>>             // overwrite server.xml
>>>>>>>             if (Installers.writeAll(paths.getServerXmlFile(),
>>>>>>> newServerXml,
>>>>>>> alerts)) {
>>>>>>>                 alerts.addInfo("Add OpenEJB listener to server.xml");
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>   --
>>>>>>>
>>>>>>     Andy Gumbrecht
>>>>>     https://twitter.com/AndyGeeDe
>>>>>
>>>>>
>>>>>
>>>>>  --
>>>    Andy Gumbrecht
>>>    https://twitter.com/AndyGeeDe
>>>
>>>
>>>
> --
>   Andy Gumbrecht
>   https://twitter.com/AndyGeeDe
>
>

Re: tomee git commit: TomEE header

Posted by Andy <an...@gmx.de>.
This is what I said and the reason I changed it. And yes the constants 
have that for 'server' now, and have also had other values in the past.

So to be even more complete and correct myself.... changed it from 
"Apache Coyote/1.1" to "Apache TomEE", which is still better IMHO.

@Romain: "you encourage it by making it on the front of the scene."

That's like saying I'm encouraging someone to change the 'port', which 
is also potentially dangerous when put into the hands of an idiot.
I like, and hope, to think that exposing a property would encourage 
someone to look it up before changing it blindly. The very first google 
hit on 'xpoweredBy' will enlighten even the most fickle reader.

Sorry if my opinion just does not fit in on that. Another hour of my 
life wasted.

Andy.

On 07/05/2015 23:58, Romain Manni-Bucau wrote:
> 2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:
>
>> Also, for completeness:
>>
>> xpoweredBy="*false*" activates nothing, if it were xpoweredBy="*true*"
>> then maybe that might just 'activate' whatever it is you think is being
>> activated here?
>>
>>
> you encourage it by making it on the front of the scene.
>
>
>> server="*Apache TomEE*" merely changes the existing value and also
>> 'activates' nothing. I don't see where you think this is a security issue?
>> Happy to learn though, so please point me to the specific code that this
>> affects?
>>
>>
> it is on by default is not overridden by the app.
>
>
>> Andy.
>>
>> On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>
>>> You activated 2 different headers which is useless since we change
>>> serverinfo by default you already get tomee here.
>>>
>>> That said this is not the real issue. Doing it is a standard security
>>> issue, that is why it is off by default in tomcat so I suggest to not set
>>> it on by default
>>>
>>>
>>>
>>>
>>> Romain Manni-Bucau
>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>> <http://rmannibucau.wordpress.com> | Github <
>>> https://github.com/rmannibucau> |
>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>> <http://www.tomitribe.com>
>>>
>>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>>>
>>>> Some crawlers are using that header as the evaluation. Default is Apache
>>>> Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give us
>>>> better standing.
>>>>
>>>> Andy.
>>>>
>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>
>>>>> PS (sorry hit enter without wishing it): asking cause I wouldn't have it
>>>>> on by default as a user
>>>>>
>>>>>
>>>>> Romain Manni-Bucau
>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>> https://github.com/rmannibucau> |
>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>> <http://www.tomitribe.com>
>>>>>
>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <rm...@gmail.com>:
>>>>>
>>>>>> Hi
>>>>>>
>>>>>> What's the goal? We already switch server info, isn't it enough?
>>>>>>
>>>>>> Romain Manni-Bucau
>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>> <http://rmannibucau.wordpress.com> | Github
>>>>>> <https://github.com/rmannibucau> | LinkedIn
>>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>>> <http://www.tomitribe.com>
>>>>>>
>>>>>>
>>>>>> ---------- Forwarded message ----------
>>>>>> From: <an...@apache.org>
>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>> Subject: tomee git commit: TomEE header
>>>>>> To: commits@tomee.apache.org
>>>>>>
>>>>>>
>>>>>> Repository: tomee
>>>>>> Updated Branches:
>>>>>>      refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>
>>>>>>
>>>>>> TomEE header
>>>>>>
>>>>>>
>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>
>>>>>> Branch: refs/heads/master
>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>> Parents: 2c4047e
>>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>
>>>>>> ----------------------------------------------------------------------
>>>>>>     .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>>>     .../java/org/apache/tomee/installer/Installer.java | 17
>>>>>> +++++++++++++++++
>>>>>>     2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>> ----------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>> ----------------------------------------------------------------------
>>>>>> diff --git
>>>>>>
>>>>>>
>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>>
>>>>>>
>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>> index 70fcf6f..17731b9 100644
>>>>>> ---
>>>>>>
>>>>>>
>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>> +++
>>>>>>
>>>>>>
>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>>                 "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>>                 "  <Listener
>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>>>                 "  <Service name=\"Catalina\">\n" +
>>>>>> -            "    <Connector port=\"" + http + "\"
>>>>>> protocol=\"HTTP/1.1\"
>>>>>> />\n" +
>>>>>> +            "    <Connector port=\"" + http + "\"
>>>>>> protocol=\"HTTP/1.1\"
>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>>                 "    <Engine name=\"Catalina\"
>>>>>> defaultHost=\"localhost\">\n" +
>>>>>>                 "      <Host name=\"localhost\"  appBase=\"webapps\"\n"
>>>>>> +
>>>>>>                 "            unpackWARs=\"true\"
>>>>>> autoDeploy=\"true\">\n" +
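Review bot: The changed Connector line in this test's server.xml string now sets xpoweredBy="false" server="Apache TomEE", but nothing in the hunk checks the Server header on a response, so the test passes whether or not the attribute takes effect. If the header value is the point of the commit, assert on it in this IT. A short comment on why the test configuration sets the two attributes would also help, given that the thread questions having them in the default configuration.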
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>> ----------------------------------------------------------------------
>>>>>> diff --git
>>>>>>
>>>>>>
>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>>
>>>>>>
>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>> index 0308c3d..60bd8f7 100644
>>>>>> ---
>>>>>>
>>>>>>
>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>> +++
>>>>>>
>>>>>>
>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>>> InstallerInterface {
>>>>>>                 alerts.addError("Error while adding listener to
>>>>>> server.xml
>>>>>> file", e);
>>>>>>             }
>>>>>>
>>>>>> +        //Add TomEE header
>>>>>> +        try {
>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>> +                    "<Connector port=\"8080\"",
>>>>>> +                    "<Connector port=\"8080\"",
>>>>>> +                    "/>",
>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>>>>> />");
>>>>>> +
>>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>>> +                    "<Connector port=\"8443\"",
>>>>>> +                    "<Connector port=\"8443\"",
>>>>>> +                    "/>",
>>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>>>>> />");
>>>>>> +        } catch (final IOException e) {
>>>>>> +            alerts.addError("Error adding server attribute to
>>>>>> server.xml
>>>>>> file", e);
>>>>>> +        }
>>>>>> +
>>>>>>             // overwrite server.xml
>>>>>>             if (Installers.writeAll(paths.getServerXmlFile(),
>>>>>> newServerXml,
>>>>>> alerts)) {
>>>>>>                 alerts.addInfo("Add OpenEJB listener to server.xml");
>>>>>>
>>>>>>
>>>>>>
>>>>>>
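Review bot: the second Installers.replace call (the port 8443 one) starts again from serverXmlOriginal, so its result replaces what the 8080 call just stored in newServerXml and the 8080 change never reaches the file written by Installers.writeAll. If the listener step above this block also leaves its result in newServerXml, that edit is dropped the same way while the addInfo message still reports the listener as added. Feed each step the previous result, for example newServerXml = Installers.replace(newServerXml, ...), and give this step its own addInfo line.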
>>>>>>   --
>>>>     Andy Gumbrecht
>>>>     https://twitter.com/AndyGeeDe
>>>>
>>>>
>>>>
>> --
>>    Andy Gumbrecht
>>    https://twitter.com/AndyGeeDe
>>
>>

-- 
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe


Re: tomee git commit: TomEE header

Posted by Romain Manni-Bucau <rm...@gmail.com>.
2015-05-07 23:56 GMT+02:00 Andy <an...@gmx.de>:

> Also, for completeness:
>
> xpoweredBy="false" activates nothing, if it were xpoweredBy="true"
> then maybe that might just 'activate' whatever it is you think is being
> activated here?
>
>
you encourage it by putting it at the front of the scene.


> server="Apache TomEE" merely changes the existing value and also
> 'activates' nothing. I don't see where you think this is a security issue?
> Happy to learn though, so please point me to the specific code that this
> affects?
>
>
it is on by default and is not overridden by the app.


> Andy.
>
> On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>
>> You activated 2 different headers which is useless since we change
>> serverinfo by default you already get tomee here.
>>
>> That said this is not the real issue. Doing it is a standard security
>> issue, that is why it is off by default in tomcat so I suggest to not set
>> it on by default
>>
>>
>>
>>
>> Romain Manni-Bucau
>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>> <http://rmannibucau.wordpress.com> | Github <
>> https://github.com/rmannibucau> |
>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>> <http://www.tomitribe.com>
>>
>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>>
>>  Some crawlers are using that header as the evaluation. Default is Apache
>>> Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give us
>>> better standing.
>>>
>>> Andy.
>>>
>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>
>>>  PS (sorry hit enter without wishing it): asking cause I wouldn't have it
>>>> on
>>>> by default as a user
>>>>
>>>>
>>>> Romain Manni-Bucau
>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>> <http://rmannibucau.wordpress.com> | Github <
>>>> https://github.com/rmannibucau> |
>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>> <http://www.tomitribe.com>
>>>>
>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <rm...@gmail.com>:
>>>>
>>>>   Hi
>>>>
>>>>> What's the goal? We already switch server info, isn't it enough?
>>>>>
>>>>> Romain Manni-Bucau
>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>> <http://rmannibucau.wordpress.com> | Github
>>>>> <https://github.com/rmannibucau> | LinkedIn
>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>> <http://www.tomitribe.com>
>>>>>
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: <an...@apache.org>
>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>> Subject: tomee git commit: TomEE header
>>>>> To: commits@tomee.apache.org
>>>>>
>>>>>
>>>>> Repository: tomee
>>>>> Updated Branches:
>>>>>     refs/heads/master 2c4047e14 -> 268b57c86
>>>>>
>>>>>
>>>>> TomEE header
>>>>>
>>>>>
>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>
>>>>> Branch: refs/heads/master
>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>> Parents: 2c4047e
>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>
>>>>> ----------------------------------------------------------------------
>>>>>    .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>>    .../java/org/apache/tomee/installer/Installer.java | 17
>>>>> +++++++++++++++++
>>>>>    2 files changed, 18 insertions(+), 1 deletion(-)
>>>>> ----------------------------------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>> ----------------------------------------------------------------------
>>>>> diff --git
>>>>>
>>>>>
>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>
>>>>>
>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>> index 70fcf6f..17731b9 100644
>>>>> ---
>>>>>
>>>>>
>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>> +++
>>>>>
>>>>>
>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>                "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>                "  <Listener
>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>>                "  <Service name=\"Catalina\">\n" +
>>>>> -            "    <Connector port=\"" + http + "\"
>>>>> protocol=\"HTTP/1.1\"
>>>>> />\n" +
>>>>> +            "    <Connector port=\"" + http + "\"
>>>>> protocol=\"HTTP/1.1\"
>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>                "    <Engine name=\"Catalina\"
>>>>> defaultHost=\"localhost\">\n" +
>>>>>                "      <Host name=\"localhost\"  appBase=\"webapps\"\n"
>>>>> +
>>>>>                "            unpackWARs=\"true\"
>>>>> autoDeploy=\"true\">\n" +
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>> ----------------------------------------------------------------------
>>>>> diff --git
>>>>>
>>>>>
>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>
>>>>>
>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>> index 0308c3d..60bd8f7 100644
>>>>> ---
>>>>>
>>>>>
>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>> +++
>>>>>
>>>>>
>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>> InstallerInterface {
>>>>>                alerts.addError("Error while adding listener to
>>>>> server.xml
>>>>> file", e);
>>>>>            }
>>>>>
>>>>> +        //Add TomEE header
>>>>> +        try {
>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>> +                    "<Connector port=\"8080\"",
>>>>> +                    "<Connector port=\"8080\"",
>>>>> +                    "/>",
>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>>>> />");
>>>>> +
>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>> +                    "<Connector port=\"8443\"",
>>>>> +                    "<Connector port=\"8443\"",
>>>>> +                    "/>",
>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>>>> />");
>>>>> +        } catch (final IOException e) {
>>>>> +            alerts.addError("Error adding server attribute to
>>>>> server.xml
>>>>> file", e);
>>>>> +        }
>>>>> +
>>>>>            // overwrite server.xml
>>>>>            if (Installers.writeAll(paths.getServerXmlFile(),
>>>>> newServerXml,
>>>>> alerts)) {
>>>>>                alerts.addInfo("Add OpenEJB listener to server.xml");
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>  --
>>>    Andy Gumbrecht
>>>    https://twitter.com/AndyGeeDe
>>>
>>>
>>>
> --
>   Andy Gumbrecht
>   https://twitter.com/AndyGeeDe
>
>

Re: tomee git commit: TomEE header

Posted by Andy <an...@gmx.de>.
Also, for completeness:

xpoweredBy="false" activates nothing, if it were xpoweredBy="true"
then maybe that might just 'activate' whatever it is you think is being 
activated here?

server="Apache TomEE" merely changes the existing value and also
'activates' nothing. I don't see where you think this is a security 
issue? Happy to learn though, so please point me to the specific code 
that this affects?

Andy.

On 07/05/2015 23:21, Romain Manni-Bucau wrote:
> You activated 2 different headers which is useless since we change
> serverinfo by default you already get tomee here.
>
> That said this is not the real issue. Doing it is a standard security
> issue, that is why it is off by default in tomcat so I suggest to not set
> it on by default
>
>
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>
>> Some crawlers are using that header as the evaluation. Default is Apache
>> Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give us
>> better standing.
>>
>> Andy.
>>
>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>
>>> PS (sorry hit enter without wishing it): asking cause I wouldn't have it
>>> on
>>> by default as a user
>>>
>>>
>>> Romain Manni-Bucau
>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>> <http://rmannibucau.wordpress.com> | Github <
>>> https://github.com/rmannibucau> |
>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>> <http://www.tomitribe.com>
>>>
>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <rm...@gmail.com>:
>>>
>>>   Hi
>>>> What's the goal? We already switch server info, isn't it enough?
>>>>
>>>> Romain Manni-Bucau
>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>> <http://rmannibucau.wordpress.com> | Github
>>>> <https://github.com/rmannibucau> | LinkedIn
>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>> <http://www.tomitribe.com>
>>>>
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: <an...@apache.org>
>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>> Subject: tomee git commit: TomEE header
>>>> To: commits@tomee.apache.org
>>>>
>>>>
>>>> Repository: tomee
>>>> Updated Branches:
>>>>     refs/heads/master 2c4047e14 -> 268b57c86
>>>>
>>>>
>>>> TomEE header
>>>>
>>>>
>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>
>>>> Branch: refs/heads/master
>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>> Parents: 2c4047e
>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>
>>>> ----------------------------------------------------------------------
>>>>    .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>    .../java/org/apache/tomee/installer/Installer.java | 17
>>>> +++++++++++++++++
>>>>    2 files changed, 18 insertions(+), 1 deletion(-)
>>>> ----------------------------------------------------------------------
>>>>
>>>>
>>>>
>>>>
>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>> ----------------------------------------------------------------------
>>>> diff --git
>>>>
>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>
>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>> index 70fcf6f..17731b9 100644
>>>> ---
>>>>
>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>> +++
>>>>
>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>                "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>                "  <Listener
>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>                "  <Service name=\"Catalina\">\n" +
>>>> -            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\"
>>>> />\n" +
>>>> +            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\"
>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>                "    <Engine name=\"Catalina\"
>>>> defaultHost=\"localhost\">\n" +
>>>>                "      <Host name=\"localhost\"  appBase=\"webapps\"\n" +
>>>>                "            unpackWARs=\"true\" autoDeploy=\"true\">\n" +
>>>>
>>>>
>>>>
>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>> ----------------------------------------------------------------------
>>>> diff --git
>>>>
>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>
>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>> index 0308c3d..60bd8f7 100644
>>>> ---
>>>>
>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>> +++
>>>>
>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>> InstallerInterface {
>>>>                alerts.addError("Error while adding listener to server.xml
>>>> file", e);
>>>>            }
>>>>
>>>> +        //Add TomEE header
>>>> +        try {
>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>> +                    "<Connector port=\"8080\"",
>>>> +                    "<Connector port=\"8080\"",
>>>> +                    "/>",
>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
>>>> +
>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>> +                    "<Connector port=\"8443\"",
>>>> +                    "<Connector port=\"8443\"",
>>>> +                    "/>",
>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
>>>> +        } catch (final IOException e) {
>>>> +            alerts.addError("Error adding server attribute to server.xml
>>>> file", e);
>>>> +        }
>>>> +
>>>>            // overwrite server.xml
>>>>            if (Installers.writeAll(paths.getServerXmlFile(), newServerXml,
>>>> alerts)) {
>>>>                alerts.addInfo("Add OpenEJB listener to server.xml");
>>>>
>>>>
>>>>
>>>>
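Review bot: both match strings are the literals <Connector port="8080" and <Connector port="8443", so a server.xml whose connectors listen on other ports, or list another attribute before port, will not match them. The catch block only covers IOException, and nothing visible here alerts the user when no connector was matched. Consider matching Connector elements regardless of port and adding an alert when nothing was changed.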
>> --
>>    Andy Gumbrecht
>>    https://twitter.com/AndyGeeDe
>>
>>

-- 
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe


Re: tomee git commit: TomEE header

Posted by Andy <an...@gmx.de>.
I have 'activated' nothing. It is already there, and it says 'Apache 
Tomcat 7.x' or 'Apache Tomcat 8.x' by default in the connector. I just 
changed it. So it is not useless. It now says 'Apache TomEE' - Again, 
and as usual, if you feel you must change it back then please do so and 
I will just manually change it in any installations that I do.

Andy.

On 07/05/2015 23:21, Romain Manni-Bucau wrote:
> You activated 2 different headers which is useless since we change
> serverinfo by default you already get tomee here.
>
> That said this is not the real issue. Doing it is a standard security
> issue, that is why it is off by default in tomcat so I suggest to not set
> it on by default
>
>
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>
>> Some crawlers are using that header as the evaluation. Default is Apache
>> Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give us
>> better standing.
>>
>> Andy.
>>
>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>
>>> PS (sorry hit enter without wishing it): asking cause I wouldn't have it
>>> on
>>> by default as a user
>>>
>>>
>>> Romain Manni-Bucau
>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>> <http://rmannibucau.wordpress.com> | Github <
>>> https://github.com/rmannibucau> |
>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>> <http://www.tomitribe.com>
>>>
>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <rm...@gmail.com>:
>>>
>>>   Hi
>>>> What's the goal? We already switch server info, isn't it enough?
>>>>
>>>> Romain Manni-Bucau
>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>> <http://rmannibucau.wordpress.com> | Github
>>>> <https://github.com/rmannibucau> | LinkedIn
>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>> <http://www.tomitribe.com>
>>>>
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: <an...@apache.org>
>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>> Subject: tomee git commit: TomEE header
>>>> To: commits@tomee.apache.org
>>>>
>>>>
>>>> Repository: tomee
>>>> Updated Branches:
>>>>     refs/heads/master 2c4047e14 -> 268b57c86
>>>>
>>>>
>>>> TomEE header
>>>>
>>>>
>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>
>>>> Branch: refs/heads/master
>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>> Parents: 2c4047e
>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>
>>>> ----------------------------------------------------------------------
>>>>    .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>    .../java/org/apache/tomee/installer/Installer.java | 17
>>>> +++++++++++++++++
>>>>    2 files changed, 18 insertions(+), 1 deletion(-)
>>>> ----------------------------------------------------------------------
>>>>
>>>>
>>>>
>>>>
>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>> ----------------------------------------------------------------------
>>>> diff --git
>>>>
>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>
>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>> index 70fcf6f..17731b9 100644
>>>> ---
>>>>
>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>> +++
>>>>
>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>                "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>                "  <Listener
>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>                "  <Service name=\"Catalina\">\n" +
>>>> -            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\"
>>>> />\n" +
>>>> +            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\"
>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>                "    <Engine name=\"Catalina\"
>>>> defaultHost=\"localhost\">\n" +
>>>>                "      <Host name=\"localhost\"  appBase=\"webapps\"\n" +
>>>>                "            unpackWARs=\"true\" autoDeploy=\"true\">\n" +
>>>>
>>>>
>>>>
>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>> ----------------------------------------------------------------------
>>>> diff --git
>>>>
>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>
>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>> index 0308c3d..60bd8f7 100644
>>>> ---
>>>>
>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>> +++
>>>>
>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>> InstallerInterface {
>>>>                alerts.addError("Error while adding listener to server.xml
>>>> file", e);
>>>>            }
>>>>
>>>> +        //Add TomEE header
>>>> +        try {
>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>> +                    "<Connector port=\"8080\"",
>>>> +                    "<Connector port=\"8080\"",
>>>> +                    "/>",
>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
>>>> +
>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>> +                    "<Connector port=\"8443\"",
>>>> +                    "<Connector port=\"8443\"",
>>>> +                    "/>",
>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
>>>> +        } catch (final IOException e) {
>>>> +            alerts.addError("Error adding server attribute to server.xml
>>>> file", e);
>>>> +        }
>>>> +
>>>>            // overwrite server.xml
>>>>            if (Installers.writeAll(paths.getServerXmlFile(), newServerXml,
>>>> alerts)) {
>>>>                alerts.addInfo("Add OpenEJB listener to server.xml");
>>>>
>>>>
>>>>
>>>>
>> --
>>    Andy Gumbrecht
>>    https://twitter.com/AndyGeeDe
>>
>>

-- 
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe


Re: tomee git commit: TomEE header

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Oops, right, Server is always on but it says "Apache Coyote/1.1"
(./org/apache/coyote/http11/Constants.java)


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-05-07 23:47 GMT+02:00 Andy <an...@gmx.de>:

> @Romain...
>
> @Andy: you didn't deactivate all headers by default since server and
> xpoweredBy are 2 different things. I'd just completely revert it keeping
> conf 1-1 with tomcat. Will not be activated anyway by guys in prod IMO.
>
>
> I do wish you wouldn't quote or claim things that I never said? On what
> planet, in which universe and where was I suggesting that server and
> xpoweredBy are the same thing? Please show me this?
>
>
Well, the point is: why configure xpoweredBy at all, and why give
attackers a way to potentially find an issue faster by providing the server
(so encouraging providing 2 pieces of info)? This is not what you said but
what you did.


> On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>
>> You activated 2 different headers which is useless since we change
>> serverinfo by default you already get tomee here.
>>
>> That said this is not the real issue. Doing it is a standard security
>> issue, that is why it is off by default in tomcat so I suggest to not set
>> it on by default
>>
>>
>>
>>
>> Romain Manni-Bucau
>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>> <http://rmannibucau.wordpress.com> | Github <
>> https://github.com/rmannibucau> |
>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>> <http://www.tomitribe.com>
>>
>> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>>
>>  Some crawlers are using that header as the evaluation. Default is Apache
>>> Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give us
>>> better standing.
>>>
>>> Andy.
>>>
>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>
>>>  PS (sorry hit enter without wishing it): asking cause I wouldn't have it
>>>> on
>>>> by default as a user
>>>>
>>>>
>>>> Romain Manni-Bucau
>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>> <http://rmannibucau.wordpress.com> | Github <
>>>> https://github.com/rmannibucau> |
>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>> <http://www.tomitribe.com>
>>>>
>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <rm...@gmail.com>:
>>>>
>>>>   Hi
>>>>
>>>>> What's the goal? We already switch server info, isn't it enough?
>>>>>
>>>>> Romain Manni-Bucau
>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>> <http://rmannibucau.wordpress.com> | Github
>>>>> <https://github.com/rmannibucau> | LinkedIn
>>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>>> <http://www.tomitribe.com>
>>>>>
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: <an...@apache.org>
>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>> Subject: tomee git commit: TomEE header
>>>>> To: commits@tomee.apache.org
>>>>>
>>>>>
>>>>> Repository: tomee
>>>>> Updated Branches:
>>>>>     refs/heads/master 2c4047e14 -> 268b57c86
>>>>>
>>>>>
>>>>> TomEE header
>>>>>
>>>>>
>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>
>>>>> Branch: refs/heads/master
>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>> Parents: 2c4047e
>>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>
>>>>> ----------------------------------------------------------------------
>>>>>    .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>>    .../java/org/apache/tomee/installer/Installer.java | 17
>>>>> +++++++++++++++++
>>>>>    2 files changed, 18 insertions(+), 1 deletion(-)
>>>>> ----------------------------------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>> ----------------------------------------------------------------------
>>>>> diff --git
>>>>>
>>>>>
>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>>
>>>>>
>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>> index 70fcf6f..17731b9 100644
>>>>> ---
>>>>>
>>>>>
>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>> +++
>>>>>
>>>>>
>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>>                "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>>                "  <Listener
>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>>                "  <Service name=\"Catalina\">\n" +
>>>>> -            "    <Connector port=\"" + http + "\"
>>>>> protocol=\"HTTP/1.1\"
>>>>> />\n" +
>>>>> +            "    <Connector port=\"" + http + "\"
>>>>> protocol=\"HTTP/1.1\"
>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>>                "    <Engine name=\"Catalina\"
>>>>> defaultHost=\"localhost\">\n" +
>>>>>                "      <Host name=\"localhost\"  appBase=\"webapps\"\n"
>>>>> +
>>>>>                "            unpackWARs=\"true\"
>>>>> autoDeploy=\"true\">\n" +
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>> ----------------------------------------------------------------------
>>>>> diff --git
>>>>>
>>>>>
>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>>
>>>>>
>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>> index 0308c3d..60bd8f7 100644
>>>>> ---
>>>>>
>>>>>
>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>> +++
>>>>>
>>>>>
>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>>> InstallerInterface {
>>>>>                alerts.addError("Error while adding listener to
>>>>> server.xml
>>>>> file", e);
>>>>>            }
>>>>>
>>>>> +        //Add TomEE header
>>>>> +        try {
>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>> +                    "<Connector port=\"8080\"",
>>>>> +                    "<Connector port=\"8080\"",
>>>>> +                    "/>",
>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>>>> />");
>>>>> +
>>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>>> +                    "<Connector port=\"8443\"",
>>>>> +                    "<Connector port=\"8443\"",
>>>>> +                    "/>",
>>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\"
>>>>> />");
>>>>> +        } catch (final IOException e) {
>>>>> +            alerts.addError("Error adding server attribute to
>>>>> server.xml
>>>>> file", e);
>>>>> +        }
>>>>> +
>>>>>            // overwrite server.xml
>>>>>            if (Installers.writeAll(paths.getServerXmlFile(),
>>>>> newServerXml,
>>>>> alerts)) {
>>>>>                alerts.addInfo("Add OpenEJB listener to server.xml");
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>  --
>>>    Andy Gumbrecht
>>>    https://twitter.com/AndyGeeDe
>>>
>>>
>>>
> --
>   Andy Gumbrecht
>   https://twitter.com/AndyGeeDe
>
>
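
The two connector attributes argued over in this thread, checked across a whole server.xml: this is an added example, not code from the TomEE project or from either poster. The sample server.xml, the name audit_connectors and the 0.0.0 version are constructed, and the default Server value is the one quoted in the message above.

```python
import re
import xml.etree.ElementTree as ET

# Default Server header value as quoted in the thread (taken from the message,
# not re-verified against the Tomcat source here).
DEFAULT_SERVER_HEADER = "Apache Coyote/1.1"
DOTTED_VERSION = re.compile(r"\d+(?:\.\d+)+")

# Constructed sample: the 8080 connector as the commit would leave it, an
# untouched 8443 connector, a connector with both headers switched on, and a
# commented-out connector that must be ignored.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               xpoweredBy="false" server="Apache TomEE" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
    <Connector port="8081" protocol="HTTP/1.1" xpoweredBy="true"
               server="Apache TomEE/0.0.0" />
    <!-- <Connector port="8009" protocol="AJP/1.3" xpoweredBy="true" /> -->
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return one dict per <Connector> describing the identifying headers it sends."""
    report = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        explicit = conn.get("server")
        # An unset attribute means the container's own default value is sent.
        server_header = DEFAULT_SERVER_HEADER if explicit is None else explicit
        # xpoweredBy is off unless the attribute is literally "true".
        x_powered_by = conn.get("xpoweredBy", "false").strip().lower() == "true"

        findings = []
        if explicit is None:
            findings.append("server attribute not set; default Server header applies")
        if DOTTED_VERSION.search(server_header):
            findings.append("Server header contains a dotted version number")
        if x_powered_by:
            findings.append("xpoweredBy=true adds an X-Powered-By header")

        report.append({
            "port": conn.get("port"),
            "server_header": server_header,
            "server_set_explicitly": explicit is not None,
            "x_powered_by": x_powered_by,
            "findings": findings,
        })
    return report


if __name__ == "__main__":
    for row in audit_connectors(SAMPLE_SERVER_XML):
        print(row["port"], repr(row["server_header"]),
              "X-Powered-By on" if row["x_powered_by"] else "X-Powered-By off")
        for finding in row["findings"]:
            print("   -", finding)
```

Run against a real conf/server.xml, it shows per connector which of the two headers discussed here would be sent and with what value, including connectors an installer-style string replace did not reach.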

Re: tomee git commit: TomEE header

Posted by Andy <an...@gmx.de>.
@Romain...

@Andy: you didn't deactivate all headers by default since server and
xpoweredBy are 2 different things. I'd just completely revert it keeping
conf 1-1 with tomcat. Will not be activated anyway by guys in prod IMO.


I do wish you wouldn't quote or claim things that I never said? On what 
planet, in which universe and where was I suggesting that server and
xpoweredBy are the same thing? Please show me this?

On 07/05/2015 23:21, Romain Manni-Bucau wrote:
> You activated 2 different headers which is useless since we change
> serverinfo by default you already get tomee here.
>
> That said this is not the real issue. Doing it is a standard security
> issue, that is why it is off by default in tomcat so I suggest to not set
> it on by default
>
>
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> 2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:
>
>> Some crawlers are using that header as the evaluation. Default is Apache
>> Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give us
>> better standing.
>>
>> Andy.
>>
>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>
>>> PS (sorry hit enter without wishing it): asking cause I wouldn't have it
>>> on
>>> by default as a user
>>>
>>>
>>> Romain Manni-Bucau
>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>> <http://rmannibucau.wordpress.com> | Github <
>>> https://github.com/rmannibucau> |
>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>> <http://www.tomitribe.com>
>>>
>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <rm...@gmail.com>:
>>>
>>>   Hi
>>>> What's the goal? We already switch server info, isn't it enough?
>>>>
>>>> Romain Manni-Bucau
>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>> <http://rmannibucau.wordpress.com> | Github
>>>> <https://github.com/rmannibucau> | LinkedIn
>>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>>> <http://www.tomitribe.com>
>>>>
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: <an...@apache.org>
>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>> Subject: tomee git commit: TomEE header
>>>> To: commits@tomee.apache.org
>>>>
>>>>
>>>> Repository: tomee
>>>> Updated Branches:
>>>>     refs/heads/master 2c4047e14 -> 268b57c86
>>>>
>>>>
>>>> TomEE header
>>>>
>>>>
>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>
>>>> Branch: refs/heads/master
>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>> Parents: 2c4047e
>>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>
>>>> ----------------------------------------------------------------------
>>>>    .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>    .../java/org/apache/tomee/installer/Installer.java | 17
>>>> +++++++++++++++++
>>>>    2 files changed, 18 insertions(+), 1 deletion(-)
>>>> ----------------------------------------------------------------------
>>>>
>>>>
>>>>
>>>>
>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>> ----------------------------------------------------------------------
>>>> diff --git
>>>>
>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>>
>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>> index 70fcf6f..17731b9 100644
>>>> ---
>>>>
>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>> +++
>>>>
>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>>                "  <!-- TomEE plugin for Tomcat -->\n" +
>>>>                "  <Listener
>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>>                "  <Service name=\"Catalina\">\n" +
>>>> -            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\"
>>>> />\n" +
>>>> +            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\"
>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>>                "    <Engine name=\"Catalina\"
>>>> defaultHost=\"localhost\">\n" +
>>>>                "      <Host name=\"localhost\"  appBase=\"webapps\"\n" +
>>>>                "            unpackWARs=\"true\" autoDeploy=\"true\">\n" +
>>>>
>>>>
>>>>
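
Review bot: nothing in this hunk asserts on the header that the new attributes are meant to control; the + Connector line only writes xpoweredBy="false" server="Apache TomEE" into the test's embedded server.xml string. If the attribute is to be part of the default configuration, have the test read the Server response header and assert its value; otherwise the Connector line can stay as it was.
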
>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>> ----------------------------------------------------------------------
>>>> diff --git
>>>>
>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>>
>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>> index 0308c3d..60bd8f7 100644
>>>> ---
>>>>
>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>> +++
>>>>
>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>> @@ -448,6 +448,23 @@ public class Installer implements
>>>> InstallerInterface {
>>>>                alerts.addError("Error while adding listener to server.xml
>>>> file", e);
>>>>            }
>>>>
>>>> +        //Add TomEE header
>>>> +        try {
>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>> +                    "<Connector port=\"8080\"",
>>>> +                    "<Connector port=\"8080\"",
>>>> +                    "/>",
>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
>>>> +
>>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>>> +                    "<Connector port=\"8443\"",
>>>> +                    "<Connector port=\"8443\"",
>>>> +                    "/>",
>>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
>>>> +        } catch (final IOException e) {
>>>> +            alerts.addError("Error adding server attribute to server.xml
>>>> file", e);
>>>> +        }
>>>> +
>>>>            // overwrite server.xml
>>>>            if (Installers.writeAll(paths.getServerXmlFile(), newServerXml,
>>>> alerts)) {
>>>>                alerts.addInfo("Add OpenEJB listener to server.xml");
>>>>
>>>>
>>>>
>>>>
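
Review bot: both Installers.replace(...) calls take serverXmlOriginal as input and assign to newServerXml, so the 8443 call overwrites the result of the 8080 call. Whatever newServerXml held before the try block (going by the context lines, the listener edit) is dropped as well before writeAll runs. Pass newServerXml as the first argument of both calls so that the edits accumulate.
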
>> --
>>    Andy Gumbrecht
>>    https://twitter.com/AndyGeeDe
>>
>>

-- 
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe


Re: tomee git commit: TomEE header

Posted by Romain Manni-Bucau <rm...@gmail.com>.
You activated 2 different headers which is useless since we change
serverinfo by default you already get tomee here.

That said this is not the real issue. Doing it is a standard security
issue, that is why it is off by default in tomcat so I suggest to not set
it on by default




Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-05-07 23:10 GMT+02:00 Andy <an...@gmx.de>:

> Some crawlers are using that header as the evaluation. Default is Apache
> Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give us
> better standing.
>
> Andy.
>
> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>
>> PS (sorry hit enter without wishing it): asking cause I wouldn't have it
>> on
>> by default as a user
>>
>>
>> Romain Manni-Bucau
>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>> <http://rmannibucau.wordpress.com> | Github <
>> https://github.com/rmannibucau> |
>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>> <http://www.tomitribe.com>
>>
>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <rm...@gmail.com>:
>>
>>  Hi
>>>
>>> What's the goal? We already switch server info, isn't it enough?
>>>
>>> Romain Manni-Bucau
>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>> <http://rmannibucau.wordpress.com> | Github
>>> <https://github.com/rmannibucau> | LinkedIn
>>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>> <http://www.tomitribe.com>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: <an...@apache.org>
>>> Date: 2015-05-07 22:03 GMT+02:00
>>> Subject: tomee git commit: TomEE header
>>> To: commits@tomee.apache.org
>>>
>>>
>>> Repository: tomee
>>> Updated Branches:
>>>    refs/heads/master 2c4047e14 -> 268b57c86
>>>
>>>
>>> TomEE header
>>>
>>>
>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>
>>> Branch: refs/heads/master
>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>> Parents: 2c4047e
>>> Author: andygumbrecht@apache.org <an...@gmx.de>
>>> Authored: Thu May 7 22:03:35 2015 +0200
>>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>
>>> ----------------------------------------------------------------------
>>>   .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>   .../java/org/apache/tomee/installer/Installer.java | 17
>>> +++++++++++++++++
>>>   2 files changed, 18 insertions(+), 1 deletion(-)
>>> ----------------------------------------------------------------------
>>>
>>>
>>>
>>>
>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>> ----------------------------------------------------------------------
>>> diff --git
>>>
>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>>
>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>> index 70fcf6f..17731b9 100644
>>> ---
>>>
>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>> +++
>>>
>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>>               "  <!-- TomEE plugin for Tomcat -->\n" +
>>>               "  <Listener
>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>>               "  <Service name=\"Catalina\">\n" +
>>> -            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\"
>>> />\n" +
>>> +            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\"
>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>>               "    <Engine name=\"Catalina\"
>>> defaultHost=\"localhost\">\n" +
>>>               "      <Host name=\"localhost\"  appBase=\"webapps\"\n" +
>>>               "            unpackWARs=\"true\" autoDeploy=\"true\">\n" +
>>>
>>>
>>>
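
Review bot: the new Installers.replace path in Installer.java is not exercised by this test, because the + Connector line hard-codes the attributes in the test's own server.xml literal. The text xpoweredBy="false" server="Apache TomEE" is also now typed out three times across the commit. Consider a shared constant, and a test that runs the installer against an unmodified server.xml and checks the rewritten Connector.
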
>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>> ----------------------------------------------------------------------
>>> diff --git
>>>
>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>>
>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>> index 0308c3d..60bd8f7 100644
>>> ---
>>>
>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>> +++
>>>
>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>>> @@ -448,6 +448,23 @@ public class Installer implements
>>> InstallerInterface {
>>>               alerts.addError("Error while adding listener to server.xml
>>> file", e);
>>>           }
>>>
>>> +        //Add TomEE header
>>> +        try {
>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>> +                    "<Connector port=\"8080\"",
>>> +                    "<Connector port=\"8080\"",
>>> +                    "/>",
>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
>>> +
>>> +            newServerXml = Installers.replace(serverXmlOriginal,
>>> +                    "<Connector port=\"8443\"",
>>> +                    "<Connector port=\"8443\"",
>>> +                    "/>",
>>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
>>> +        } catch (final IOException e) {
>>> +            alerts.addError("Error adding server attribute to server.xml
>>> file", e);
>>> +        }
>>> +
>>>           // overwrite server.xml
>>>           if (Installers.writeAll(paths.getServerXmlFile(), newServerXml,
>>> alerts)) {
>>>               alerts.addInfo("Add OpenEJB listener to server.xml");
>>>
>>>
>>>
>>>
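
Review bot: the match strings <Connector port="8080" and <Connector port="8443" are literals, so a server.xml whose connectors use other ports, or that lists another attribute before port, is not matched, and the hunk adds no alert for the case where nothing was replaced. The test hunk in this same commit builds its connector from a variable http port, which shows the port is not fixed. Match on the Connector element rather than on the port text, or at least report when no connector was changed.
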
> --
>   Andy Gumbrecht
>   https://twitter.com/AndyGeeDe
>
>

Re: tomee git commit: TomEE header

Posted by Andy <an...@gmx.de>.
Some crawlers are using that header as the evaluation. Default is Apache 
Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give 
us better standing.

Andy.

On 07/05/2015 22:38, Romain Manni-Bucau wrote:
> PS (sorry hit enter without wishing it): asking cause I wouldn't have it on
> by default as a user
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <rm...@gmail.com>:
>
>> Hi
>>
>> What's the goal? We already switch server info, isn't it enough?
>>
>> Romain Manni-Bucau
>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>> <http://rmannibucau.wordpress.com> | Github
>> <https://github.com/rmannibucau> | LinkedIn
>> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>> <http://www.tomitribe.com>
>>
>> ---------- Forwarded message ----------
>> From: <an...@apache.org>
>> Date: 2015-05-07 22:03 GMT+02:00
>> Subject: tomee git commit: TomEE header
>> To: commits@tomee.apache.org
>>
>>
>> Repository: tomee
>> Updated Branches:
>>    refs/heads/master 2c4047e14 -> 268b57c86
>>
>>
>> TomEE header
>>
>>
>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>
>> Branch: refs/heads/master
>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>> Parents: 2c4047e
>> Author: andygumbrecht@apache.org <an...@gmx.de>
>> Authored: Thu May 7 22:03:35 2015 +0200
>> Committer: andygumbrecht@apache.org <an...@gmx.de>
>> Committed: Thu May 7 22:03:35 2015 +0200
>>
>> ----------------------------------------------------------------------
>>   .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>   .../java/org/apache/tomee/installer/Installer.java | 17 +++++++++++++++++
>>   2 files changed, 18 insertions(+), 1 deletion(-)
>> ----------------------------------------------------------------------
>>
>>
>>
>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>> ----------------------------------------------------------------------
>> diff --git
>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>> index 70fcf6f..17731b9 100644
>> ---
>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>> +++
>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
>> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>>               "  <!-- TomEE plugin for Tomcat -->\n" +
>>               "  <Listener
>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>>               "  <Service name=\"Catalina\">\n" +
>> -            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\"
>> />\n" +
>> +            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\"
>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>>               "    <Engine name=\"Catalina\" defaultHost=\"localhost\">\n" +
>>               "      <Host name=\"localhost\"  appBase=\"webapps\"\n" +
>>               "            unpackWARs=\"true\" autoDeploy=\"true\">\n" +
>>
>>
>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>> ----------------------------------------------------------------------
>> diff --git
>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>> index 0308c3d..60bd8f7 100644
>> ---
>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>> +++
>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
>> @@ -448,6 +448,23 @@ public class Installer implements InstallerInterface {
>>               alerts.addError("Error while adding listener to server.xml
>> file", e);
>>           }
>>
>> +        //Add TomEE header
>> +        try {
>> +            newServerXml = Installers.replace(serverXmlOriginal,
>> +                    "<Connector port=\"8080\"",
>> +                    "<Connector port=\"8080\"",
>> +                    "/>",
>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
>> +
>> +            newServerXml = Installers.replace(serverXmlOriginal,
>> +                    "<Connector port=\"8443\"",
>> +                    "<Connector port=\"8443\"",
>> +                    "/>",
>> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
>> +        } catch (final IOException e) {
>> +            alerts.addError("Error adding server attribute to server.xml
>> file", e);
>> +        }
>> +
>>           // overwrite server.xml
>>           if (Installers.writeAll(paths.getServerXmlFile(), newServerXml,
>> alerts)) {
>>               alerts.addInfo("Add OpenEJB listener to server.xml");
>>
>>
>>
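
Review bot: the comment //Add TomEE header does not say which response header is meant or why the installer sets it unconditionally. xpoweredBy="false" is already the Connector default, so the only behavioural change is server="Apache TomEE"; say that in the comment, and consider putting the edit behind an installer option so that it is opt-in, which is what the replies in this thread ask for.
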

-- 
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe


Re: tomee git commit: TomEE header

Posted by Romain Manni-Bucau <rm...@gmail.com>.
PS (sorry hit enter without wishing it): asking cause I wouldn't have it on
by default as a user


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <rm...@gmail.com>:

> Hi
>
> What's the goal? We already switch server info, isn't it enough?
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <http://rmannibucau.wordpress.com> | Github
> <https://github.com/rmannibucau> | LinkedIn
> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> ---------- Forwarded message ----------
> From: <an...@apache.org>
> Date: 2015-05-07 22:03 GMT+02:00
> Subject: tomee git commit: TomEE header
> To: commits@tomee.apache.org
>
>
> Repository: tomee
> Updated Branches:
>   refs/heads/master 2c4047e14 -> 268b57c86
>
>
> TomEE header
>
>
> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>
> Branch: refs/heads/master
> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
> Parents: 2c4047e
> Author: andygumbrecht@apache.org <an...@gmx.de>
> Authored: Thu May 7 22:03:35 2015 +0200
> Committer: andygumbrecht@apache.org <an...@gmx.de>
> Committed: Thu May 7 22:03:35 2015 +0200
>
> ----------------------------------------------------------------------
>  .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>  .../java/org/apache/tomee/installer/Installer.java | 17 +++++++++++++++++
>  2 files changed, 18 insertions(+), 1 deletion(-)
> ----------------------------------------------------------------------
>
>
>
> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> ----------------------------------------------------------------------
> diff --git
> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> index 70fcf6f..17731b9 100644
> ---
> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> +++
> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> @@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
>              "  <!-- TomEE plugin for Tomcat -->\n" +
>              "  <Listener
> className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
>              "  <Service name=\"Catalina\">\n" +
> -            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\"
> />\n" +
> +            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\"
> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
>              "    <Engine name=\"Catalina\" defaultHost=\"localhost\">\n" +
>              "      <Host name=\"localhost\"  appBase=\"webapps\"\n" +
>              "            unpackWARs=\"true\" autoDeploy=\"true\">\n" +
>
>
> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> ----------------------------------------------------------------------
> diff --git
> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> index 0308c3d..60bd8f7 100644
> ---
> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> +++
> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
> @@ -448,6 +448,23 @@ public class Installer implements InstallerInterface {
>              alerts.addError("Error while adding listener to server.xml
> file", e);
>          }
>
> +        //Add TomEE header
> +        try {
> +            newServerXml = Installers.replace(serverXmlOriginal,
> +                    "<Connector port=\"8080\"",
> +                    "<Connector port=\"8080\"",
> +                    "/>",
> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
> +
> +            newServerXml = Installers.replace(serverXmlOriginal,
> +                    "<Connector port=\"8443\"",
> +                    "<Connector port=\"8443\"",
> +                    "/>",
> +                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
> +        } catch (final IOException e) {
> +            alerts.addError("Error adding server attribute to server.xml
> file", e);
> +        }
> +
>          // overwrite server.xml
>          if (Installers.writeAll(paths.getServerXmlFile(), newServerXml,
> alerts)) {
>              alerts.addInfo("Add OpenEJB listener to server.xml");
>
>
>
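
Review bot: nothing in the try block checks whether the Connector already has a server or xpoweredBy attribute before the new text is placed in front of />. If server.xml already sets either one (a customised file, or a second installer run), the element would end up with a duplicate attribute and the file would no longer be well-formed XML. Skip the replace when the attribute is already present.
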

Fwd: tomee git commit: TomEE header

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi

What's the goal? We already switch server info, isn't it enough?

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

---------- Forwarded message ----------
From: <an...@apache.org>
Date: 2015-05-07 22:03 GMT+02:00
Subject: tomee git commit: TomEE header
To: commits@tomee.apache.org


Repository: tomee
Updated Branches:
  refs/heads/master 2c4047e14 -> 268b57c86


TomEE header


Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8

Branch: refs/heads/master
Commit: 268b57c868c055e3788b85d6ed6a192da094e808
Parents: 2c4047e
Author: andygumbrecht@apache.org <an...@gmx.de>
Authored: Thu May 7 22:03:35 2015 +0200
Committer: andygumbrecht@apache.org <an...@gmx.de>
Committed: Thu May 7 22:03:35 2015 +0200

----------------------------------------------------------------------
 .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
 .../java/org/apache/tomee/installer/Installer.java | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
----------------------------------------------------------------------
diff --git
a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
index 70fcf6f..17731b9 100644
---
a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
+++
b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
@@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT {
             "  <!-- TomEE plugin for Tomcat -->\n" +
             "  <Listener
className=\"org.apache.tomee.catalina.ServerListener\" />\n" +
             "  <Service name=\"Catalina\">\n" +
-            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\"
/>\n" +
+            "    <Connector port=\"" + http + "\" protocol=\"HTTP/1.1\"
xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" +
             "    <Engine name=\"Catalina\" defaultHost=\"localhost\">\n" +
             "      <Host name=\"localhost\"  appBase=\"webapps\"\n" +
             "            unpackWARs=\"true\" autoDeploy=\"true\">\n" +

http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
----------------------------------------------------------------------
diff --git
a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
index 0308c3d..60bd8f7 100644
---
a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
+++
b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
@@ -448,6 +448,23 @@ public class Installer implements InstallerInterface {
             alerts.addError("Error while adding listener to server.xml
file", e);
         }

+        //Add TomEE header
+        try {
+            newServerXml = Installers.replace(serverXmlOriginal,
+                    "<Connector port=\"8080\"",
+                    "<Connector port=\"8080\"",
+                    "/>",
+                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
+
+            newServerXml = Installers.replace(serverXmlOriginal,
+                    "<Connector port=\"8443\"",
+                    "<Connector port=\"8443\"",
+                    "/>",
+                    "xpoweredBy=\"false\" server=\"Apache TomEE\" />");
+        } catch (final IOException e) {
+            alerts.addError("Error adding server attribute to server.xml
file", e);
+        }
+
         // overwrite server.xml
         if (Installers.writeAll(paths.getServerXmlFile(), newServerXml,
alerts)) {
             alerts.addInfo("Add OpenEJB listener to server.xml");
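
Review bot: the two Installers.replace(...) calls in the added block differ only in the port literal, and the attribute string is repeated in each. Extract the attribute text into a constant and loop over the ports (or use a small helper); that also makes it harder to pass the wrong input argument in one of the copies.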