Posted to users@tomcat.apache.org by Ian Stevens <ia...@phantomfiber.com> on 2004/06/29 17:09:04 UTC

Using javax.servlet.Filter to alter HTTP headers (was RE: How can the Server header in an HTTP response be customised?)

> Is it possible to programmatically change the Server header?  
> Barring that, is it possible to set a Server header for a 
> servlet within its web.xml file?
> My least preferred method is to change the Server header 
> within Tomcat's server.xml file.

I looked at Tomcat's source code, and that Server header is hard-coded with
values read in from a properties file and set in source.  As such, there
looks to be no way to specify a different value in the server.xml or
web.xml.  A poor design decision in my mind, but nevertheless.

I was thinking that a javax.servlet.Filter which intercepts a call to set an
HTTP header would do the trick.  I wrote a naive Filter (listed below) and
added parameters to my web.xml (also shown below) to accomplish this.  Its
init() and doFilter() methods are called, but the setHeader() method of the
HttpServletResponseWrapper is never hit.

Can calls to setHeader() in Tomcat source, specifically HttpConnector, be
wrapped with Filter objects?  Or does that only apply to calls within servlet
source?  How can I wrap all calls to setHeader()?

thanks,
Ian.

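import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * The javax.servlet.Filter to set HTTP headers to null.
 */
public class HttpRemoveHeaderFilter implements Filter
{
    // Name of the header to blank out, read from the "remove" init-param.
    private String headerToRemove;

    public void destroy()
    {
    }

    // Pass a wrapped response down the chain so that setHeader() calls made
    // by the servlet go through RemoveHeaderWrapper.
    public void doFilter( ServletRequest request, ServletResponse response, FilterChain chain ) throws IOException, ServletException
    {
        chain.doFilter( request, new RemoveHeaderWrapper( (HttpServletResponse)response, headerToRemove ) );
    }

    public void init( FilterConfig config ) throws ServletException
    {
        headerToRemove = config.getInitParameter( "remove" );
    }

    private final class RemoveHeaderWrapper extends HttpServletResponseWrapper
    {
        private String headerToRemove;

        public RemoveHeaderWrapper( HttpServletResponse response, String headerToRemove )
        {
            super( response );
            this.headerToRemove = headerToRemove;
        }

        // s is the header name, s1 its value.  String.matches() treats
        // headerToRemove as a regular expression.
        public void setHeader( String s, String s1 )
        {
            if( s.matches( headerToRemove ) )
            {
                super.setHeader( s, null );
            }
            else
            {
                super.setHeader( s, s1 );
            }
        }
    }
}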


Below are the associated contents of my web.xml file.

<filter>
	<filter-name>removeHeader</filter-name>
	<filter-class>HttpRemoveHeaderFilter</filter-class>
	<init-param>
		<param-name>remove</param-name>
		<param-value>Server</param-value>
	</init-param>
</filter>

<filter-mapping>
	<filter-name>removeHeader</filter-name>
	<url-pattern>/servlet</url-pattern>
</filter-mapping>


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


RE: Using javax.servlet.Filter to alter HTTP headers (was RE: How can the Server header in an HTTP response be customised?)

Posted by Ian Stevens <ia...@phantomfiber.com>.
> Unless there is a PATCH in bugzilla, then no.

OK. Thanks for your help, Tim.

Ian.




Re: Using javax.servlet.Filter to alter HTTP headers (was RE: How can the Server header in an HTTP response be customised?)

Posted by Tim Funk <fu...@joedog.org>.
Unless there is a PATCH in bugzilla, then no.

-Tim

Ian Stevens wrote:

>>The Server header is hardcoded into the Connectors. You can't 
>>remove/change it without a PATCH/recompile to 
>>org.apache.coyote.http11.Constants
> 
> 
> That's certainly what I saw when looking at the source.  There's no way
> to alter it using a javax.servlet.Filter and a
> javax.servlet.HttpServletResponseWrapper?  I tried (see previous messages on
> this topic) but got nowhere fast.
> 
> Are there plans to allow the Server header to be altered in the near future?
> It is certainly a feature I would like to see, both for reasons of security
> and for limiting the size of the HTTP header for small devices on a rate
> plan.
>  



RE: Using javax.servlet.Filter to alter HTTP headers (was RE: How can the Server header in an HTTP response be customised?)

Posted by Ian Stevens <ia...@phantomfiber.com>.
> The Server header is hardcoded into the Connectors. You can't 
> remove/change it without a PATCH/recompile to 
> org.apache.coyote.http11.Constants

That's certainly what I saw when looking at the source.  There's no way
to alter it using a javax.servlet.Filter and a
javax.servlet.HttpServletResponseWrapper?  I tried (see previous messages on
this topic) but got nowhere fast.

Are there plans to allow the Server header to be altered in the near future?
It is certainly a feature I would like to see, both for reasons of security
and for limiting the size of the HTTP header for small devices on a rate
plan.

Ian.






Re: Using javax.servlet.Filter to alter HTTP headers (was RE: How can the Server header in an HTTP response be customised?)

Posted by Tim Funk <fu...@joedog.org>.
The Server header is hardcoded into the Connectors. You can't remove/change 
it without a PATCH/recompile to org.apache.coyote.http11.Constants


-Tim

Ian Stevens wrote:

>>>>Is it possible to programmatically change the Server header?  
> 
> [...]
> 
>>Surely there is a way to alter the Server header of an HTTP 
>>response, if only for security reasons.  I can't be the only 
>>person who wishes to do this.  I would appreciate any 
>>suggestions as to how this can be accomplished.
> 
> 
> Is there another Tomcat mailing list where I can get my question answered,
> preferably one where Tomcat developers lurk?  Nobody here seems to be able
> to provide answers.
>  



RE: Using javax.servlet.Filter to alter HTTP headers (was RE: How can the Server header in an HTTP response be customised?)

Posted by Ian Stevens <ia...@phantomfiber.com>.
> > > Is it possible to programmatically change the Server header?  
[...]
> Surely there is a way to alter the Server header of an HTTP 
> response, if only for security reasons.  I can't be the only 
> person who wishes to do this.  I would appreciate any 
> suggestions as to how this can be accomplished.

Is there another Tomcat mailing list where I can get my question answered,
preferably one where Tomcat developers lurk?  Nobody here seems to be able
to provide answers.

thank you,
Ian.




RE: Using javax.servlet.Filter to alter HTTP headers (was RE: How can the Server header in an HTTP response be customised?)

Posted by Ian Stevens <ia...@phantomfiber.com>.
> > Is it possible to programmatically change the Server header?  
> > Barring that, is it possible to set a Server header for a servlet 
> > within its web.xml file? My least preferred method is to change the
> > Server header within Tomcat's server.xml file.
> I was thinking that a javax.servlet.Filter which intercepts a 
> call to set an HTTP header would do the trick.  I wrote a 
> naive Filter (listed below) and added parameters to my 
> web.xml (also shown below) to accomplish this.  Its
> init() and doFilter() methods are called, but the setHeader() 
> method of the HttpServletResponseWrapper is never hit.

I also overrode the addHeader() method and added a call to that within my
servlet.  The addHeader() method in the wrapper gets called, but only when
that method is called within the servlet, not from within Tomcat.

Surely there is a way to alter the Server header of an HTTP response, if
only for security reasons.  I can't be the only person who wishes to do
this.  I would appreciate any suggestions as to how this can be
accomplished.

thank you,
Ian.
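
Added example, not part of the original thread and not Tomcat code: a self-contained Java model of the behaviour reported above, in which a response wrapper sees only the header calls made through the wrapper object, while a header written by the container on the underlying response bypasses it. The class names and the header value "hypothetical-container/1.0" are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Constructed model, not Tomcat code: shows why a response wrapper only sees
// header calls that are made through the wrapper object itself.
public class WrapperScopeDemo {
    interface Response { void setHeader(String name, String value); }

    // Stand-in for the container's real response object.
    static class ContainerResponse implements Response {
        final Map<String, String> headers = new LinkedHashMap<>();
        public void setHeader(String name, String value) { headers.put(name, value); }
    }

    // Stand-in for the filter's HttpServletResponseWrapper subclass.
    static class DropHeaderWrapper implements Response {
        private final Response inner;
        private final String blocked;
        int intercepted = 0;   // number of setHeader() calls that reached the wrapper

        DropHeaderWrapper(Response inner, String blocked) {
            this.inner = inner;
            this.blocked = blocked;
        }

        public void setHeader(String name, String value) {
            intercepted++;
            // Header names are case-insensitive in HTTP, so compare accordingly.
            if (!name.equalsIgnoreCase(blocked)) inner.setHeader(name, value);
        }
    }

    public static void main(String[] args) {
        ContainerResponse real = new ContainerResponse();
        DropHeaderWrapper wrapped = new DropHeaderWrapper(real, "Server");

        // 1. Servlet code runs inside the filter chain and holds the wrapper.
        wrapped.setHeader("Content-Type", "text/plain");
        wrapped.setHeader("Server", "set-by-servlet");   // intercepted and dropped

        // 2. The connector (modelled here) holds the real response and writes
        //    its own header directly, so the wrapper is never consulted.
        real.setHeader("Server", "hypothetical-container/1.0");

        System.out.println("calls seen by wrapper: " + wrapped.intercepted);
        System.out.println("headers on the wire:   " + real.headers);
    }
}
```

Running the class shows the wrapper counting only the two servlet-side calls while the container-side Server value still ends up in the response headers.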

