
09/16/2008

Tomcat/JBoss: Suppressing Server Identity - Part Two

The first post in this two-part series covered a quick way to suppress the server identity returned in the HTTP Server response header. This post deals with customizing Tomcat's default error pages so that the response body no longer carries the Tomcat or JBoss version number. You will want to do that if you are trying to stop lazy PCI compliance scanners from dinging you with vulnerabilities based solely on a version string scraped from an error page.

There really isn't a quick and easy way to do this, because the default error page is baked into Tomcat (and therefore into JBoss, which embeds it). The only route I can find in the Tomcat documentation is to define your own custom error pages, and they cannot be made global just by editing the global web.xml in $CATALINA_HOME/conf: an <error-page> location is resolved inside the web application that handled the request, so every application would still need its own copy of the pages. What you can do is add the mapping to the ROOT webapp's web.xml, which gives you a "somewhat global" default for any URI that no other web context claims. For example, if you set this up in ROOT and have no other applications deployed, every 404 comes back as your custom page. If you then deploy an application called "exampleApp", bad requests sent under /exampleApp are handled by that application, so it needs its own <error-page> entries and its own copy of the error pages in its web.xml and context (the location cannot point at ROOT's directory). Bad requests made outside /exampleApp are still handled by ROOT as expected.

The modifications are fairly straightforward. Add the following to the ROOT web application's deployment descriptor, which is typically $CATALINA_HOME/webapps/ROOT/WEB-INF/web.xml:

  <error-page>
    <error-code>500</error-code>
    <location>/errors/500.html</location>
  </error-page>
  <error-page>
    <error-code>404</error-code>
    <location>/errors/404.html</location>
  </error-page>

As you can tell, we also need to create static HTML pages for these errors, in a subdirectory called "errors" inside $CATALINA_HOME/webapps/ROOT. Keeping them static matters: a plain file has no server-generated footer, so there is nothing in it that can leak the container version. Below are the pages I created:

404 Error Page

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404 Not Found</title>
<meta name="description" content="The server has not found anything matching the Request-URI." />
<style type="text/css">
/* Hex colors need the leading "#", and the empty background-image URL is dropped. */
body {background-color:#ffffff;}
h3 {font-family:Arial;color:#000000;}
p {font-family:Arial;font-size:14px;font-style:normal;font-weight:normal;color:#000000;}
</style>
</head>
<body>
<h3>404 Not Found</h3>
<p>The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.</p>
</body>
</html>


500 Error Page

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>500 Internal Server Error</title>
<meta name="description" content="The server encountered an unexpected condition which prevented it from fulfilling the request." />
<style type="text/css">
/* Same fixes as the 404 page: "#" on the hex colors, no empty background-image URL. */
body {background-color:#ffffff;}
h3 {font-family:Arial;color:#000000;}
p {font-family:Arial;font-size:14px;font-style:normal;font-weight:normal;color:#000000;}
</style>
</head>
<body>
<h3>500 Internal Server Error</h3>
<p>The server encountered an unexpected condition which prevented it from fulfilling the request.</p>
</body>
</html>

Obviously these pages are not prettied up, but they illustrate the point. Fire up curl and test with curl --verbose http://localhost:8080/bad: you should now get the markup for your custom 404 page back, with no Tomcat or JBoss version string anywhere in the headers or the body. Repeat the check against a path inside each deployed application (for example /exampleApp/bad); until that application carries its own error-page mappings, it will still answer with the container's default page.
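To make that curl check repeatable, here is an added example (not code from the original post) that scans a captured response for the same fingerprints a version-scraping scanner keys on: the stock Apache-Coyote Server header, the X-Powered-By header JBoss adds, and the "Apache Tomcat/x.y.z" or "JBossWeb/x.y" strings the default error page prints in its body. The two sample responses are constructed for the demo, not real captures, and the hardened sample assumes Part One left the Server header reading "Apache", which the posts do not prescribe.

```shell
#!/bin/sh
# Added example, not from the original post: flag Tomcat/JBoss version
# fingerprints in an HTTP response. Capture one with the headers kept:
#     curl -si http://localhost:8080/bad > resp.txt && version_leaks < resp.txt
# Exit status 0 means nothing identifying was found; 1 means the offending
# lines were printed and the server is still giving itself away.

# Extended regex covering the Server header, JBoss's X-Powered-By header, and
# the version strings the default error-report page puts in its body.
LEAK_RE='^Server:.*(Tomcat|JBoss|Coyote)|^X-Powered-By:.*(Servlet|JSP|JBoss)|Apache Tomcat/[0-9]|JBoss[A-Za-z-]*/[0-9]'

version_leaks() {
    # Strip CRs so header lines anchor cleanly, then print any offending line.
    # grep succeeding (a match found) is the failure case for us.
    tr -d '\r' | grep -E -i "$LEAK_RE" && return 1
    return 0
}

check_response() {
    # Wrapper for a response held in a string: check_response "$RESP"
    printf '%s\n' "$1" | version_leaks
}

# Constructed sample (not a real capture): what a stock Tomcat 6 install
# answers for a missing URI, with the default error-report body abbreviated.
STOCK_RESPONSE='HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8

<html><head><title>Apache Tomcat/6.0.18 - Error report</title></head>
<body><h1>HTTP Status 404 - /bad</h1><hr size="1" noshade="noshade" />
<h3>Apache Tomcat/6.0.18</h3></body></html>'

# Constructed sample: the same request after the ROOT web.xml mapping from
# this post and the Server header change from Part One (the value "Apache"
# is an assumption for the demo).
HARDENED_RESPONSE='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html

<html><head><title>404 Not Found</title></head>
<body><h3>404 Not Found</h3>
<p>The server has not found anything matching the Request-URI.</p></body></html>'

# Stand-alone demo: the stock response is flagged, the hardened one passes.
if check_response "$STOCK_RESPONSE"; then echo "stock: clean (unexpected)"; else echo "stock: leaks version"; fi
if check_response "$HARDENED_RESPONSE"; then echo "hardened: clean"; else echo "hardened: leaks version (unexpected)"; fi
```

Run it against a saved response from every deployed context, not just ROOT, since each application answers its own errors; a clean result for /bad says nothing about /exampleApp/bad.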

This article should serve as a springboard to get you going. Talk to your designers or developers if you want branded error pages, and if your application already ships its own, consider promoting them into the ROOT web application so that requests outside any deployed context get the same treatment.

A loosely-related Part 3, which is JBoss-specific, deals with suppressing the X-Powered-By header returned by JBoss.
