Hide Tomcat Version From Default Error Page
number from the error pages?

Answer: Apache Tomcat is a server for Java Servlets and JSP. When you request a page that doesn't exist on the Tomcat server, or when an existing page returns an error, the Tomcat server displays its version number on the error page. This might be a security risk, especially if you are running an old Tomcat server that has some known exploits. Hiding the version only removes an easy fingerprint; the known vulnerabilities remain until you upgrade. If for some reason you can't upgrade the Tomcat server to the latest version, and you just want to hide the version number from the error pages, follow the steps below.

Go to $CATALINA_HOME/lib and create the org/apache/catalina/util directory under it. In the following example, /home/tomcat is the $CATALINA_HOME.

    cd /home/tomcat/lib
    mkdir -p org/apache/catalina/util

Go to this newly created directory, create a ServerInfo.properties file, and add the server.info parameter as shown below. Set the value of this parameter to anything you like.

    cd org/apache/catalina/util
    $ vi ServerInfo.properties
    server.info=Apache Tomcat Version X

After this, restart the Tomcat server.

    cd $CATALINA_HOME/bin
    ./catalina.sh stop
    ./catalina.sh start

Now, if you go to the error page, you will not see the Tomcat version number. Instead, you will see the text you set for the server.info parameter.

After you do the above, you can still see the Tomcat version number from the command line, using the version.sh script as shown below.

    $ $CATALINA_HOME/bin/version.sh
    ..
    Server version: Apache Tomcat/7.0.35
    Server number:  7.0.35.0
    ..

10 comments

Sys. student, August 15, 2013, 8:39 am:
How to install tomcat from the beginning on a cPanel server (CentOS 6.x 64-bit with cPanel installed)?

John, August 15, 2013, 9:37 pm:
Thanks. How can I do the same thing for Apache webser
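The override steps from the article above as a repeatable script with a leak check, added here as an example and not part of the original article. The function names, the temporary directory standing in for $CATALINA_HOME and the sample error-page footers are constructed assumptions.

```shell
#!/bin/sh
# Added example. Paths, banner text and the sample error pages are constructed.

VERSION_RE='Apache Tomcat/[0-9]+(\.[0-9]+)+'

# leaks_version FILE: succeed if FILE contains a Tomcat version banner.
leaks_version() {
    grep -Eq "$VERSION_RE" "$1"
}

# write_override CATALINA_HOME BANNER: create the ServerInfo.properties
# override from the article. Refuses a banner that still carries a version.
write_override() {
    home=$1; banner=$2
    [ -d "$home/lib" ] || { echo "error: $home/lib not found" >&2; return 1; }
    if printf '%s\n' "$banner" | grep -Eq "$VERSION_RE"; then
        echo "error: banner still contains a version number" >&2
        return 2
    fi
    dir="$home/lib/org/apache/catalina/util"
    mkdir -p "$dir" || return 1
    printf 'server.info=%s\n' "$banner" > "$dir/ServerInfo.properties"
}

# effective_banner CATALINA_HOME: print the overriding server.info value.
effective_banner() {
    sed -n 's/^server\.info=//p' \
        "$1/lib/org/apache/catalina/util/ServerInfo.properties"
}

# Demo against a throwaway directory standing in for $CATALINA_HOME.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/lib"
    # Constructed footer of a default error page before the change.
    printf '<h3>Apache Tomcat/7.0.35</h3>\n' > "$tmp/before.html"
    write_override "$tmp" 'Apache Tomcat Version X' || return 1
    # Simulated footer after the restart: it carries the overriding value.
    printf '<h3>%s</h3>\n' "$(effective_banner "$tmp")" > "$tmp/after.html"
    leaks_version "$tmp/before.html" && echo "before: version exposed"
    leaks_version "$tmp/after.html"  || echo "after: version hidden"
    rm -rf "$tmp"
}
demo
```

On a real server, save an error page to a file after the restart and pass it to leaks_version to confirm the change took effect.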
http://www.thegeekstuff.com/2013/08/hide-tomcat-version-number

Which is the best way to mask / hide tomcat version from error pages?
http://stackoverflow.com/questions/2266475/which-is-the-best-way-to-mask-hide-tomcat-version-from-error-pages

Could somebody please let me know which of the following two approaches is recommended and why:

- Make the necessary changes to ServerInfo.properties
- Define "error-page" in web.xml

asked Feb 15 '10 at 14:18 by user41536, edited Feb 15 '10 at 17:12 by BalusC

3 Answers

Answer (Nate, answered Feb 15 '10 at 14:48):

I'd make the changes to ServerInfo.properties regardless - there may be other places to get the version information than only error pages. (Maybe someone leaves up the default home page, samples, etc. and these may have it.)

Define error pages in your web app if you want - a quicker option may be to globally change your default error pages by specifying it in CATALINA_HOME/conf/web.xml - this will use your new specified error pages by default even if a developer forgets to specify error pages for their app.

Answer (edited Feb 16 '10 at 1:17):

Changing ServerInfo.properties is the most secure. If you for example have deployed a webapp on http://example.com/contextname, one could still get a 404 by http://example.com/blah or so. One could also get it programmatically by using a robot to send a request with an unsupported method (which returns 503 error page).

That said, I honestly don't see any valid reasons to hide Tomcat version from it. This information actually adds no value for "normal users". It also doesn't stop any hacker from trying everything to get it down or exploit security holes (if there were any...). They don't worry about whether the version is displayed or not. For the "normal users" I would still use a custom error page which is a bit more integrated in the style of the webapp in question so that it is less "scary" and thus improves user experience.
http://grokbase.com/t/tomcat/users/101fm1je78/hide-tomcat-version-from-default-error-page

From: massive.boisson
Subject: Hide Tomcat Version From Default Error Page

I read that I can hide server version ("Apache Tomcat/6.0.20") by some setting in server.xml / Connector on version 6.0.20.
But I have not been able to find any such setting in the docs (like here: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html) or anywhere else.
Any ideas?
Thanks
--
MB

9 responses

Caldarale, Charles R, Jan 15, 2010 at 5:41 pm:

> From: massive.boisson
> Subject: Hide Tomcat Version From Default Error Page
>
> I read that I can hide server version ("Apache Tomcat/6.0.20") by some setting in server.xml / Connector on version 6.0.20.

The paranoid among us should look at the server attribute for :
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

- Chuck