Hi, for this kind of reason we included in TomEE
http://svn.apache.org/repos/asf/tomee/tomee/trunk/tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/valve/MinimumErrorReportValve.java
It would be great to get it in Tomcat OOTB.

Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau

2014-04-09 18:36 GMT+02:00 Nick Bunn <thrain...@gmail.com>:
> Good Day,
> As I'm sure you are all aware, when the default error valve returns its
> report it publishes the Tomcat version and some other troubleshooting data.
> This of course breaks one of my security team's rules and also is published
> as an item that needs to be remediated when hardening Tomcat (OWASP -
> goo.gl/Zr9xso ). When using the OWASP solution of replacing the
> serverInfo.properties file it can and will break tools/code that uses that
> information (in my case our deployment agent). The other two solutions are to
> create our own valve and just change it to the default error valve or
> override the status code at the HTTPD server (which broke our JSON and SOAP
> requests that were providing valid 4XX and 5XX). That being said, why not
> just have the capability to disable this information in the current error
> valve? This way we are not requiring users to override their
> serverinfo.properties or create some custom error valve they will have to
> maintain. Thoughts?
>
> Attached is a simple patch to version 7.0.x. Can easily be ported to
> 8.0.x as not much has changed. You would then just add the below to your
> server.xml
>
> <Valve className="org.apache.catalina.valves.ErrorReportValve"
>        showReport="false" showServerInfo="false" />
>
>
> Thanks,
> Nick Bunn
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
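
A configuration check for the setting proposed in the quoted message, as an added example that is not part of the original thread or of Tomcat's code: it parses a `server.xml` and reports every `Host` whose `ErrorReportValve` does not set both `showReport` and `showServerInfo` to `false`. The attribute names come from the snippet in the thread; the sample file, the host names, the function name `audit_error_valves`, and the assumptions that the valve sits directly under `Host` and that an absent attribute means disclosure is on are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"
# Attribute names as proposed in the patch discussed above; an absent
# attribute is treated as "true" (assumption: disclosure is the default).
REQUIRED_FALSE = ("showReport", "showServerInfo")

# Constructed sample server.xml, not taken from a real deployment.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false" />
      </Host>
      <Host name="api.example.test" appBase="api">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" />
      </Host>
      <Host name="legacy.example.test" appBase="legacy" />
    </Engine>
  </Service>
</Server>
"""

def audit_error_valves(server_xml: str) -> dict:
    """Map each Host name to the settings that still expose error details."""
    findings = {}
    for host in ET.fromstring(server_xml).iter("Host"):
        name = host.get("name", "<unnamed>")
        # Assumption: only valves declared directly under the Host are checked.
        valves = [v for v in host.findall("Valve")
                  if v.get("className") == ERROR_VALVE]
        if not valves:
            findings[name] = ["no ErrorReportValve configured"]
            continue
        leaks = [attr for v in valves for attr in REQUIRED_FALSE
                 if v.get(attr, "true").strip().lower() != "false"]
        if leaks:
            findings[name] = leaks
    return findings

if __name__ == "__main__":
    for host, issues in audit_error_valves(SAMPLE_SERVER_XML).items():
        print(f"{host}: {', '.join(issues)}")
```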