Question
Could somebody please let me know which of the following two approaches is recommended and why :
Make the necessary changes to ServerInfo.properties
Define "error-page" in web.xml
Answer 1:
The answers are a bit outdated, so: if you're using a Tomcat 6 or newer (I've tested on Tomcat 7) you can use the ErrorReportValve to achieve the same in a way that is much easier to configure and maintain. Just add the following lines to the Host section of your server.xml (where you should already have the AccessLogValve):
<Valve className="org.apache.catalina.valves.ErrorReportValve"
       showReport="false"
       showServerInfo="false"/>
In this way you are hiding the server info and (because of the optional showReport=false) also the stack traces.
You can read more about this in the Security How To and in the documentation of the Error Report Valve.
Answer 2:
I'd make the changes to ServerInfo.properties regardless - there may be other places to get the ServerInfo.properties version information than only error pages. (Maybe someone leaves up the default home page, samples, etc. and these may have it.)
Define error pages in your web app if you want - a quicker option may be to globally change your default error pages by specifying it in CATALINA_HOME/conf/web.xml - this will use your new specified error pages by default even if a developer forgets to specify error pages for their app.
Answer 3:
Changing ServerInfo.properties is the most secure. If you for example have deployed a webapp on http://example.com/contextname, one could still get a 404 by http://example.com/blah or so. One could also get it programmatically by using a robot to send a request with an unsupported method (which returns a 503 error page).
That said, I honestly don't see any valid reasons to hide Tomcat version from it. This information actually adds no value for "normal users". It also doesn't stop any hacker from trying everything to get it down or exploit security holes (if there were any...). They don't worry about whether the version is displayed or not. For the "normal users" I would still use a custom error page which is a bit more integrated in the style of the webapp in question so that it is less "scary" and thus improves user experience.
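Whichever of the approaches above you pick, it is worth verifying afterwards that no error response still carries the version banner. The following check is an added example, not code from any of the answers; the two sample responses are constructed approximations of a default and a hardened Tomcat 404 page, and the header names checked are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Banner printed by the default error report page and fed from
# ServerInfo.properties, e.g. "Apache Tomcat/7.0.42".
TOMCAT_BANNER = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)+)")

Response = Tuple[Dict[str, str], str]  # (headers, body)


def find_version_leak(headers: Dict[str, str], body: str) -> Optional[str]:
    """Return the first Tomcat version string exposed by a response, or None.

    Headers are checked as well as the body: a custom error-page or
    showServerInfo="false" only removes the banner from the HTML, while
    an operator may have put a version into the Server header themselves.
    """
    for name in ("Server", "X-Powered-By"):  # assumed header names to inspect
        m = TOMCAT_BANNER.search(headers.get(name, ""))
        if m:
            return m.group(1)
    m = TOMCAT_BANNER.search(body)
    return m.group(1) if m else None


def audit(responses: Dict[str, Response]) -> List[str]:
    """Return the names of the captured responses that still leak a version."""
    return [name for name, (hdrs, body) in responses.items()
            if find_version_leak(hdrs, body) is not None]


# Constructed sample: a default Tomcat 7 style 404 page before hardening.
DEFAULT_404: Response = (
    {"Server": "Apache-Coyote/1.1"},
    "<html><head><title>Apache Tomcat/7.0.42 - Error report</title></head>"
    "<body><h1>HTTP Status 404 - /blah</h1>"
    "<p><b>description</b> <u>The requested resource is not available.</u></p>"
    "<h3>Apache Tomcat/7.0.42</h3></body></html>",
)
# Constructed sample: the same request after showServerInfo="false",
# an edited ServerInfo.properties, or a custom error-page in web.xml.
HARDENED_404: Response = (
    {"Server": "Apache-Coyote/1.1"},
    "<html><head><title>Not found</title></head>"
    "<body><h1>HTTP Status 404 - /blah</h1></body></html>",
)

if __name__ == "__main__":
    print(audit({"default-404": DEFAULT_404, "hardened-404": HARDENED_404}))  # ['default-404']
```

Feed it the headers and bodies captured from your own server's 404, 405 and 500 responses after the change to confirm each one comes back clean.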
Source: https://stackoverflow.com/questions/2266475/which-is-the-best-way-to-mask-hide-tomcat-version-from-error-pages