tomcat-dev mailing list archives

From Romain Manni-Bucau <>
Subject Re: ErrorValve enhancement
Date Wed, 09 Apr 2014 17:36:50 GMT

for this kind of reason we included in tomee

would be great to get it in tomcat OOTB.

Romain Manni-Bucau
Twitter: @rmannibucau

2014-04-09 18:36 GMT+02:00 Nick Bunn <>:
> Good Day,
> As I'm sure you are all aware, when the default error valve returns its
> report it publishes the tomcat version and some other troubleshooting data.
> This of course breaks one of my security team's rules and also is published
> as an item that needs to be remediated when hardening tomcat (OWASP -
> ). When using the OWASP solution of replacing the
> file it can and will break tools/code that uses that
> information (in my case our deployment agent). The other two solutions are to
> create our own valve and just change it to the default error valve or
> override the status code at the HTTPD server (which broke our JSON and SOAP
> requests that were providing valid 4XX and 5XX). That being said, why not
> just have the capability to disable this information in the current error
> valve? This way we are not requiring users to override their
> or create some custom error valve they will have to
> maintain. Thoughts?
> Attached is a simple patch to version 7.0.x. Can easily be ported to
> 8.0.x as not much has changed. You would then just add the below to your
> server.xml
> <Valve className="org.apache.catalina.valves.ErrorReportValve"
> showReport="false" showServerInfo="false" />
> Thanks,
> Nick Bunn

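A check for the setting proposed in this thread, as an added example that is not part of the original messages or of Tomcat's code: it parses a server.xml and lists, per Host, which of the two attributes are not set to "false". The sample file, the host names and the function name `audit_error_valves` are constructed for illustration; it assumes the valve is declared directly under `<Host>` and that an unset attribute leaves the detail visible.

```python
import xml.etree.ElementTree as ET

ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"
ATTRS = ("showReport", "showServerInfo")  # attribute names from the message above

# Constructed sample server.xml: one hardened Host, one partially set, one default.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false" />
      </Host>
      <Host name="api.example.test" appBase="api">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" />
      </Host>
      <Host name="legacy.example.test" appBase="legacy" />
    </Engine>
  </Service>
</Server>"""


def audit_error_valves(server_xml):
    """Return {host name: [attributes not set to "false"]} for every <Host>."""
    findings = {}
    for host in ET.fromstring(server_xml).iter("Host"):
        valves = [v for v in host.findall("Valve")
                  if v.get("className") == ERROR_VALVE]
        if not valves:
            # Assumption: with no explicit valve the defaults apply,
            # so both details are treated as exposed.
            findings[host.get("name")] = list(ATTRS)
            continue
        valve = valves[0]
        # An attribute that is absent counts as exposed (assumed default "true").
        findings[host.get("name")] = [
            a for a in ATTRS if valve.get(a, "true").strip().lower() != "false"
        ]
    return findings


if __name__ == "__main__":
    for name, exposed in audit_error_valves(SAMPLE_SERVER_XML).items():
        print(name, "OK" if not exposed else "exposes: " + ", ".join(exposed))
```

An empty list for a Host means both attributes are explicitly disabled there; any other result names what that Host's error pages would still reveal.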