From: Romain Manni-Bucau
Date: Wed, 9 Apr 2014 19:36:50 +0200
Subject: Re: ErrorValve enhancement
To: Tomcat Developers List

Hi

for this kind of reason we included in tomee
http://svn.apache.org/repos/asf/tomee/tomee/trunk/tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/valve/MinimumErrorReportValve.java

would be great to get it in tomcat OOTB.

Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau

2014-04-09 18:36 GMT+02:00 Nick Bunn:
> Good Day,
> As I'm sure you are all aware, when the default error valve returns its
> report it publishes the tomcat version and some other troubleshooting data.
> This of course breaks one of my security team's rules and also is published
> as an item that needs to be remediated when hardening tomcat (OWASP -
> goo.gl/Zr9xso). When using the OWASP solution of replacing the
> serverInfo.properties file it can and will break tools/code that uses that
> information (in my case our deployment agent). The other two solutions are to
> create our own valve and just change it to the default error valve or
> override the status code at the HTTPD server (which broke our JSON and SOAP
> requests that were providing valid 4XX and 5XX). That being said, why not
> just have the capability to disable this information in the current error
> valve? This way we are not requiring users to override their
> serverinfo.properties or create some custom error valve they will have to
> maintain. Thoughts?
>
> Attached is a simple patch to version 7.0.x. Can easily be ported to
> 8.0.x as not much has changed. You would then just add the below to your
> server.xml
>
> showReport="false" showServerInfo="false" />
>
>
> Thanks,
> Nick Bunn
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
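
A configuration check for the hardening discussed in this thread, added here as an example and not part of either message or of the attached patch. It audits a server.xml for Hosts whose error pages would still show the report or server info. The attribute names showReport and showServerInfo are the ones proposed above; the sample file, the host names, and the assumption that an unset attribute behaves as "true" are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample server.xml: one Host relies on the implicit default
# valve, one sets both flags from the thread, one sets only one of them.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
      <Host name="api.example.test" appBase="api">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
      <Host name="admin.example.test" appBase="admin">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showServerInfo="false"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

def audit_error_valves(server_xml):
    """Return {host name: [flags not set to "false"]} for exposed Hosts."""
    findings = {}
    for host in ET.fromstring(server_xml).iter("Host"):
        name = host.get("name", "<unnamed>")
        # A Host can name a replacement error valve class (the custom-valve
        # route mentioned in the thread); this check only knows the stock one.
        custom = host.get("errorReportValveClass")
        if custom and custom != ERROR_VALVE:
            continue
        valves = [v for v in host.findall("Valve")
                  if v.get("className") == ERROR_VALVE]
        # Assumption: with no explicit valve, or an unset flag, the stock
        # valve keeps showing the report and the server info.
        attrs = valves[0].attrib if valves else {}
        exposed = [a for a in ("showReport", "showServerInfo")
                   if attrs.get(a, "true").strip().lower() != "false"]
        if exposed:
            findings[name] = exposed
    return findings

if __name__ == "__main__":
    for host, flags in audit_error_valves(SAMPLE_SERVER_XML).items():
        print(f"{host}: error page still exposes {', '.join(flags)}")
```

Hosts that declare their own errorReportValveClass are skipped rather than passed, so they still need a manual look at what that class renders.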