Removing Tomcat version from error pages

 
Cliff Jefferson
Greenhorn
Posts: 4
The default error page in my Tomcat has the version of Tomcat on it when it displays. It is a finding on my security audit that the version should not be displayed. I have updated the web.xml to have the xpoweredby set to false, but it still shows up. Anyone have another thought on removing the Tomcat version string from the Tomcat error pages?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65535
You can configure your own error page(s) in the deployment descriptor. That's really the only way to exert complete control over what gets displayed.

 
Cliff Jefferson
Greenhorn
Posts: 4
Perfect, I was hoping for something like that. Can you tell me where I would do that? I am new to using Tomcat and want to make sure to not break anything.
Thanks
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65535
It's nothing specific to Tomcat, but part of the Servlet specification.

To get you started, here's an example snippet from one of my web apps. You can also configure error pages for specific exceptions.

The error handling servlet gathers all the error information that it can, produces a log entry for debug use, and then forwards to a JSP page that's branded as appropriate for the app and shows only what information is deemed appropriate.

Sometimes, that's not much as end users don't need to see things like stack traces. For example, if you get a 404 in my implementation of the game BlackBox™, you get this.
 
Tim Holloway
Bartender
Posts: 18419
I just checked the schema for web.xml and it appears that you can define a generic error-page by omitting both error-code and exception-type elements, which would ensure that unexpected errors didn't expose the info that you wish to keep hidden.

Unfortunately, that's an inference based on what makes the web.xml valid XML rather than a stated property, so I recommend experimenting. Let us know what you find!
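
Added example, not part of any post in this thread: a `WEB-INF/web.xml` deployment descriptor that maps specific status codes, an exception type, and a default (catch-all) error page, so the container's built-in report with its version string is not shown for errors raised inside the application. The `/error/...` locations are hypothetical paths, and the Servlet 3.1 descriptor version is an assumption (the default error page with no `error-code` or `exception-type` is defined from Servlet 3.0 on).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Specific status codes: each gets its own branded page.
       The locations below are hypothetical; they are resolved
       relative to the web application root and must start with "/". -->
  <error-page>
    <error-code>404</error-code>
    <location>/error/not-found.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/error/server-error.html</location>
  </error-page>

  <!-- Specific exception type: any uncaught Throwable is routed here
       instead of producing a stack trace in the response. The target
       can be a servlet or JSP that logs the details server-side and
       renders only what an end user should see. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error/server-error.html</location>
  </error-page>

  <!-- Default error page: no error-code and no exception-type.
       Used for every status code or exception not matched above
       (for example 400, 403, 405, 503). -->
  <error-page>
    <location>/error/generic.html</location>
  </error-page>

</web-app>
```

These mappings apply only to requests handled by this web application. Responses Tomcat generates outside it still use the container's own report, which is controlled by the `showReport` and `showServerInfo` attributes of the `ErrorReportValve` in `server.xml`.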
 