Removing Tomcat version from error pages

 
Greenhorn
Posts: 4
The default error page in my Tomcat has the version of Tomcat on it when it displays. It is a finding on my security audit that the version should not be displayed. I have updated the web.xml to have the xpoweredby set to false, but it still shows up. Anyone have another thought on removing the Tomcat version string from the Tomcat error pages?
 
Sheriff
Posts: 67747
You can configure your own error page(s) in the deployment descriptor. That's really the only way to exert complete control over what gets displayed.

 
Cliff Jefferson
Greenhorn
Posts: 4
Perfect, I was hoping for something like that. Can you tell me where I would do that? I am new to using Tomcat and want to make sure to not break anything.
Thanks
 
Bear Bibeault
Sheriff
Posts: 67747
It's nothing specific to Tomcat, but part of the Servlet specification.

To get you started, here's an example snippet from one of my web apps. You can also configure error pages for specific exceptions.

The error handling servlet gathers all the error information that it can, produces a log entry for debug use, and then forwards to a JSP page that's branded as appropriate for the app and shows only what information is deemed appropriate.

Sometimes, that's not much as end users don't need to see things like stack traces. For example, if you get a 404 in my implementation of the game BlackBox™, you get this.
 
Saloon Keeper
Posts: 27807
I just checked the schema for web.xml and it appears that you can define a generic error-page by omitting both error-code and exception-type elements, which would ensure that unexpected errors didn't expose the info that you wish to keep hidden.

Unfortunately, that's an inference based on what makes the web.xml valid XML rather than a stated property, so I recommend experimenting. Let us know what you find!
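
A sketch of the deployment-descriptor setup discussed in the replies above, added here as an example and not taken from any poster's application. The servlet name, class `com.example.web.ErrorHandlerServlet` and the `/error` path are hypothetical, and the final catch-all entry assumes a Servlet 3.0 or later descriptor, whose schema allows `error-page` without `error-code` or `exception-type`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml of the application (example; names are hypothetical) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Hypothetical handler: logs the error details server-side, then
       forwards to a branded JSP that shows no container details -->
  <servlet>
    <servlet-name>errorHandler</servlet-name>
    <servlet-class>com.example.web.ErrorHandlerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>errorHandler</servlet-name>
    <url-pattern>/error</url-pattern>
  </servlet-mapping>

  <!-- Specific HTTP status codes -->
  <error-page>
    <error-code>404</error-code>
    <location>/error</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/error</location>
  </error-page>

  <!-- Any uncaught exception thrown by application code -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error</location>
  </error-page>

  <!-- Generic entry: no error-code and no exception-type, so it covers
       statuses not listed above (assumes a 3.0+ descriptor) -->
  <error-page>
    <location>/error</location>
  </error-page>
</web-app>
```

The descriptor applies only to the web application it ships in. After deploying, request a nonexistent URL and confirm the response body no longer contains the version string.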