2013年6月20日 星期四

HOWTO: Remove the X-Powered-By Header in JBoss


This HOWTO was taken directly from a blog post written by me back in February, 2011. It has been edited and expanded to include JBoss Application Server versions up to version 7.1. Adapting them for JBoss Enterprise Application Platform versions should be simply a matter of determining which version of JBoss App Server - Community your version of JBoss EAP is based on.

Before Beginning

JBoss inserts an X-Powered-By header in every HTTP response header. Normally, this includes information like the Servlet specification that JBoss complies with, the JBoss app server version number, a build number, and the version of tomcat or jboss web that the app server utilizes. Some security scanners and professionals like to see this information removed or suppressed—the concern being that attackers may be able to provide more targeted attacks against your servers. Instructions for removing the X-Powered-By header are below but the techniques vary depending upon the version of JBoss you are running.

JBoss 4.2

Suppressing the X-Powered-By header in JBoss 4.2.x can be done by modifying the web.xml file located in${jboss.home}/server/${server.instance.name}/deploy/jboss-web.deployer/conf/.  For example, if you are using the 'default' instance and running jboss 4.2.3 from /usr/local, the path to the configuration file would be /usr/local/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/conf/.  Locate the Common Filter Configuration line (line 25 on a stock 'default' server instance configuration file) and comment out the lines for the init-paramparam-name, and param-value entries.  Example below
1
2  <filter>
3     <filter-name>CommonHeadersFilter</filter-name>
4     <filter-class>org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
5  
6  
7  
8  
9  </filter>
Restart JBoss and the header will no longer show up.

JBoss 5.0 & JBoss 5.1

The web.xml file that needs to be updated is located in a different location than with JBoss 4,2 but the technique is the same. To suppress the X-Powered-By header under JBoss 5.0, comment out the init-paramparam-name, and param-value line entries from the web.xml located in${jboss.home}server/${server.instance.name}/deployers/jbossweb.deployer/.
01
02  <filter>
03     <filter-name>CommonHeadersFilter</filter-name>
04     <filter-class>
05        org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
06  
07  
08  
09  
10  
Once you have made the configuration changes, restart JBoss so they can take effect.

JBoss 6.0, JBoss 7.0, JBoss 7.1

In order to suppress the X-Powered-By header in JBoss 6, 7, or 7.1, you no longer make changes to web.xml files but instead modify the catalina.properties file included with your server instance. Edit thecatalina.properties file located in${jboss.home}/server/${server.instance.name}/deploy/jbossweb.sar/.  Locate the property named:org.apache.catalina.connector.X_POWERED_BY and set its value to false. Restart the server and you're all set.

沒有留言: