Servlet spec 2.4 describes what you're looking for in section SRV 9.9.2
with more info in SRV.13.4 on how to configure it.  Essentially you're
looking for this in web.xml:

<error-page>
  <error-code>404</error-code>
  <location>/some/error/page.jsp</location>
</error-page>

There's also a version for dealing with exceptions:

<error-page>
  <exception-type>java.io.IOException</exception-type>
  <location>/some/error/page.jsp</location>
</error-page>

Just make sure you use this at the top of your web.xml file to ensure you
get spec 2.4 processing:

<!-- Servlet 2.4 root element; the xsi namespace must be www.w3.org
     (not www.w3c.org) or schema validation of web.xml will fail -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
                 version="2.4">

--David

Paul Singleton wrote:

> Peter Crowther wrote:
>
>>> From: Paul Singleton [mailto:[EMAIL PROTECTED] 
>>
>
>>> Is it possible to configure Tomcat (5.5.9) so that a
>>> moderately able hacker couldn't figure out what is
>>> serving up our web apps?
>>
>
>> It's possible to add the 'server' attribute to the connector definition
>> for the HTTP connector; server="BogoMAX v0.1 testing" should anonymise
>> the single most obvious piece of information, but pick your own string
>> so that when the hacker searches Google for the string they don't find
>> this post.  See
>> http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/http.html for
>> details.
>>
>> It's possible that a more able hacker could also gain information from
>> the usual range of specially-crafted invalid TCP packets [so use a
>> decent firewall in front of the app server that detects and drops
>> these], from traffic analysis of the way in which the app server returns
>> data in the case of buffered and unbuffered pages, and likely from other
>> techniques that I've not considered.
>
>
> OK, thanks for this.  My standalone 5.5.9 setup sends (according to
> LiveHTTPHeaders)
>
>   Server: Apache-Coyote/1.1
>
> (?) but there's another giveaway: request a non-existent page
> and you get
>
>   HTTP Status 404 - /myapp/nonexistent
>
>   type Status report
>
>   message /myapp/nonexistent
>
>   description The requested resource (/myapp/nonexistent) is
>   not available.
>   Apache Tomcat/5.5.9
>
> so I'm searching the docs for a clue about suppressing this
> (nothing in Server Configuration Reference so far).
>
> But I'm worried that there might be other telltales, e.g.
> buried in the code which responds to bad HTTP requests or
> whatever?
>
> I'm not paranoid, but some of our customers are :-) and we
> have to be prepared to be reasonably diligent about these
> things.  So I was hoping that someone, somewhere had already
> delved into this?
>
> Paul Singleton
>
>
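A complete web.xml that puts the two error-page forms from David's reply together with the 2.4 header, added here as an example (it is not from David's or Paul's posts and not Tomcat's own code). The file name /error.html is an assumption: a static page in the web application root that says nothing about the container.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: Servlet 2.4 web.xml that routes the conditions Tomcat
     would otherwise answer with its stock "HTTP Status 404 ... Apache
     Tomcat/5.5.9" report page to a neutral static page.
     /error.html is an assumed file in the web application root. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <display-name>myapp</display-name>

  <!-- Status-code mappings: every code that would otherwise produce the
       default report page gets the same neutral page. -->
  <error-page>
    <error-code>403</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <error-code>404</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/error.html</location>
  </error-page>

  <!-- Exception mapping: java.lang.Throwable is the root of the exception
       hierarchy, so one entry covers every uncaught exception, including
       the ones that would otherwise put a stack trace in the 500 page. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
  </error-page>
</web-app>
```

A static HTML location is preferable to a JSP here: if the error page itself fails (for example a JSP that does not compile), the container falls back to its default report page and the version string is back. Note also that web.xml is per web application, so each deployed application, ROOT included, needs its own mappings, and that these only change the response body; the "Server: Apache-Coyote/1.1" header is a Connector setting in server.xml, as Peter describes above. After deploying, request a non-existent path and check both the body and the headers rather than assuming the change took.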
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]