Hi Allan

I would not be too concerned about Server being a standard header - it is of purely informative purpose anyway so if dropping it can improve something for the server then it is worth it :-)

Cheers, Sergey

On 30/08/16 04:25, Allan C. wrote:
Hi Sergey,

I've tested the setup you mentioned, cxf-jetty for the sendServerVersion
parameter. It is working as expected, thus I believe for my case that runs
on Karaf, I think the parameter needs to be made available on pax-web
module.

But after reading through a bit here and there, I realized the Server
header is actually a standard that is expected from an HTTP service. Thus,
I've decided to let it be.

My initial intention to hide the Server header was to obfuscate what Server
I am using for potential attackers. I don't know how much it would deter
attackers. It might not be a good strategy, but not sure what else I can
sort of improve on security wise.

Regards,
Allan C.

On Mon, Jul 18, 2016 at 6:14 PM, Allan C. <allan...@gmail.com> wrote:

Noted. Will get you posted.

Regards,
Allan C.

On Mon, Jul 18, 2016 at 5:21 PM, Sergey Beryozkin <sberyoz...@gmail.com>
wrote:

Hi

It is confusing indeed. Perhaps, in Karaf, it is only jetty.xml that can
be used to turn off sending Server headers, or maybe jetty.xml default
values override whatever is set in httpj.
Please experiment if you get a chance with a standalone CXF Jetty
endpoint outside of Karaf to see if httpj sendServerVersion can be made
effective.

Cheers, Sergey


On 18/07/16 11:56, Allan C. wrote:

I see. I am using an absolute HTTP address.

I am confused because if it is an SSL 443 port, the
"httpj:tlsServerParameters" configuration seems to be working so I thought
it is using the httpj configuration.

Regards,
Allan C.

On Mon, Jul 18, 2016 at 3:58 PM, Sergey Beryozkin <sberyoz...@gmail.com>
wrote:

Hi

AFAIK the below configuration is only applicable if you use an absolute
HTTP address in which case an embedded/standalone Jetty instance is
created, if you use a relative address then it is a servlet bound to
Jetty-powered HTTP service and hence jetty.xml is effective

Cheers, Sergey

On 18/07/16 10:39, Allan C. wrote:

Hi Sergey,

I did another test running just jetty9 (configured using jetty.xml) and
fiddled with both sendServerVersion and sendDateHeader parameters. It seems
to be working as expected.

When I use CXF JAXRS server, the parameter seems to be ignored. Here is my
CXF jetty configuration part.

      <httpj:engine-factory id="httpjEngine">
          <httpj:engine port="80" sendServerVersion="false">
              <httpj:threadingParameters minThreads="8" maxThreads="16" />
          </httpj:engine>
      </httpj:engine-factory>

Could you maybe give me a hint on which class/jar I should most probably
look into in more detail?

JettyHTTPServerEngineConfigType in cxf-rt-transports-http-jetty, but as I
said it is probably not used


Cheers, Sergey


Regards,
Allan C.

On Mon, Jul 18, 2016 at 3:00 PM, Allan C. <allan...@gmail.com> wrote:

Noted. Thanks for the info!


Regards,
Allan C.

On Mon, Jul 18, 2016 at 2:35 PM, Sergey Beryozkin <
sberyoz...@gmail.com>
wrote:

Hi

On 18/07/16 05:58, Allan C. wrote:

Hi,


I have a jax-rs server configured up and running in a blueprint
container.
All good except a couple of minor tweaks left.

When I test the service, the HTTP header "Date" appears twice. For
instance:

HTTP/1.1 401 Unauthorized
Date: Mon, 18 Jul 2016 02:50:09 GMT
Date: Mon, 18 Jul 2016 02:50:09 GMT


As it happens I've been looking into this issue last week. It only
happens on Jetty (not on Tomcat) - with Jetty ignoring the fact the
higher-level application sets Date (JAX-RS runtime must set Date) and
setting its own Date.

However, CXF uses HttpServletResponse.addHeader(). This is usually needed
when a header has multiple values but otherwise
HttpServletResponse.setHeader() is fine - making this minor update fixed a
duplicate Date header issue on Jetty, CXF 3.1.7 will have it all sorted.

Content-Length: 0

Server: Jetty(9.2.15.v20160210)

Another is that although I've set sendServerVersion="false", it still returns
the "Server" header. Any ideas what I've missed? Appreciate your response.

Not sure, but it is entirely a Jetty configuration issue


Cheers, Sergey

Regards,

Allan C.







--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/
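
The two symptoms discussed in this thread (a second Date field when the application appends with addHeader() instead of replacing with setHeader(), and a Server field that carries the Jetty version) can be checked for on a captured response. The following is an added example, not part of the original messages and not CXF or Jetty code; the Response class is a simplified stand-in for servlet header handling, and the order in which the container and the application write Date is an assumption of the model.

```python
# Added example: constructed model and data, not CXF or Jetty source code.
import re

SINGLETON = {"date", "server", "content-length"}  # headers that carry one value

class Response:
    """Tiny stand-in for HttpServletResponse header handling (assumed model)."""
    def __init__(self):
        self.headers = []                     # ordered (name, value) pairs
    def add_header(self, name, value):        # addHeader(): appends another field
        self.headers.append((name, value))
    def set_header(self, name, value):        # setHeader(): replaces existing fields
        self.headers = [(n, v) for n, v in self.headers if n.lower() != name.lower()]
        self.headers.append((name, value))
    def raw(self, status="HTTP/1.1 401 Unauthorized"):
        return "\r\n".join([status] + [f"{n}: {v}" for n, v in self.headers]) + "\r\n\r\n"

def audit(raw):
    """Return findings for a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]   # drop the status line
    seen, findings = {}, []
    for line in head:
        name, _, value = line.partition(":")
        seen.setdefault(name.strip().lower(), []).append(value.strip())
    for name in sorted(SINGLETON):
        if len(seen.get(name, [])) > 1:
            findings.append(f"duplicate {name} header ({len(seen[name])} fields)")
    for value in seen.get("server", []):
        if re.search(r"\d+\.\d+", value):     # product token carries a version
            findings.append(f"server version disclosed: {value}")
    return findings

def build(container_sets_date, app_call, send_server_version):
    """Build a constructed response modeled on the one quoted in the thread."""
    r = Response()
    stamp = "Mon, 18 Jul 2016 02:50:09 GMT"   # constructed sample value
    if container_sets_date:
        r.add_header("Date", stamp)           # container writes its own Date
    getattr(r, app_call)("Date", stamp)       # application writes Date too
    r.add_header("Content-Length", "0")
    if send_server_version:
        r.add_header("Server", "Jetty(9.2.15.v20160210)")
    return r.raw()

if __name__ == "__main__":
    for args in [(True, "add_header", True), (True, "set_header", False)]:
        print(args, audit(build(*args)))
```
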
