JBoss series, part 88: JBoss security issues - how to hide the JBossWeb version information shown on web application error pages

Overview

Web application errors and other abnormal conditions usually produce a 403, 404 or 500 status. If a web application deployed on JBoss does not handle its own error pages, the error page shown when an error occurs looks like this:




The error page contains two pieces of identifying information:

  • The page header (the HTML title) shows the JBossWeb version
  • The page body also shows the JBossWeb version
In production this causes a security problem: an attacker learns that the server is JBoss and can then look up JBoss-specific vulnerabilities to attack the service. This article shows how to hide this information and avoid such attacks.

How to Hide

There are three steps:

First: override org.apache.catalina.valves.ErrorReportValve from JBossWeb. For example:

package org.jboss.web.values;

import java.io.IOException;
import java.io.Writer;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ErrorReportValve;
import org.apache.catalina.util.RequestUtil;

/**
 * ErrorReportValve that renders only the status line. Unlike the stock valve it
 * does not put ServerInfo (the JBossWeb version) into the title or the footer.
 * The inherited fields sm (StringManager) and container come from ErrorReportValve
 * and ValveBase respectively.
 */
public class CustomErrorReportValve extends ErrorReportValve {

    @Override
    protected void report(Request request, Response response, Throwable throwable) {
        int statusCode = response.getStatus();
        // Nothing to do for non-error statuses or if content was already written.
        if ((statusCode < 400) || (response.getContentCount() > 0)) {
            return;
        }
        // Escape the status message so it cannot inject HTML into the error page.
        String message = RequestUtil.filter(response.getMessage());
        if (message == null) {
            message = "";
        }
        StringBuilder sb = new StringBuilder();
        sb.append("<html><head><title>");
        sb.append(sm.getString("errorReportValve.statusHeader", "" + statusCode, message));
        sb.append("</title>");
        sb.append("<style><!--");
        sb.append(org.apache.catalina.util.TomcatCSS.TOMCAT_CSS);
        sb.append("--></style> ");
        sb.append("</head><body>");
        sb.append("<h1>");
        sb.append(sm.getString("errorReportValve.statusHeader", "" + statusCode, message));
        sb.append("</h1>");
        // Deliberately no "type/message/description" block and no <h3> server footer.
        sb.append("</body></html>");
        try {
            try {
                response.setContentType("text/html");
                response.setCharacterEncoding("utf-8");
            } catch (Throwable t) {
                if (container.getLogger().isDebugEnabled())
                    container.getLogger().debug("status.setContentType", t);
            }
            Writer writer = response.getReporter();
            if (writer != null) {
                // If writer is null, it's an indication that the response has
                // been hard committed already, which should never happen
                writer.write(sb.toString());
            }
        } catch (IOException e) {
            // The client went away; nothing more can be written.
        } catch (IllegalStateException e) {
            // The response was already committed; ignore.
        }
    }
}

Second: compile the rewritten ErrorReportValve and package it as a jar. In this example the compiled jar is CustomErrorReportValve.jar.

Third: configure JBoss

JBoss 7 / WildFly 8 are configured as follows:

1. Place CustomErrorReportValve.jar in your application's WEB-INF/lib directory.

2. Create WEB-INF/jboss-web.xml and add a <valve> element as follows:

<jboss-web>
    <valve>
       <!-- must match the package and class declared in CustomErrorReportValve.java -->
       <class-name>org.jboss.web.values.CustomErrorReportValve</class-name>
    </valve>
</jboss-web>

For JBoss versions before 7, configure as follows:

1. Place CustomErrorReportValve.jar in $JBOSS_HOME/server/$PROFILE/lib.

2. Edit the Host element in $JBOSS_HOME/server/$PROFILE/deploy/jboss-web.deployer/server.xml and add the errorReportValveClass attribute pointing to the rewritten ErrorReportValve, as follows:

<Host name="localhost" errorReportValveClass="org.jboss.web.values.CustomErrorReportValve">
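To confirm the change after deployment, the following check is added here; it is not code from the original post, and its sample responses are constructed rather than captured from a server. It scans one error response (headers plus body) for the container name and version, flagging both the title/footer text the stock valve emits and a Server or X-Powered-By header, which the valve does not touch. Paste the headers and body of a 404 response from the test instance into the two maps/strings to run it against real output.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Scans one HTTP error response (headers plus body) for strings that identify
 * the container and its version. Added check; not part of the original post.
 */
public class ErrorPageLeakCheck {

    // Product names whose presence in Server / X-Powered-By identifies the container.
    private static final Pattern PRODUCT_IN_HEADER =
            Pattern.compile("JBoss|Tomcat|WildFly", Pattern.CASE_INSENSITIVE);

    // Product name followed by a version number inside the HTML, e.g. "JBoss Web/7.0.13".
    private static final Pattern VERSION_IN_BODY =
            Pattern.compile("(JBoss ?Web|Apache Tomcat|WildFly)[^<\\n]*?\\d+(\\.\\d+)*",
                            Pattern.CASE_INSENSITIVE);

    /** Returns every leak found; an empty list means the response is clean. */
    public static List<String> scan(Map<String, String> headers, String body) {
        List<String> findings = new ArrayList<String>();
        for (Map.Entry<String, String> h : headers.entrySet()) {
            String name = h.getKey();
            if (name.equalsIgnoreCase("Server") || name.equalsIgnoreCase("X-Powered-By")) {
                if (PRODUCT_IN_HEADER.matcher(h.getValue()).find()) {
                    findings.add("header " + name + ": " + h.getValue());
                }
            }
        }
        Matcher m = VERSION_IN_BODY.matcher(body);
        while (m.find()) {
            findings.add("body: " + m.group());
        }
        return findings;
    }

    public static boolean isClean(Map<String, String> headers, String body) {
        return scan(headers, body).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample of the page the stock ErrorReportValve renders for a 404:
        // the title and the <h3> footer both carry ServerInfo, i.e. the JBossWeb version.
        String defaultBody =
                "<html><head><title>JBoss Web/7.0.13.Final - Error report</title></head><body>"
              + "<h1>HTTP Status 404 - /missing</h1><HR size=\"1\" noshade=\"noshade\">"
              + "<p><b>type</b> Status report</p><p><b>message</b> <u>/missing</u></p>"
              + "<p><b>description</b> <u>The requested resource (/missing) is not available.</u></p>"
              + "<HR size=\"1\" noshade=\"noshade\"><h3>JBoss Web/7.0.13.Final</h3></body></html>";

        // Constructed sample of what CustomErrorReportValve renders: status line only.
        String hardenedBody =
                "<html><head><title>HTTP Status 404 - /missing</title><style><!-- --></style></head>"
              + "<body><h1>HTTP Status 404 - /missing</h1></body></html>";

        // Constructed headers. Older JBoss releases add an X-Powered-By header naming the
        // container; the valve only changes the body, so such a header must be checked too.
        Map<String, String> leakyHeaders = new LinkedHashMap<String, String>();
        leakyHeaders.put("Content-Type", "text/html;charset=utf-8");
        leakyHeaders.put("X-Powered-By", "Servlet 2.5; JBoss-5.0/JBossWeb-2.1");

        Map<String, String> cleanHeaders = new LinkedHashMap<String, String>();
        cleanHeaders.put("Content-Type", "text/html;charset=utf-8");

        System.out.println("default page:  " + scan(leakyHeaders, defaultBody));
        System.out.println("hardened page: " + scan(cleanHeaders, hardenedBody));
        System.out.println("hardened body, header still set: " + scan(leakyHeaders, hardenedBody));
        System.out.println("hardened page clean? " + isClean(cleanHeaders, hardenedBody));
    }
}
```

The default sample produces three findings (the header plus the version in the title and in the footer); the hardened sample with clean headers produces none. If the third line still reports a header finding on a real server, the version is leaking through the connector configuration rather than the error page, and the valve alone will not hide it.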

Result after hiding

After the change, the error page looks like the figure below:







Reproduced from: https://my.oschina.net/iwuyang/blog/197248

Source: blog.csdn.net/weixin_34308389/article/details/91897378