Could somebody please let me know which of the following two approaches is recommended and why:

  • Make the necessary changes to ServerInfo.properties

  • Define "error-page" in web.xml

+2  A: 

I'd make the changes to ServerInfo.properties regardless - there may be other places to get the ServerInfo.properties version information than only error pages. (Maybe someone leaves up the default home page, samples, etc. and these may have it.)

Define error pages in your web app if you want - a quicker option may be to globally change your default error pages by specifying it in CATALINA_HOME/conf/web.xml - this will use your new specified error pages by default even if a developer forgets to specify error pages for their app.

Nate
+1  A: 

Changing ServerInfo.properties is the most secure. If you for example have deployed a webapp on http://example.com/contextname, one could still get a 404 by http://example.com/blah or so. One could also get it programmatically by using a robot to send a request with an unsupported method (which returns 503 error page).

That said, I honestly don't see any valid reasons to hide Tomcat version from it. This information actually adds no value for "normal users". It also doesn't stop any hacker from trying everything to get it down or exploit security holes (if there were any...). They don't worry about whether the version is displayed or not. For the "normal users" I would still use a custom error page which is a bit more integrated in the style of the webapp in question so that it is less "scary" and thus improves user experience.

BalusC
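
As an added example (not code from either answer), the sketch below writes an override ServerInfo.properties as recommended above and checks a saved response, such as the 404 from a non-existent path, for a leftover version banner. It assumes Tomcat's default `common.loader` order; the banner text, the localhost URL in the comment and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The banner text, the localhost URL and
# the sample responses below are constructed for illustration.

# Write an override ServerInfo.properties under CATALINA_HOME/lib. With the
# default common.loader order (an assumption), the lib directory is searched
# before catalina.jar, so this copy replaces the bundled one after a restart.
write_serverinfo_override() {
    catalina_home=$1
    banner=${2:-Web Server}
    dir="$catalina_home/lib/org/apache/catalina/util"
    mkdir -p "$dir" || return 1
    printf 'server.info=%s\nserver.number=0.0.0.0\nserver.built=unknown\n' \
        "$banner" > "$dir/ServerInfo.properties"
}

# Exit 0 if a saved HTTP response discloses a Tomcat version string.
# Capture one from your own server with, for example:
#   curl -si http://localhost:8080/blah > resp.txt
leaks_tomcat_version() {
    grep -Eq 'Apache Tomcat/[0-9]+(\.[0-9]+)+' "$1"
}

# Demo on constructed data: a default-style 404 page and a custom one.
demo() {
    tmp=$(mktemp -d) || return 1
    write_serverinfo_override "$tmp/tomcat" || return 1
    printf 'HTTP/1.1 404 Not Found\r\n\r\n<h3>Apache Tomcat/9.0.0</h3>\n' \
        > "$tmp/default.txt"
    printf 'HTTP/1.1 404 Not Found\r\n\r\n<h1>Page not found</h1>\n' \
        > "$tmp/custom.txt"
    for f in default custom; do
        if leaks_tomcat_version "$tmp/$f.txt"; then
            echo "$f: version disclosed"
        else
            echo "$f: clean"
        fi
    done
    cat "$tmp/tomcat/lib/org/apache/catalina/util/ServerInfo.properties"
    rm -rf "$tmp"
}
demo
```

Run the check against every entry point that can produce a container-generated page (unknown paths outside any context, default samples), not only the application's own error pages.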
A: 

Thank you. That really helped. I think I will go with the option of globally changing the default error pages by specifying them in CATALINA_HOME/conf/web.xml.

Thanks, Sandhya

Hi! This should have been posted as a **comment** instead of an **answer**. Click `add comment` to post comments on answers. If you like the answer, you should upvote the answer by pressing the *up arrow* on the left hand side. The answer which *actually* helped most in solving the problem (regardless of the amount of votes it got) should be marked as *accepted* by pressing the checkmark on the left hand side.
BalusC