Tuesday, Sept. 07, 2010

Chameleon GlassFish (X-Powered-By: and Server:)

This blog has moved to alexismp.wordpress.com
Follow the link for the most up-to-date version of this blog entry.

With Grizzly at the heart of GlassFish since 2.x and offering great HTTP performance, I see a number of users simply going without any front web server (when the network topology allows for this). This means GlassFish may be exposed directly to the internet. For security reasons (trying not to help attackers), it may be a good idea not to tell the world which server you are running: the two headers shown below let anyone fingerprint the exact product and version with a single HEAD request and look up known issues for it. Keep in mind that this only removes the easiest fingerprinting path, not the issues themselves, so it complements patching rather than replacing it. This is what a user has recently been asking on the forums.

By default, GlassFish returns two HTTP headers that disclose which server is in use (curl -I issues a HEAD request and prints the response headers):

% curl -I http://localhost:8080
HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1

Both headers can be changed in GlassFish. Read on to see how to do so with version 3.0.1.

Let's start with "X-Powered-By". To change this you need to set the xpowered-by HTTP listener property to false (the default is true, to conform to the Servlet specification). You can do this in the admin console (Configuration > Network Config > Network Listeners > http-listener-1 > HTTP), or the CLI way, using the dotted notation in a single command:

asadmin set server.network-config.protocols.protocol.http-listener-1.http.xpowered-by=false

You can also point your HTTP client at the RESTful admin URL http://localhost:4848/management/domain/configs/config/server-config/network-config/protocols/protocol/http-listener-1/http and emit a POST to change the xpowered-by property. No restart is required; you should now see the following complete HEAD response (no more X-Powered-By):

% curl -I http://localhost:8080
HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition 3.0.1
Accept-Ranges: bytes
ETag: W/"5212-1259789398000"
Last-Modified: Wed, 02 Dec 2009 21:29:58 GMT
Content-Type: text/html
Content-Length: 5212
Date: Tue, 07 Sep 2010 10:02:27 GMT

Update: I'm also reminded that you can control the presence of the X-Powered-By header using web.xml for a per-application setting, or using the domain/config/default-web.xml file for every application in the domain. In both cases, set the servlet's xpoweredBy init-param to false.

The second part, maybe the most important, is the "Server" HTTP header, which can be either modified or removed altogether. This involves adding a JVM system property, which means the change requires a server restart. The magic property is called product.name. Again, you could use the admin console (Configuration > JVM Settings > JVM Options) or go the command-line route:

% asadmin create-jvm-options -Dproduct.name="My little server"
% asadmin restart-domain
Successfully restarted the domain
Command restart-domain executed successfully.
% curl -I http://localhost:8080
HTTP/1.1 200 OK
Server: My little server
Accept-Ranges: bytes
ETag: W/"5212-1259789398000"
Last-Modified: Wed, 02 Dec 2009 21:29:58 GMT
Content-Type: text/html
Content-Length: 5212
Date: Tue, 07 Sep 2010 10:20:16 GMT

Finally, you can remove the "Server" header altogether by setting the property to an empty string:

% asadmin create-jvm-options -Dproduct.name=""
% asadmin restart-domain
Successfully restarted the domain
Command restart-domain executed successfully.
% curl -I http://localhost:8080
HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"5212-1259789398000"
Last-Modified: Wed, 02 Dec 2009 21:29:58 GMT
Content-Type: text/html
Content-Length: 5212
Date: Tue, 07 Sep 2010 10:20:36 GMT
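Putting the two changes together, here is an added example script (not code from the original post, nor part of GlassFish) that applies both settings with asadmin and then verifies the outcome by checking a HEAD response for Server and X-Powered-By headers. It assumes asadmin is on PATH, the listener is http-listener-1 and the domain answers on localhost:8080 as above; the check function itself needs only a POSIX shell and runs offline on the constructed before/after responses embedded in the script, so it can also be pointed at a response captured from any server.

```shell
#!/bin/sh
# Added example, not code from the original post or from GlassFish.
# Assumptions: asadmin is on PATH, the HTTP listener is http-listener-1
# and the domain serves on localhost:8080, as in the post.
# check_headers needs nothing but a POSIX shell and works on any captured
# response text, so the dry run at the bottom runs offline.

# Header names that fingerprint the server stack. HTTP header names are
# case-insensitive, so the match below is too.
FINGERPRINT_HEADERS='server|x-powered-by'

# check_headers RESPONSE_TEXT
# Prints every Server / X-Powered-By header line found and returns 1;
# returns 0 (printing nothing) when neither is present. CRLF line endings,
# as sent on the wire, are normalised before matching.
check_headers() {
  found=$(printf '%s\n' "$1" | tr -d '\r' \
          | grep -iE "^($FINGERPRINT_HEADERS):" || true)
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 1
  fi
  return 0
}

# harden_glassfish
# The two changes from the post. xpowered-by is a live listener setting;
# product.name is a JVM option and only takes effect after the restart.
# If a product.name option already exists (e.g. "My little server"),
# remove it first with asadmin delete-jvm-options, or you end up with two.
harden_glassfish() {
  asadmin set server.network-config.protocols.protocol.http-listener-1.http.xpowered-by=false \
    && asadmin create-jvm-options -Dproduct.name="" \
    && asadmin restart-domain
}

# verify_live URL
# Fetch the headers of a running server (HEAD request) and check them.
verify_live() {
  check_headers "$(curl -sI "$1")"
}

# Constructed sample responses (not captured from a real server) that
# mirror the before/after states shown in the post, for an offline dry run.
BEFORE='HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
Content-Type: text/html'

AFTER='HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/html
Date: Tue, 07 Sep 2010 10:20:36 GMT'

if check_headers "$BEFORE"; then echo "BEFORE: clean"; else echo "BEFORE: fingerprint headers present"; fi
if check_headers "$AFTER";  then echo "AFTER: clean";  else echo "AFTER: fingerprint headers present"; fi
# Against a live domain: harden_glassfish && verify_live http://localhost:8080
```

Run as-is for the offline dry run; against a live domain, call harden_glassfish and then verify_live. The check looks at header names only: a Server header carrying a custom value such as "My little server" is still reported as present, which is correct since the header has not gone away, only its value has.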

Alexis Moussine-Pouchkine's Weblog