Friday Nov 04, 2011

Suppress ADF version number in HTML pages


I was recently working with a partner that was undergoing a security hardening project with their ADF-based application. The issue was that too much information was being returned by the ADF server in the HTML pages: information that would be valuable to hackers or anyone profiling a system. An example of this information is here:








</body><!--Created by Oracle ADF (ADF Faces API -
11.1.1.4.0/ADF Faces Implementation - 11.1.1.4.0, RCF-revision: 39851 (branch:
faces-1003-11.1.1.4.0, plugins: 1.2.3), Trinidad-revision: 1051544 (branch:
1.2.12.3-branch, plugins: 1.2.10), build: adf-faces-rt_101221_0830, libNum:
0355 powered by JavaServer Faces API 1.2 Sun Sep 26 03:21:43 EDT 2010 
(1.2)), accessibility (mode:null, contrast:standard, size:medium),
skin:customSkin.desktop (CustomSkin)--></html>
















This is controlled by a parameter in web.xml:


  <context-param>
    <description>Whether the 'Generated by...' comment at the bottom of ADF Faces HTML pages should contain version number information.</description>
    <param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
    <param-value>true</param-value>
  </context-param>





And voilà! Special thanks to the ADF PM that hooked me up with the great information!
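To confirm the setting is in place, a hardening check can read web.xml for the parameter and scan a rendered page for dotted version strings inside the ADF trailer comment. The script below is an added example, not code from the original post or from Oracle; the function names, the sample web.xml documents and the shortened sample page are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

PARAM = "oracle.adf.view.rich.versionString.HIDDEN"  # parameter name from the post
ADF_COMMENT = re.compile(r"<!--\s*Created by Oracle ADF(.*?)-->", re.S)
VERSION = re.compile(r"\b\d+(?:\.\d+){2,}\b")  # e.g. 11.1.1.4.0

def _local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def version_string_hidden(web_xml_text):
    """Return True only if web.xml sets the context-param to 'true'."""
    root = ET.fromstring(web_xml_text)
    for elem in root.iter():
        if _local(elem.tag) != "context-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("param-name") == PARAM:
            return fields.get("param-value", "").lower() == "true"
    return False  # parameter absent: treat as not hardened

def leaked_versions(html):
    """Return dotted version strings found inside the ADF trailer comment."""
    found = []
    for body in ADF_COMMENT.findall(html):
        for v in VERSION.findall(body):
            if v not in found:
                found.append(v)
    return found

# Constructed samples: two minimal web.xml files and a page whose trailer
# comment is shortened from the one quoted in the post.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>"""
DEFAULT_WEB_XML = """<web-app version="2.5"><display-name>demo</display-name></web-app>"""
LEAKY_PAGE = ("</body><!--Created by Oracle ADF (ADF Faces API -\n"
              "11.1.1.4.0/ADF Faces Implementation - 11.1.1.4.0, "
              "RCF-revision: 39851)--></html>")

if __name__ == "__main__":
    print("hardened web.xml:", version_string_hidden(HARDENED_WEB_XML))
    print("default web.xml:", version_string_hidden(DEFAULT_WEB_XML))
    print("versions leaked by sample page:", leaked_versions(LEAKY_PAGE))
```

Run the page check against the HTML actually served after redeploying, since the web.xml check only confirms what is configured, not what the server emits.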


Chuck Speaks



http://twitter.com/ChuckAtOracle

About

Chuck Speaks is a Senior Sales Consultant in the North American ISV/OEM Sales organization. A former member of Oracle Platform Technology Solutions (PTS), he is focused on the Oracle Fusion Middleware stack and database technologies as well as Fusion Applications architecture.
