Martin Algesten wrote:
Remy, I don't agree with that at all. For security reasons you always want the option to reveal as little as possible about your system. By default httpd creates headers like:

Server: Apache/1.3.26 (Unix) mod_jk/1.1.0 DAV/1.0.3 mod_ssl/2.8.9 OpenSSL/0.9.6b

Which for a paranoid sysadmin is far too much info to give away. Thankfully you can get rid of them in the httpd configurations (if you want another example look at bind and what that gives away by default). This is exactly the same thing, if the header is to be set in the response (I'm not commenting on the implementation details or whether it should be there), then there must be an option to turn it off.

You're using in your argument the most extreme example ;-)
Here, it's only revealing the technology used. This is very little, and not any more revealing than a ".jsp" extension.


Anyway, I was ok with having that optional. However, I think the implementation provided is bad.
As such, I confirm my -1 for the patch.


Instead, I believe it should be implemented in the following way:
- flag on the connector, with the Servlet header being set in the CoyoteAdapter
- flag in the Jasper options (looking at the presence of another header, and assuming it's the Servlet header is just ugly: how about other implementations which embed Jasper?); setting the flag only in JspServlet can, however, be considered good enough (however, we should IMO add the header addition in the generated source for consistent results, since my original proposal of using HttpJspBase is not much better than JspServlet)


Remy
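As an added defender's check (not code from this thread, from httpd or from Tomcat), a small Python script that parses a raw HTTP response head and reports the headers that disclose implementation details, using the httpd Server line quoted above and a constructed Servlet header value as samples:

```python
import re
from typing import Dict, List, Tuple

# Response headers that reveal the implementation. A hardened deployment either
# omits them or strips the version strings (the Server line in httpd, the
# Servlet header via the optional flag this thread discusses).
DISCLOSING_HEADERS = ("server", "x-powered-by")
# "product/version" tokens such as Apache/1.3.26 or OpenSSL/0.9.6b
PRODUCT_TOKEN_RE = re.compile(r"[\w.-]+/\d[\w.]*")


def parse_response_head(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response head into {lowercased-name: [values]}."""
    headers: Dict[str, List[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def disclosure_findings(raw: str) -> List[Tuple[str, str, List[str]]]:
    """Return (header, value, product/version tokens) for each disclosing header."""
    findings = []
    for name, values in parse_response_head(raw).items():
        if name in DISCLOSING_HEADERS:
            for value in values:
                findings.append((name, value, PRODUCT_TOKEN_RE.findall(value)))
    return findings


# Constructed samples: the verbose default quoted above plus a Servlet header,
# and a hardened response that sends neither.
VERBOSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.26 (Unix) mod_jk/1.1.0 DAV/1.0.3 mod_ssl/2.8.9 OpenSSL/0.9.6b\r\n"
    "X-Powered-By: Servlet/2.4\r\n"
    "Content-Type: text/html\r\n\r\n"
)
HARDENED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE), ("hardened", HARDENED)):
        for name, value, versions in disclosure_findings(raw):
            print(f"{label}: {name} discloses {len(versions)} version(s): {value}")
```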

