Hi Cris,

try to add following to your web.xml
<error-page>
    <error-code>404</error-code>               <!-- HTTP status code -->
    <error-page>/error404.html</error-page>    <!-- static page, servlet
URL or JSP -->
</error-page>
regards
Leon


On Wed, May 2, 2018 at 9:27 PM, Berneburg, Cris J. - US <cberneb...@caci.com
> wrote:

> We are getting dinged by a vulnerability scan for the default not-found
> error page being returned by Tomcat for a Status 404.
>
> On my dev server when requesting an invalid URL, Tomcat returns a Status
> 404 page that displays the Tomcat version.  Right, I need to do something
> about that.
>
> However, I can't find where the error-page for 404 is defined.  It's not
> defined in:
> - webapps/ROOT/WEB-INF/web.xml
> - conf/web.xml
> - conf/server.xml
> - conf/context.xml
>
> Also, I can't find a notFound or error page either.
>
> How do I get rid of or override the default error / 404 / not-found page
> if I can't find it or where it is currently defined?  Also, how is Tomcat
> returning the default 404 error page if it does not exist?  I hope it's not
> hardcoded in a servlet response.
>
> FYI, we're going to remove the ROOT, docs, and examples folders to
> mitigate other scan findings.
>
> And we're using Tomcat 6.0.37 (ahem).
>
> --
> Cris Berneburg
> CACI Lead Software Engineer
>
>

Reply via email to