Hello Martin and John,

Any update on this?

Regards with Thanks,
Fang

On Thu, 4 Jun 2020, 09:48 FANG YAP, <fangg...@gmail.com> wrote:

> Hi Martin,
>
> Thank you for your email.
>
> In my application's web.xml, there is already a default <error-page>
> error-code that defines 404 (../error_404.jsp), 403 (../error_403.jsp), 500
> (../error_500.jsp) and java.lang.Throwable (.. /system Error.jsp)
>
> whereas the tomcat web.xml defines the previous error page on exception.
>
> Do I have to declare the same error code in the application's web.xml in
> the tomcat web.xml?
>
> Hi John,
>
> Thank you for your reply.
>
> In the tomcat server.xml, there is already a Valve tag like <Valve
> className="org.apache.catalina.AccessLogValve" pattern=... /> under <Host
> name="local"... >
>
> For your resolution is to include another valve tag below the access log
> valve?
>
> Regards with Thanks,
>
> Fang
>
> On Thu, 4 Jun 2020, 06:03 John Palmer, <johnpalm...@gmail.com> wrote:
>
>> As the concern is that an error page will show the tomcat version/patch info
>> AND a stacktrace,
>> I found the easier/better? solution to be adding ..... showReport="false"
>> showServerInfo="false"
>> to the Error Report Valve section at the bottom of server.xml (and adding
>> or uncommenting that valve section...):
>>
>> <Valve className="org.apache.catalina.valves.ErrorReportValve"
>> showReport="false" showServerInfo="false" />
>>
>> On Wed, Jun 3, 2020 at 5:40 AM Martin Grigorov <mgrigo...@apache.org>
>> wrote:
>>
>> > On Wed, Jun 3, 2020 at 11:14 AM FANG YAP <fangg...@gmail.com> wrote:
>> >
>> > > Hello Martin,
>> > >
>> > > It is to say that I have to declare something like this in web.xml file?
>> > >
>> > > <error-page>
>> > >   <exception-type>java.lang.Exception</exception-type>
>> > >   <location>/error.jsp</location>
>> > > </error-page>
>> > >
>> >
>> > Better use the error-code ones from the StackOverflow link I gave you.
>> > Your approach will cover only error code 500 (for Exceptions, but not for
>> > java.lang.Error) and won't cover NotFound (404) and the others.
>> > I guess Nessus won't be totally happy with your approach.
>> >
>> > >
>> > > Regards with Thanks,
>> > >
>> > > Fang
>> > >
>> > > On Wed, 3 Jun 2020, 15:56 Martin Grigorov, <mgrigo...@apache.org> wrote:
>> > >
>> > > > Hi,
>> > > >
>> > > > On Wed, Jun 3, 2020 at 5:53 AM FANG YAP <fangg...@gmail.com> wrote:
>> > > >
>> > > > > Resend
>> > > > >
>> > > > > On Wed, 3 Jun 2020, 10:10 FANG YAP, <fangg...@gmail.com> wrote:
>> > > > >
>> > > > > > Hi Tomcat,
>> > > > > >
>> > > > > > Nessus scanned and found an issue in Apache Tomcat Port 8080
>> > > > > >
>> > > > > > Port: 8080
>> > > > > > Plugin Text:
>> > > > > > The server is not configured to return a custom page in the event of a
>> > > > > > client requesting a non-existent resource. This may result in a potential
>> > > > > > disclosure of sensitive information about the server to attacker.
>> > > > > >
>> > > > > > Apache Tomcat Version: 8.5.43
>> > > > > > JDK 8: 1.8.0_212 (Will be upgrading to latest soon to latest 1.8.0_251)
>> > > > >
>> > > >
>> > > > To configure custom error pages and thus to suppress this issue you can:
>> > > > 1) use ErrorReportValve
>> > > > <https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>
>> > > >
>> > > > 2) configure error-page elements in your application web.xml -
>> > > > https://stackoverflow.com/a/7066536/497381
>> > > >
>> > > > > >
>> > > > > > Your assistance would be greatly appreciated
>> > > > > >
>> > > > > > Rgs,
>> > > > > > Fang
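
An added example, not part of the thread and not Tomcat's own tooling: a small Python check that each `<Host>` in server.xml carries an ErrorReportValve with `showReport` and `showServerInfo` set to false, and that the application web.xml maps the error codes discussed above. The sample XML, the JSP paths and the `required` list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ERV = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample server.xml: the valve sits in <Host>, after the access log valve.
SERVER_XML = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Valve className="org.apache.catalina.valves.AccessLogValve" pattern="common" />
    <Valve className="org.apache.catalina.valves.ErrorReportValve"
           showReport="false" showServerInfo="false" />
  </Host>
</Engine></Service></Server>"""

# Constructed sample application web.xml (paths are placeholders).
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <error-page><error-code>404</error-code><location>/error_404.jsp</location></error-page>
  <error-page><error-code>500</error-code><location>/error_500.jsp</location></error-page>
  <error-page><exception-type>java.lang.Throwable</exception-type><location>/error.jsp</location></error-page>
</web-app>"""

def local(tag):
    """Strip the XML namespace so web.xml files with or without xmlns both match."""
    return tag.rsplit("}", 1)[-1]

def audit_server_xml(text):
    """List Hosts whose error report can still show a stack trace or server version."""
    findings = []
    for host in ET.fromstring(text).iter("Host"):
        name = host.get("name", "?")
        valves = [v for v in host.findall("Valve") if v.get("className") == ERV]
        if not valves:
            findings.append(f"{name}: no ErrorReportValve element, defaults apply")
        for valve in valves:
            for attr in ("showReport", "showServerInfo"):  # both default to true
                if valve.get(attr, "true").strip().lower() != "false":
                    findings.append(f"{name}: {attr} is not false")
    return findings

def audit_web_xml(text, required=("404", "500", "java.lang.Throwable")):
    """List required error codes / exception types that have no <error-page> mapping."""
    covered = set()
    for page in ET.fromstring(text).iter():
        if local(page.tag) == "error-page":
            covered.update(c.text.strip() for c in page
                           if local(c.tag) in ("error-code", "exception-type") and c.text)
    return [f"no error-page for {r}" for r in required if r not in covered]

if __name__ == "__main__":
    print(audit_server_xml(SERVER_XML) or "server.xml: ok")
    print(audit_web_xml(WEB_XML) or "web.xml: ok")
```

Run against a web.xml that maps only `java.lang.Exception`, the second check reports 404, 500 and `java.lang.Throwable` as unmapped.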