Fang,

Your application's web.xml will only provide error messages for errors which occur when a request has been issued to your application (e.g. /myapp/doesnotexist -> 404 -> your 404 page). But if you request something outside your web application or make an invalid request, you won't get your application's configured error pages (e.g. /unknownapp/doesnotexist -> 404 -> Tomcat's default error page; e.g. /foo HTTP/7.5 -> 400 Bad Request, not app's error page).

So it's always a good idea to completely lock things down, and not just in your own application.

-chris

On 6/7/20 21:02, FANG YAP wrote:
> Hello Martin and John,
>
> Any update on this?
>
> Regards with Thanks,
>
> Fang
>
> On Thu, 4 Jun 2020, 09:48 FANG YAP, <fangg...@gmail.com> wrote:
>
>> Hi Martin,
>>
>> Thank you for your email.
>>
>> In my application's web.xml, there is already a default <error-page> error-code that defines 404 (../error_404.jsp), 403 (../error_403.jsp), 500 (../error_500.jsp) and java.lang.Throwable (.. /system Error.jsp)
>>
>> whereas the tomcat web.xml defines the previous error page on exception.
>>
>> Do I have to declare the same error code in the application's web.xml in the tomcat web.xml?
>>
>> Hi John,
>>
>> Thank you for your reply.
>>
>> In the tomcat server.xml, there is already a Valve tag like
>> <Valve className="org.apache.catalina.AccessLogValve" pattern=... />
>> under <Host name="local"... >
>>
>> For your resolution is to include another valve tag below the access log valve?
>>
>> Regards with Thanks,
>>
>> Fang
>>
>> On Thu, 4 Jun 2020, 06:03 John Palmer, <johnpalm...@gmail.com> wrote:
>>
>>> As the concern is that an error page will show the tomcat version/patch info AND a stacktrace, I found the easier/better? solution to be adding .....
>>> showReport="false" showServerInfo="false" to the Error Report Valve section at the bottom of server.xml (and adding or uncommenting that valve section...):
>>>
>>> <Valve className="org.apache.catalina.valves.ErrorReportValve"
>>>        showReport="false" showServerInfo="false" />
>>>
>>> On Wed, Jun 3, 2020 at 5:40 AM Martin Grigorov <mgrigo...@apache.org> wrote:
>>>
>>>> On Wed, Jun 3, 2020 at 11:14 AM FANG YAP <fangg...@gmail.com> wrote:
>>>>
>>>>> Hello Martin,
>>>>>
>>>>> It is to say that I have to declare something like this in web.xml file?
>>>>>
>>>>> <error-page>
>>>>>   <exception-type>java.lang.Exception</exception-type>
>>>>>   <location>/error.jsp</location>
>>>>> </error-page>
>>>>
>>>> Better use the error-code ones from the StackOverflow link I gave you. Your approach will cover only error code 500 (for Exceptions, but not for java.lang.Error) and won't cover NotFound (404) and the others. I guess Nessus won't be totally happy with your approach.
>>>>
>>>>>
>>>>> Regards with Thanks,
>>>>>
>>>>> Fang
>>>>>
>>>>> On Wed, 3 Jun 2020, 15:56 Martin Grigorov, <mgrigo...@apache.org> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On Wed, Jun 3, 2020 at 5:53 AM FANG YAP <fangg...@gmail.com> wrote:
>>>>>>
>>>>>>> Resend
>>>>>>>
>>>>>>> On Wed, 3 Jun 2020, 10:10 FANG YAP, <fangg...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Tomcat,
>>>>>>>>
>>>>>>>> Nessus scanned and found issue in Apache Tomcat Port 8080
>>>>>>>>
>>>>>>>> Port: 8080
>>>>>>>> Plugin Text: The server is not configured to return a custom page in the event of a client requesting a non-existent resource. This may result in a potential disclosure of sensitive information about the server to attacker.
>>>>>>>>
>>>>>>>> Apache Tomcat Version: 8.5.43
>>>>>>>> JDK 8: 1.8.0_212 (Will be upgrading to latest soon to latest 1.8.0_251)
>>>>>>>
>>>>>>
>>>>>> To configure custom error pages and thus to suppress this issue you can:
>>>>>> 1) use ErrorReportValve <https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>
>>>>>> 2) configure error-page elements in your application web.xml - https://stackoverflow.com/a/7066536/497381
>>>>>>
>>>>>>>>
>>>>>>>> Your assistance would be greatly appreciated
>>>>>>>>
>>>>>>>> Rgs, Fang
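
Added example, not part of the thread or of Tomcat: a short Python check covering both layers discussed above, the Host-level ErrorReportValve in server.xml and the application's <error-page> entries in web.xml. The two XML documents are constructed samples; the function names and the wanted set (403, 404, 500 and java.lang.Throwable, taken from Fang's message) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ERV = "org.apache.catalina.valves.ErrorReportValve"
WANTED_CODES = {"403", "404", "500"}  # the codes Fang's web.xml maps

# Constructed server.xml: one hardened Host, one left at Tomcat's defaults.
SERVER_XML = """<Server><Service name="Catalina"><Engine name="Catalina">
 <Host name="localhost" appBase="webapps">
  <Valve className="org.apache.catalina.valves.AccessLogValve" pattern="common"/>
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false" showServerInfo="false"/>
 </Host>
 <Host name="internal" appBase="internal-apps">
  <Valve className="org.apache.catalina.valves.AccessLogValve" pattern="common"/>
 </Host>
</Engine></Service></Server>"""

# Constructed web.xml: only java.lang.Exception and 404 are mapped.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
 <error-page><exception-type>java.lang.Exception</exception-type>
  <location>/error.jsp</location></error-page>
 <error-page><error-code>404</error-code>
  <location>/error_404.jsp</location></error-page>
</web-app>"""

def hosts_with_default_error_page(server_xml):
    """Hosts where out-of-application errors still get Tomcat's verbose page."""
    exposed = []
    for host in ET.fromstring(server_xml).iter("Host"):
        hardened = any(v.get("className") == ERV and v.get("showReport") == "false"
                       and v.get("showServerInfo") == "false" for v in host.findall("Valve"))
        if not hardened:  # no valve declared means the defaults (both true) apply
            exposed.append(host.get("name"))
    return exposed

def unmapped_errors(web_xml):
    """Error codes / Throwable that the application's <error-page> list misses."""
    codes, types = set(), set()
    for page in ET.fromstring(web_xml).iter():
        if page.tag.rsplit("}", 1)[-1] != "error-page":  # strip the XML namespace
            continue
        kids = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in page}
        if "error-code" not in kids and "exception-type" not in kids:
            return []  # Servlet 3.0+ catch-all page: location only
        codes.add(kids.get("error-code"))
        types.add(kids.get("exception-type"))
    missing = sorted(WANTED_CODES - codes)
    return missing + ([] if "java.lang.Throwable" in types else ["java.lang.Throwable"])
```

A Host that appears in the first result still needs the valve settings John quotes, even when the second result is empty for every deployed application.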