On 22/02/2023 17:10, James H. H. Lampert wrote:
We've got a customer -- the same one that was our first test of a
working RemoteAddrValve -- whose security consultant is complaining that
a potential intruder can confirm the *existence* of the manager context
(because it returns a 403, as opposed to, say, a 404).
Any ideas?
Fire them and hire a security consultant with a proper understanding of
risk?
Alternatively, you can use denyStatus="404" on the RemoteAddrValve. That
attribute should be available in all versions of all currently supported
Tomcat releases (it was added back in 2011). You can set it to any value
valid for use with HttpServletResponse.sendError(int).
Mark
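As an added illustration of the denyStatus setting Mark describes (this is example configuration, not taken from the thread or from Tomcat's shipped files): a context-level RemoteAddrValve that allows loopback plus one assumed administrative subnet (10.0.0.0/24 is a placeholder; substitute the consultant's actual range) and answers every other client with 404 instead of the default 403. It would go in the manager application's context definition, for example conf/Catalina/localhost/manager.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example context definition for the Tomcat manager application.
     The valve runs before authentication, so a client outside "allow"
     never sees the 401 challenge or the 403; it receives the status in
     denyStatus, which must be a value accepted by
     HttpServletResponse.sendError(int). -->
<Context antiResourceLocking="false" privileged="true">

  <!-- "allow" is a java.util.regex pattern matched against the client IP
       (the string form, so dots must be escaped). 10.0.0.0/24 is an
       assumed admin network, not a value from the thread. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.0\.0\.\d+"
         denyStatus="404" />

</Context>
```

After a restart, requesting /manager/html from an address outside the allow list should return 404 rather than 403; from an allowed address the normal 401 BASIC challenge still appears, so the setting hides the context only from clients that could never have used it anyway. If the server sits behind a proxy or load balancer, the valve sees the proxy's address unless RemoteIpValve is configured in front of it, so verify the observed status from a genuinely external client rather than from the proxy host.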
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org