Compass Security Blog

Offensive Defense

JBoss 7.1 Web Server Hardening

JBoss AS is a popular open-source Java application server whose code base was largely rewritten for the 7.x branch. Of this new branch, only version 7.1.0.Final, released a week ago, is certified for the Java EE 6 Full Profile.

As part of the rewrite, the configuration settings also got a global overhaul. They are now grouped per mode (standalone or domain) and profile (default, full, ha and full-ha – e.g. standalone/standalone-full.xml).

The default settings for the web server component look as follows:

<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:1.1">
[CUT BY COMPASS]
  <profile>
  [CUT BY COMPASS]
    <subsystem xmlns="urn:jboss:domain:web:1.1"
     default-virtual-server="default-host" native="false">
      <connector name="http" protocol="HTTP/1.1" scheme="http"
       socket-binding="http" />
      <virtual-server name="default-host"
       enable-welcome-root="true">
        <alias name="localhost" />
        <alias name="example.com" />
      </virtual-server>
    </subsystem>
  [CUT BY COMPASS]

Several hardening steps can be performed, such as:

  • Enabling only HTTPS and disabling the plain HTTP connector
  • Disabling the display of JSP source fragments in error pages
  • Removing the X-Powered-By HTTP response header
  • Disabling the default JBoss 7 welcome pages

The following hardened configuration is therefore a good start for the web server component:

<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:1.1">
[CUT BY COMPASS]
  <profile>
  [CUT BY COMPASS]
    <subsystem xmlns="urn:jboss:domain:web:1.1"
     default-virtual-server="default-host" native="false">
      <configuration>
        <jsp-configuration
         display-source-fragment="false"
         x-powered-by="false"/>
      </configuration>
      <connector name="http" protocol="HTTP/1.1" scheme="http"
       socket-binding="http"
       enabled="false"/>
      <connector
       name="https"
       protocol="HTTP/1.1"
       socket-binding="https"
       scheme="https"
       secure="true">
        <ssl
         name="ssl"
         protocol="TLSv1"
         password="[CUT BY COMPASS]"
         verify-client="false"
         cipher-suite="HIGH"
         certificate-key-file="${user.home}/.keystore"
         ca-certificate-file="${user.home}/.trustedstore"/>
      </connector>
      <virtual-server name="default-host"
       enable-welcome-root="false">
        <alias name="localhost" />
        <!-- COMMENT THIS SECTION TO DISABLE IT
        <alias name="example.com" />
        -->
      </virtual-server>
    </subsystem>
  [CUT BY COMPASS]

Documentation for these settings can be found either in the XML schema files under docs/schema/*.xsd or in the online documentation (e.g. for the jsp-configuration element).
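To check that a standalone.xml actually carries the settings above (and to catch a plain HTTP connector or welcome root that someone adds back later), the following Python script audits the web subsystem offline. It is an added example, not tooling from Compass Security or from JBoss. It assumes the urn:jboss:domain:web:1.1 namespace of AS 7.1 and that display-source-fragment and x-powered-by are active when the attribute is absent (which is why the hardening list above turns them off). The two embedded configurations are constructed copies of the default and hardened fragments, with a placeholder keystore password. The TLS-version check goes beyond the post: TLS 1.0 and 1.1 have since been deprecated by RFC 8996, so the post's protocol="TLSv1" is reported as a finding.

```python
"""Offline audit of the JBoss AS 7.1 web subsystem for the hardening settings
discussed above.  Added example, not Compass Security's or JBoss's own tooling.
Assumes the urn:jboss:domain:web:1.1 namespace and that display-source-fragment
and x-powered-by are on when the attribute is missing."""
import sys
import xml.etree.ElementTree as ET

NS = {"web": "urn:jboss:domain:web:1.1"}
# TLS 1.0 and 1.1 were deprecated by RFC 8996; this check postdates the post.
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_web_subsystem(root):
    """Return a list of findings for a parsed <server> element; [] means clean."""
    sub = root.find(".//web:subsystem", NS)
    if sub is None:
        return ["no web subsystem (%s) found" % NS["web"]]
    findings = []
    https_seen = False
    for c in sub.findall("web:connector", NS):
        name, scheme = c.get("name"), c.get("scheme", "http")
        enabled = c.get("enabled", "true").lower() == "true"  # enabled unless set to false
        if scheme == "http" and enabled:
            findings.append("connector '%s' still serves plain HTTP" % name)
        if scheme == "https" and enabled:
            https_seen = True
            if c.get("secure", "false").lower() != "true":
                findings.append("connector '%s' lacks secure=\"true\"" % name)
            ssl = c.find("web:ssl", NS)
            if ssl is None:
                findings.append("connector '%s' has no <ssl> element" % name)
            elif ssl.get("protocol") in WEAK_TLS:
                findings.append("connector '%s' allows %s (deprecated by RFC 8996)"
                                % (name, ssl.get("protocol")))
    if not https_seen:
        findings.append("no enabled HTTPS connector")
    # Source fragments and X-Powered-By are only off when explicitly set to false.
    jsp = sub.find("web:configuration/web:jsp-configuration", NS)
    for attr in ("display-source-fragment", "x-powered-by"):
        value = jsp.get(attr, "true") if jsp is not None else "true"
        if value.lower() != "false":
            findings.append("jsp-configuration %s is not false" % attr)
    for vs in sub.findall("web:virtual-server", NS):
        if vs.get("enable-welcome-root", "true").lower() != "false":
            findings.append("virtual-server '%s' still serves the welcome root" % vs.get("name"))
    return findings


def audit_xml(text):
    """Audit standalone.xml given as text (parsed as bytes so the XML declaration is valid)."""
    return audit_web_subsystem(ET.fromstring(text.encode("utf-8")))


# Constructed sample: the default web subsystem as shipped with AS 7.1.0.Final.
DEFAULT_XML = """<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:1.1">
  <profile>
    <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
      <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
      <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
      </virtual-server>
    </subsystem>
  </profile>
</server>
"""

# Constructed sample: the hardened fragment from the post, placeholder password.
HARDENED_XML = """<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:1.1">
  <profile>
    <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
      <configuration>
        <jsp-configuration display-source-fragment="false" x-powered-by="false"/>
      </configuration>
      <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" enabled="false"/>
      <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" secure="true">
        <ssl name="ssl" protocol="TLSv1" password="changeit" verify-client="false" cipher-suite="HIGH"
             certificate-key-file="${user.home}/.keystore" ca-certificate-file="${user.home}/.trustedstore"/>
      </connector>
      <virtual-server name="default-host" enable-welcome-root="false">
        <alias name="localhost"/>
      </virtual-server>
    </subsystem>
  </profile>
</server>
"""

if __name__ == "__main__":
    # With a path argument audit that file, otherwise the embedded hardened sample.
    src = open(sys.argv[1], "rb").read().decode("utf-8") if len(sys.argv) > 1 else HARDENED_XML
    for finding in audit_xml(src) or ["no findings"]:
        print(finding)
```

Run it as python audit_jboss_web.py standalone/standalone.xml (the file name is an assumption); without an argument it audits the embedded hardened fragment, where the only finding is the TLSv1 protocol. The audit is static, so after restarting the server confirm the result on the wire: curl -sI http://host:8080/ should be refused, and curl -skI https://host:8443/ should show no X-Powered-By header and a 404 for the root now that the welcome page is gone.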

2 Comments

  1. Nikhil Paramane

    Hello, can you give me the solution for removing X-Powered-By: Jsp/2.2 specifically in jboss-as-7.2.0 server? Thanks.
