Compass Security Blog

Offensive Defense

JBoss 7.1 Web Server Hardening

JBoss is a popular open-source Java application server which underwent a major rewrite of its code-base for its latest version 7.x. Of this new branch, only version 7.1.0.Final, released a week ago, is certified for the Java EE 6 Full Profile.

As part of the code rewrite, the configuration settings also got a global overhaul. The settings are now mostly regrouped per mode (standalone or domain) and profile (default, full, ha and full-ha – e.g. standalone/standalone-full.xml).

The default settings for the web server component look as follow:

<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:1.1">
[CUT BY COMPASS]
  <profile>
  [CUT BY COMPASS]
    <subsystem xmlns="urn:jboss:domain:web:1.1"
     default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http"
     socket-binding="http" />
    <virtual-server name="default-host"
     enable-welcome-root="true">
      <alias name="localhost" />
      <alias name="example.com" />
    </virtual-server>
  </subsystem>
  [CUT BY COMPASS]

Several hardening steps can be performed, such as:

  • Enabling only HTTPS and disabling HTTP
  • Disabling the display of source fragment
  • Removing the x-powered-by http header
  • Disabling the default JBoss 7 welcome pages

The following hardened configuration is therefore a good start for the web server component:

<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:1.1">
[CUT BY COMPASS]
  <profile>
  [CUT BY COMPASS]
    <subsystem xmlns="urn:jboss:domain:web:1.1"
     default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" 
     socket-binding="http"
     enabled="false"/>
    <configuration>
      <jsp-configuration
       display-source-fragment="false"
       x-powered-by="false"/>
    </configuration>
    <connector
     name="https"
     protocol="HTTP/1.1"
     socket-binding="https"
     scheme="https"
     secure="true">
      <ssl
       name="ssl"
       protocol="TLSv1"
       password="[CUT BY COMPASS]"
       verify-client="false"
       cipher-suite="HIGH"
       certificate-key-file="${user.home}/.keystore"
       ca-certificate-file="${user.home}/.trustedstore"/>
    </connector>
    <virtual-server name="default-host"
     enable-welcome-root="false">
      <alias name="localhost" />
      <!-- COMMENT THIS SECTION TO DISABLE IT
      <alias name="example.com" />
      -->
    </virtual-server>
  </subsystem>
  [CUT BY COMPASS]

Documentation relating to these settings can either be found in the XML schema files located in docs/schema/*.xsd or in the online documentation (e.g. about the jsp-configuration element).

2 Comments

  1. Nikhil Paramane

    February 4, 2021 at 14:19

    Hello , can you give me the solution for removing X-Powered-By :Jsp/2.2 specifically in jboss-as-7.2.0 server. Thanks.

Leave a Reply

Your email address will not be published. Required fields are marked *