web container security hardening

mclaugs Aug 29, 2011 11:35 AM

I am starting to work with JBoss 7 and I am tryinbg to figure out how to do some web container hardening so the feature requests can be submitted if the features are currently not available as there items are required before this version can be supported in my environment.

1) Removing or nulling out the value of the "Server" http header. This was handled before by adding the server=" " attribute to the jbossweb server.xml

2) Disabling HTTP methods at a URL level

ie Disable PUT, TRACE, DELETE, OPTIONS for the "/" but allowing it for "/<application name>

Tjhis used to be a configuration in the web.xml of jbossweb

1. Re: web container security hardening

mclaugs Sep 1, 2011 3:08 PM (in response to mclaugs)

Would this question fit better on the developer list?
Actions
2. Re: web container security hardening

emuckenhuber Sep 1, 2011 5:07 PM (in response to mclaugs)

Basically everything which can be configured should be in the schema of the web subsystem (docs/schema/jboss-as-web_1_0.xsd). Which basically means that what are you trying to do is currently not supproted. Perhaps you want to start a discussion in the jboss-web forums here: http://community.jboss.org/en/jbossweb
Actions
3. Re: web container security hardening

mclaugs Sep 5, 2011 5:43 PM (in response to emuckenhuber)

Wonderful thank you I will post a message like this on the jbossweb list.
Actions

Go to original post