Chameleon GlassFish (X-Powered-By: and Server:)

September 7, 2010 § 3 Comments


With Grizzly at the heart of GlassFish since 2.x and offering great HTTP performance, I see a number of users simply go without any front web server (when network topologies allow for this). This means that GlassFish can be exposed directly on the internet. For security reasons (trying not to help attackers fingerprint the deployment), it may be a good idea to not tell the world which server you are using. This is what a user has recently been asking on the forums.

By default, GlassFish returns two HTTP headers that may disclose that GlassFish is the server used:

% curl -I http://localhost:8080
HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1

Both headers can be changed with GlassFish.
Read on to see how to do so with version 3.0.1 and beyond.

Let’s start with “X-Powered-By”. To change this you need to set the xpowered-by HTTP listener property to false (the default is true to conform to the Servlet specification). You can do this from the admin console (Configuration > Network Config > Network Listeners > http-listener-1 > HTTP), but you could also do it the CLI way using the dotted notation in a single command:

asadmin set server.network-config.protocols.protocol.http-listener-1.http.xpowered-by=false

You can also point your HTTP client to this RESTful admin URL: http://localhost:4848/management/domain/configs/config/server-config/network-config/protocols/protocol/http-listener-1/http and emit a POST to change the xpowered-by property. No restart is required, and you should now see the following complete HEAD response (no more X-Powered-By):

% curl -I http://localhost:8080
HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition 3.0.1
Accept-Ranges: bytes
ETag: W/"5212-1259789398000"
Last-Modified: Wed, 02 Dec 2009 21:29:58 GMT
Content-Type: text/html
Content-Length: 5212
Date: Tue, 07 Sep 2010 10:02:27 GMT

Update: I’m also reminded that you can control the presence of the X-Powered-By header using web.xml for a per-application setting, or using the domain/config/default-web.xml file for the whole domain. In both cases, you’ll need to set the servlet’s xpoweredBy init-param to false.

The second part, maybe the most important, is the “Server” HTTP header, which can be either modified or removed altogether. This involves adding a Java system property, which means the change will require a server restart. The magic property is called product.name. Again, you could use the admin console to change this (Configuration > JVM Settings > JVM Options) or go the command-line route:

% asadmin create-jvm-options -Dproduct.name="My little server"
% asadmin restart-domain
Successfully restarted the domain

Command restart-domain executed successfully.
% curl -I http://localhost:8080
HTTP/1.1 200 OK
Server: My little server
Accept-Ranges: bytes
ETag: W/"5212-1259789398000"
Last-Modified: Wed, 02 Dec 2009 21:29:58 GMT
Content-Type: text/html
Content-Length: 5212
Date: Tue, 07 Sep 2010 10:20:16 GMT

Finally, you can remove the “Server” header altogether by setting the property to an empty string:

% asadmin create-jvm-options -Dproduct.name=""
% asadmin restart-domain
Successfully restarted the domain
Command restart-domain executed successfully.
% curl -I http://localhost:8080
HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"5212-1259789398000"
Last-Modified: Wed, 02 Dec 2009 21:29:58 GMT
Content-Type: text/html
Content-Length: 5212
Date: Tue, 07 Sep 2010 10:20:36 GMT
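Once the listener and JVM option are in place, it is worth having a repeatable check rather than eyeballing curl output. The following POSIX shell script is an added example (not part of the original post or of GlassFish itself): it reads raw response headers, flags the two disclosing headers discussed above, and wraps a curl -I call the way the post does. The header list and the sample responses are constructed for illustration; curl is assumed to be installed.

```shell
#!/bin/sh
# Added example: verify that a GlassFish listener no longer advertises
# itself via the X-Powered-By or Server response headers.

# Header names (lowercase) that reveal the server software.
# Constructed list for this check, not a GlassFish setting.
FINGERPRINT_HEADERS="server x-powered-by"

# check_headers reads raw HTTP response headers on stdin, prints every
# fingerprinting header it finds, and returns 0 when none are present
# (hardened) or 1 when at least one is still disclosed.
check_headers() {
    found=0
    while IFS= read -r line; do
        # Strip the CR that HTTP puts at the end of each header line.
        line=$(printf '%s' "$line" | tr -d '\r')
        # Header names are case-insensitive, so compare in lowercase.
        name=$(printf '%s' "$line" | cut -d: -f1 | tr '[:upper:]' '[:lower:]')
        for h in $FINGERPRINT_HEADERS; do
            if [ "$name" = "$h" ]; then
                printf 'disclosed: %s\n' "$line"
                found=1
            fi
        done
    done
    return $found
}

# check_url issues the same HEAD request as "curl -I" in the post and
# feeds the headers to check_headers. Usage: check_url http://localhost:8080
check_url() {
    curl -sS -I "$1" | check_headers
}
```

Run it after each configuration step (and after every restart-domain) so a regression in the listener or JVM settings shows up as a non-zero exit status.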


§ 3 Responses to Chameleon GlassFish (X-Powered-By: and Server:)

  • Torben says:

    Great post!
    Another question comes into my mind if I use GF standalone: what is the best solution to run it on port 80?

  • erik says:

    Are there any cons to this?

  • Alexis MP says:

    @Torben, modulo OS privileges, you can directly configure the default HTTP listener to serve requests on port 80 rather than the default 8080.
    @Erik, the biggest con is that I will no longer be able to point to your website as an example of a successful GlassFish deployment!

You are currently reading Chameleon GlassFish (X-Powered-By: and Server:) at Bistro! 2.0.