Bug 48006 - Implement the header X-Powered-By suggested by the servlet specification
Implement the header X-Powered-By suggested by the servlet specification
Status: RESOLVED FIXED
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
6.0.20
All All
: P2 enhancement (vote)
: default
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2009-10-15 11:34 UTC by olivier dupuy
Modified: 2010-03-06 17:35 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description olivier dupuy 2009-10-15 11:34:52 UTC
Hello,

The servlet 2.5 specification at 
http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index2.html
suggests in section "SRV.5.2 Headers"

...
It is recommended that containers use the X-Powered-By HTTP header to
publish its implementation information. The field value should consist of one or
more implementation types, such as "Servlet/2.4". Optionally, the
supplementary information of the container and the underlying Java platform can
be added after the implementation type within parentheses. The container should
be configurable to suppress this header.
Here’s the examples of this header.
X-Powered-By: Servlet/2.4
X-Powered-By: Servlet/2.4 JSP/2.0 (Tomcat/5.0 JRE/1.4.1)
...

This behavior is not implemented in Tomcat 6.0.20.
To make it totally clear, may I suggest to return the precise Tomcat and JVM version with all the digits and the vendor such as Tomcat/5.5.28 JRE/SUN/1.5.0_12-b04)

Having this headers helps a lot the development team to determine what is really running his application in test or production w/o asking to the maintenance guy who is either often unreachable or not able to answer (YES).

Provide the option to remove the header through the configuration (file) or through programming (see related bugs 48004 and 48005).

The servlet 3.0 specification at
http://jcp.org/aboutJava/communityprocess/pfd/jsr315/index.html
in the same section "SRV.5.2 Headers" says the same but I did not test for it in Tomcat 7.

Thanks

Olivier
Comment 1 Tim Funk 2009-10-15 11:41:34 UTC
This is already available in conf/web.xml - default is off since its a waste of bandwidth and a security hole. (information disclosure)
Comment 2 olivier dupuy 2009-10-15 12:01:07 UTC
True that it's there in web.xml and even in the 5.5 version.
I agree that it is a security hole IN PRODUCTION but for a development and test environment this is not a concern.

Moreover you do not have the precise Tomcat version and the precise JVM version

You have this header
Server	Apache-Coyote/1.1
and this one
X-Powered-By	JSP/2.1

This should be like IMHO to be really useful something such as
Server	Apache-Coyote/1.1
X-Powered-By	JSP/2.1 Tomcat/5.5.28 JRE/SUN/1.5.0_12-b04)

And if you consider this to be a security hole then the the server header is also one and should be banned too for the same reasons.

Sorry to insist but the operation teams are not always what they should be and this information saves time for some development teams like mine.

I am perfectly OK with a default value of "false" in web.xml to not show the header for the reasons mentioned by Tim.

Thanks to consider my point of view

Olivier
Comment 3 Mark Thomas 2009-12-31 02:47:58 UTC
Note that you can modify the server header to display anything you want to.

The updated X-Powered-By header has been fixed in trunk and proposed for 6.0.x
Comment 4 Konstantin Kolinko 2010-03-06 17:35:29 UTC
Implemented in 6.0 in r896389, is in 6.0.24 onwards.