Is there a way to hide the JBossWeb or Tomcat version in an error page?

Solution Verified - Updated -

Issue

  • The default Tomcat error handler displays the version details of the application server. Is there a way to hide this information from end users. It is possible that a remote attacker could use this information to mount further attacks.
  • I need to remove the jbossweb version from default error page message. Is there an option to change the version string ?

  • We have receive HTTP 401 response. How can we customise this error response? E.g. the response should not contain the jboss version.

  • Can you globally in JBoss EAP 6 configure custom error pages for 404, etc? I know that you can do that per application in web.xml,but this means that each application has to have custom valve. This is not satisfaction.
<error-page>
  <error-code>400</error-code>
  <location>/WEB-INF/errorpage/400.jsp</location>
</error-page>

Environment

  • JBoss Enterprise Application Platform (EAP)
    • 4.x
    • 5.x
    • 6.x
    • 7.x
  • JBoss Enterprise Web Server (EWS)
  • Tomcat
    • 5.5.x
    • 6.x
    • 7.x
    • 8.x
    • 9.x

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In