隐藏JSF应用中的HTTP Header信息

 

对于JSF的应用，你可能会在HTTP的头信息中看到这样的字样：

Server : Apache/2.0.61 (Unix)
X-Powered-By : JSF/1.2

让用户知道这些消息没有太大意义，而且可能造成安全漏洞。需要屏蔽的话可以参考以下步骤：

隐藏Server信息：在apache里控制的,在httpd.conf里加入一行

    ServerTokens Prod

隐藏X-Powered-By：在web.xml中加入：

 

<context-param>
    <param-name>com.sun.faces.sendPoweredByHeaderparam-name>
    <param-value>falseparam-value>
context-param>

com.sun.faces.sendPoweredByHeader false

 

对于JBoss，需要找到这个文件：/server/default/deploy/jboss-web.deployer/conf/web.xml，然后加入以下代码：

 

<filter>
      <filter-name>CommonHeadersFilterfilter-name>
      <filter-class>org.jboss.web.tomcat.filters.ReplyHeaderFilterfilter-class>
      <init-param>
         <param-name>X-Powered-Byparam-name>
         <param-value>Servlet 2.4; JBoss-4.2.0.GA (build:
SVNTag=JBPAPP_4_2_0_GA date=200706281411)/Tomcat-5.5param-value>
      init-param>
   filter>
↓
   <filter>
      <filter-name>CommonHeadersFilterfilter-name>
      <filter-class>org.jboss.web.tomcat.filters.ReplyHeaderFilterfilter-class>
   filter>

CommonHeadersFilter org.jboss.web.tomcat.filters.ReplyHeaderFilter X-Powered-By Servlet 2.4; JBoss-4.2.0.GA (build: SVNTag=JBPAPP_4_2_0_GA date=200706281411)/Tomcat-5.5 ↓ CommonHeadersFilter org.jboss.web.tomcat.filters.ReplyHeaderFilter

 

 

 

转载自 http://www.ondev.net/post/show/585