Monday, June 18, 2012

Jetty - Basic Hardening

Jetty by default is shipped with two annoying features that should be turned off in production.

The first one is context listing. If you request the root path and no context is configured as the root context, Jetty responds with a list of all installed contexts. That is handy during development, but in production it discloses information (which applications are deployed and under which paths) that nobody outside needs.

The class responsible for rendering this list is org.eclipse.jetty.server.handler.DefaultHandler, and it is configured in jetty.xml. Call setShowContexts(false) on it to turn the context listing off.

Actually, you may consider providing your own Handler class instead of the DefaultHandler. org.eclipse.jetty.server.handler.DefaultHandler is also responsible for serving Jetty's default favicon. It can be configured not to serve the favicon at all with setServeIcon(false), but it does not allow you to customize the favicon. So if you want your own favicon, you'll need a custom class.


The second annoying feature is directory listing: when you request a directory, Jetty generates a page listing the files inside it. This can be turned off per context: under <Configure class="org.eclipse.jetty.webapp.WebAppContext"> put the following init parameter:

<Call name="setInitParameter">
  <Arg>org.eclipse.jetty.servlet.Default.dirAllowed</Arg>
  <Arg>false</Arg>
</Call>
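The same two settings applied to an embedded Jetty started from code, as an added example that is not part of the original post. It assumes the Jetty 9 API (Server, HandlerList, WebAppContext, DefaultHandler), a placeholder WAR path, and PlainNotFoundHandler is my own replacement for DefaultHandler, not a Jetty class.

```java
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.webapp.WebAppContext;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class HardenedJetty {

    // Set to true to replace DefaultHandler entirely (hypothetical switch).
    static final boolean USE_CUSTOM_FALLBACK = false;

    // Replacement for DefaultHandler: every request no context claimed gets a
    // bare 404, so neither the context list nor the bundled favicon is served.
    static class PlainNotFoundHandler extends AbstractHandler {
        @Override
        public void handle(String target, Request baseRequest,
                           HttpServletRequest request, HttpServletResponse response)
                throws IOException {
            response.setStatus(HttpServletResponse.SC_NOT_FOUND);
            response.setContentType("text/plain;charset=utf-8");
            response.getWriter().println("Not Found");
            baseRequest.setHandled(true);
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        WebAppContext app = new WebAppContext();
        app.setContextPath("/app");
        app.setWar("/path/to/app.war"); // placeholder, not a real path
        // Same init parameter as the XML snippet: no directory listings.
        app.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false");

        // Fallback for requests no context claims: either DefaultHandler with
        // both features silenced, or the custom handler above.
        Handler fallback;
        if (USE_CUSTOM_FALLBACK) {
            fallback = new PlainNotFoundHandler();
        } else {
            DefaultHandler dh = new DefaultHandler();
            dh.setShowContexts(false);
            dh.setServeIcon(false);
            fallback = dh;
        }

        HandlerList handlers = new HandlerList();
        handlers.setHandlers(new Handler[] { app, fallback });
        server.setHandler(handlers);
        server.start();
        server.join();
    }
}
```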

5 comments:

Alexey said...

Hey, I tried this, but it does not work for me:

2012-11-07 15:34:46.380:WARN::EXCEPTION
java.lang.IllegalStateException: No Method: org.eclipse.jetty.servlet.Default.dirAllowedfalse on class org.mortbay.jetty.webapp.WebAppContext

Alexey said...

I figured out a better way to do this.
Simply add the following in your context .xml:

/etc/webdefault.xml

and the dirAllowed can be then set in webdefault.xml

-Alexey

Alexey said...

shoot ... the xml got hidden here:

[Set name="defaultsDescriptor"][SystemProperty name="jetty.home" default="."/]/etc/webdefault.xml[/Set]

jetty question said...

Actually you may consider to provide your own Handler class instead of the DefaultHandler. The org.eclipse.jetty.server.handler.DefaultHandler is also responsible to display the Jetty's default favicon. It may be configured not to serve the favicon at all by setServeIcon(false), but it does not allow to customize the favicon. So if you want to do it, you'll need a custom class.

How does one go about defining a custom class to do this with embedded Jetty? Thanks in advance!

Tarlog said...

What do you call an embedded Jetty? Do you initialize it from code?