Monday, June 18, 2012

Jetty - Basic Hardening

Jetty by default is shipped with two annoying features that should be turned off in production.

The first one is contexts listing. If you access the root folder, and if there is no special context configured to be a root context, Jetty will display a list of all contexts installed. While it may be nice to see it during the development, it's unnecessary information during production.

The class responsible for displaying this list is org.eclipse.jetty.server.handler.DefaultHandler and it's configured in jetty.xml. setShowContexts to false to turn off the contexts listing.

Actually you may consider to provide your own Hanlder class instead of the DefaultHanlder. The org.eclipse.jetty.server.handler.DefaultHandler is also responsible to display the Jetty's default favicon. It may be configured not to server the favicon at all by setServeIcon(false), but it does not allow to customize the favicon. So if you want to do it, you'll need a custom class.


The second annoying feature is a directory content listing - when you access a directory, the Jetty will generate a page with a list of files located inside. This configuration can be turned off per context: under <Configure class="org.eclipse.jetty.webapp.WebAppContext"> put the following init parameter:

<Call name="setInitParameter">
  <Arg>org.eclipse.jetty.servlet.Default.dirAllowed</Arg>
  <Arg>false</Arg>
</Call>