By default Apache Tomcat server version exposed and leads security issue.There are three approaches to hide the Apache Tomcat server version. In which easy-st way is adding one of the attribute in server.xml
How to check Apache Tomcat Server version details
Open command prompt from windows and then go to Apache Tomcat server lib location by using CD command like as follows.
C:\Users\narayanatutorial>cd D:\Tools\Apache\apache-tomcat-6.0.26\lib D:\Tools\Apache\apache-tomcat-6.0.26\lib>java -cp catalina.jar org.apache.catalina.util.ServerInfo
Server version: Apache Tomcat/6.0.26 Server built: March 9 2010 1805 Server number: 126.96.36.199 OS Name: Windows 7 OS Version: 6.1 Architecture: amd64 JVM Version: 1.8.0_131-b11 JVM Vendor: Oracle Corporation
By adding the server attribute in server.xml
This approach will disclose the Apache Tomcat version in the response header not in the error page.
server.xml path : C:/<Apache-Tomcat-Installation-Directory>/conf/server.xml
Note: Take server.xml as backup for safe purpose.
<Connector port="8084" protocol="HTTP/1.1" connectionTimeout="20000" enableLookups="false" redirectPort="8443" server="Apache Tomcat" />
This is the easy-st way to disclose the Apache Tomcat server version.
You can find the changes highlighted in yellow color in the below image.
You can see the error page still having the Apache Tomcat Server Version details as follows
To disclose the above Apache Tomcat server version in the error page, we can follow the Approach 2 or Approach 3 in the below
By modifying the ServerInfo.properties which is exist inside catalina.jar. Need to extract the file and then modify and add it into the same place. You can find the below steps how to modify serverinfo.properties.
ServerInfo.properties file location in
Take backup of catalina.jar file which is exist in this location C:/<Apache-Tomcat-Installation-Directory>/lib/catalina.jar
Create folder inside lib folder like catalina and then copy the jar into it. and then extract the jar as follows.
C:\Users\narayanatutorial>cd D:\Tools\Apache\apache-tomcat-6.0.26\lib D:\Tools\Apache\apache-tomcat-6.0.26\lib>mkdir catalina D:\Tools\Apache\apache-tomcat-6.0.26\lib>cd catalina D:\Tools\Apache\apache-tomcat-6.0.26\lib\catalina>jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
And then you can find the ServerInfo.properties file in that location and then open it in notepad to edit.
server.info=Apache Tomcat/8.5.4 server.number=188.8.131.52 server.built=Jul 6 2016 08:43:30 UTC
Here you can modify the server.info=Apache Tomcat/8.5.4 to server.info=Apache Tomcat and then save it.
After saving, you have to add it into same place into catalina.jar by executing the following command.
D:\Tools\Apache\apache-tomcat-6.0.26\lib\catalina>jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
And then copy the catalina.jar into main location C:/<Apache-Tomcat-Installation-Directory>/lib/
If it will ask replace then you can replace it and then start the Apache Tomcat Server and check the same way as follows.
D:\Tools\Apache\apache-tomcat-6.0.26\lib>java -cp catalina.jar org.apache.catalina.util.ServerInfo Output server.info=Apache Tomcat server.number=184.108.40.206 server.built=Jul 6 2016 08:43:30 UTC
- Open command prompt
- Go to Tomcat lib folder
- Create folder like org/apache/catalina/util
D:\Tools\Apache\apache-tomcat-6.0.26\lib>mkdir org\apache\catalina\util D:\Tools\Apache\apache-tomcat-6.0.26\lib>
- Create empty file like ServerInfo.properties inside org/apache/catalina/util
- Add the line like server.info=Apache Tomcat Version X
- Save it
- Restart / Start the Tomcat server
After starting the server, you can give any wrong application url or tomcat wrong url then you can see the below output.
I hope you understood now to disable Apache Tomcat Server version in the response header and error page with different approaches to fix security issue. Please reply a comment if any assistance required.
Hello! I am Narayanaswamy founder and admin of narayanatutorial.com. I have been working in IT industry more than 7 years. NarayanaTutorial is my web technologies blog. My specialties are Java / J2EE, Spring, Hibernate, Struts, Webservices, PHP, Oracle, MySQL, SQLServer, Web Hosting and Website Development.
I am a self learner and passionate about training and writing. I am always trying my best to share my knowledge through my blog.