Issue
- When navigating to some incorrectly crafted URLs (e.g. https://localhost:8080/api/jsonws/user/get-user-by-email-address/company-id/20154/email-address/test%40Iiferay.com?p_auth=[value]), it is possible to generate portal errors whose stack traces are printed on the page, exposing technical information to the public.
Environment
- Any Liferay DXP Tomcat bundle
Resolution
- The root cause of the issue is that the default Tomcat configuration in server.xml has error reports enabled, divulging such information.
- In order to disable error reports, you must add the following configuration to your $TOMCAT_HOME/conf/server.xml, under the <Host> XML section:
<Valve className="org.apache.catalina.valves.ErrorReportValve"
showReport="false"
showServerInfo="false" />
- An example of a complete server.xml with error reporting disabled is below:
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
  <Listener className="org.apache.catalina.security.SecurityListener" checkedOsUsers="root" minimumUmask="0007"/>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off"/>
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
  <GlobalNamingResources/>
  <Service name="Catalina">
    <Connector acceptorThreadCount="2"
               bindOnInit="false"
               connectionTimeout="20000"
               enableLookups="false"
               maxHttpHeaderSize="65536"
               maxPostSize="4194304"
               maxThreads="200"
               minSpareThreads="50"
               port="8080"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               server=""
               URIEncoding="UTF-8" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto"/>
        <!-- BEGIN: REMOVE TOMCAT ERROR REPORTS -->
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false"
               showServerInfo="false" />
        <!-- END: REMOVE TOMCAT ERROR REPORTS -->
      </Host>
    </Engine>
  </Service>
</Server>
- On DXP Cloud you must deploy the modified server.xml to the desired environment by placing it in the folder $REPO/liferay/configs/$ENVIRONMENT/tomcat/conf/server.xml and triggering a deployment of the liferay service.
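One way to check that a server.xml actually carries this setting on every <Host>, as an added example (not Liferay's or Tomcat's own tooling). The function name audit_server_xml and the sample XML strings are assumptions constructed for illustration; the check relies on showReport and showServerInfo defaulting to true in Tomcat when omitted.

```python
import sys
import xml.etree.ElementTree as ET

ERROR_REPORT_VALVE = "org.apache.catalina.valves.ErrorReportValve"
REQUIRED_FALSE = ("showReport", "showServerInfo")

def audit_server_xml(xml_text):
    """Return findings per <Host>; an empty list means error reports are off."""
    findings = []
    for host in ET.fromstring(xml_text).iter("Host"):
        name = host.get("name", "(unnamed)")
        valves = [v for v in host.findall("Valve")
                  if v.get("className") == ERROR_REPORT_VALVE]
        if not valves:
            # Without an explicit valve, Tomcat applies its default error report.
            findings.append(f"{name}: ErrorReportValve not configured")
        for valve in valves:
            for attr in REQUIRED_FALSE:
                # Both attributes default to "true" when omitted.
                value = valve.get(attr, "true").strip().lower()
                if value != "false":
                    findings.append(f"{name}: {attr}={value}")
    return findings

# Constructed sample inputs (hypothetical, trimmed to the relevant elements).
_TEMPLATE = ('<Server><Service name="Catalina"><Engine name="Catalina">'
             '<Host name="localhost" appBase="webapps">{valve}</Host>'
             '</Engine></Service></Server>')
HARDENED = _TEMPLATE.format(valve=(
    '<Valve className="org.apache.catalina.valves.ErrorReportValve" '
    'showReport="false" showServerInfo="false"/>'))
PARTIAL = _TEMPLATE.format(valve=(
    '<Valve className="org.apache.catalina.valves.ErrorReportValve" '
    'showReport="false"/>'))
DEFAULT = _TEMPLATE.format(valve="")

if __name__ == "__main__":
    # Usage: python audit_server_xml.py $TOMCAT_HOME/conf/server.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:  # bytes: parser honors the XML declaration
            results = audit_server_xml(handle.read())
    else:
        results = audit_server_xml(DEFAULT)
    print("\n".join(results) or "OK: error reports disabled on every Host")
    sys.exit(1 if results else 0)
```

The non-zero exit status on any finding lets the check gate a deployment, for example before triggering the liferay service build on DXP Cloud.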
Additional Information
- Apache Tomcat is supported on Liferay DXP and LXC products and services, but it's still a 3rd-party tool which is bound to our Application Server Support Policy and specifically the Tomcat Support Policy. Please refer to the developer's documentation for in-depth configuration.
- Apache Tomcat Documentation: Error Report Valve