How to hide details and stack trace information in the error pages of your Crowd environment
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
In its default configuration, as supplied with Crowd Data Center, Apache Tomcat discloses information such as product version and stack traces.
Some customers may find this level of detail excessive, as it could be flagged in security scans or penetration tests and considered a potential security risk.
Environment
Crowd Data Center 5.1 or newer
Diagnosis
When an error such as "page not found" is triggered, Tomcat's standard error page reports the HTTP status together with the product version (screenshot omitted).
To generate a "404 - Not Found" error, navigate to any non-existent page under the Crowd base URL, for example <BASEURL>/crowd/thispagedoesnotexists
Other errors might also include Java stack traces, which in turn might provide details such as file system paths, database details, etc.
Cause
Default error reporting configuration on Apache Tomcat might be considered too verbose in some situations.
Solution
To reduce the amount of information reported on errors, add an ErrorReportValve entry to Tomcat's configuration. Follow the steps below:
1. Edit the file <install-directory>/apache-tomcat/conf/server.xml
2. Locate the line that begins with "<Host" (the <Host> element inside <Engine>).
3. Immediately below that line, insert the following element:
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
4. Save the changes and exit.
5. Restart the application for the changes to take effect.
Here showReport="false" suppresses the error description and any exception stack trace, and showServerInfo="false" suppresses the Tomcat version banner; both default to true when the valve is absent.
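One way to confirm that the valve is actually in place after editing server.xml, as an added example that is not code from the Atlassian article or from Crowd: the script below parses a server.xml and reports whether every <Host> carries an ErrorReportValve with both showReport and showServerInfo set to false. The two server.xml fragments inside it are constructed samples shaped like a trimmed Tomcat configuration, not a real Crowd installation's file, and the path in audit_file() is the one the article names.

```python
"""Audit a Tomcat server.xml for the ErrorReportValve change described above.

This is an added example; it is not code from the Atlassian article or from
Crowd. It checks that every <Host> element carries a <Valve> with
className="org.apache.catalina.valves.ErrorReportValve" and both
showReport="false" and showServerInfo="false". The two server.xml fragments
below are constructed samples shaped like a trimmed Tomcat configuration, not a
real Crowd installation's file.
"""
import xml.etree.ElementTree as ET

ERROR_REPORT_VALVE = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample: a default-style server.xml with no ErrorReportValve.
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8095" protocol="HTTP/1.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Context path="/crowd" docBase="../../crowd-webapp" />
      </Host>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the same file after step 3 of the solution (valve inserted
# directly below the <Host ...> line).
VALVE_LINE = ('<Valve className="org.apache.catalina.valves.ErrorReportValve" '
              'showReport="false" showServerInfo="false" />')
HARDENED_SERVER_XML = DEFAULT_SERVER_XML.replace(
    'autoDeploy="true">', 'autoDeploy="true">\n        ' + VALVE_LINE, 1)


def error_report_valves(server_xml: str) -> list:
    """List every ErrorReportValve found directly under a <Host>.

    Each entry records the host name and the two attributes of interest. Missing
    attributes are reported as "true" because that is Tomcat's default for both.
    """
    root = ET.fromstring(server_xml)
    found = []
    for host in root.iter("Host"):
        for valve in host.findall("Valve"):
            if valve.get("className") != ERROR_REPORT_VALVE:
                continue
            found.append({
                "host": host.get("name"),
                "showReport": valve.get("showReport", "true").strip().lower(),
                "showServerInfo": valve.get("showServerInfo", "true").strip().lower(),
            })
    return found


def is_hardened(server_xml: str) -> bool:
    """True only if every <Host> has an ErrorReportValve with both flags off."""
    root = ET.fromstring(server_xml)
    hosts = list(root.iter("Host"))
    if not hosts:
        return False
    valves = error_report_valves(server_xml)
    for host in hosts:
        matching = [v for v in valves
                    if v["host"] == host.get("name")
                    and v["showReport"] == "false"
                    and v["showServerInfo"] == "false"]
        if not matching:
            return False
    return True


def audit_file(path: str) -> bool:
    """Audit a real file, e.g. <install-directory>/apache-tomcat/conf/server.xml."""
    with open(path, encoding="utf-8") as fh:
        return is_hardened(fh.read())


if __name__ == "__main__":
    print("default server.xml hardened:", is_hardened(DEFAULT_SERVER_XML))   # False
    print("patched server.xml hardened:", is_hardened(HARDENED_SERVER_XML))  # True
```

Run it without arguments to see the two constructed samples evaluated, or call audit_file() on the real server.xml path from step 1. Treating a missing attribute as "true" matters: a valve line that sets only showReport="false" still leaves the version banner in place, and the audit reports that as not hardened.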
To verify that the solution is working, try again to access a non-existent page (for example http://<BASEURL>/crowd/thispagedoesnotexists).
Error pages should now show only the HTTP status line, with no product version or stack traces.