
Embedded Tomcat Hardening - How to alter/override Advertised server information in Spring boot?


I've been digging into how to do 'tomcat hardening' on embedded Tomcat and I can't find a way to alter these 3 Catalina server info properties: server.info, server.built, server.number

Is there a way to alter those 3 properties in spring application.property file? Or by any other means?

The configuration below is a guide for hardening a Tomcat server, specifically ServerInfo.properties, but NOT for embedded Tomcat.

Rationale:
Altering the server.info attribute may make it harder for attackers to determine which vulnerabilities affect the server platform.

Required Configuration:

Perform the following to alter the server platform string that gets displayed when clients connect to the Tomcat server.

  1. Extract the ServerInfo.properties file from the catalina.jar file:
       $ cd $CATALINA_HOME/lib
       $ jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
  2. Navigate to the util directory that was created:
       $ cd org/apache/catalina/util
  3. Open ServerInfo.properties in an editor.
  4. Update the server.info attribute in the ServerInfo.properties file:
       server.info=
  5. Update the catalina.jar with the modified ServerInfo.properties file:
       $ jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties

UPDATE:

I tried modifying the application fat jar by overwriting tomcat-embed-core-9.0.36 with a modified ServerInfo.properties in it. But when I start the application via Java, I get this error:

Caused by: java.lang.IllegalStateException: Unable to open nested entry 'BOOT-INF/lib/tomcat-embed-core-9.0.36.jar'. It has been compressed and nested jar files must be stored without compression. Please check the mechanism used to create your executable jar file
    at org.springframework.boot.loader.jar.JarFile.createJarFileFromFileEntry(JarFile.java:283)
    at org.springframework.boot.loader.jar.JarFile.createJarFileFromEntry(JarFile.java:265)
    at org.springframework.boot.loader.jar.JarFile.getNestedJarFile(JarFile.java:254)
    ... 6 more


Solution

  • Came up with 2 solutions:

    1. Fat Jar approach -> ServerInfo.properties in tomcat-embed-core.jar is patched and the executable fat jar is packaged during the build. But this requires the patched tomcat-embed-core.jar to be in the repo/artifactory for it to work.

    2. Thin Jar approach -> the executable jar is separate from the external libraries, using spring-boot-thin-layout & spring-boot-thin-maven-plugin (for building). This externalizes the dependencies so you can patch any jar file locally without corrupting the executable thin jar.

    At this moment, these are the 2 ways I can think of to harden embedded Tomcat in Spring Boot apps.

    I will mark this as the answer until somebody comes up with a better solution.
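The patching procedure from the quoted guide (extract ServerInfo.properties, edit the three keys, write it back into the jar) applied to a tomcat-embed-core jar, as an added example that is not part of the question or the answer. It uses Python's zipfile in place of the `jar` tool so it runs offline; the core jar and the Spring Boot fat jar it builds are constructed stand-ins with made-up values, not real Tomcat or Spring Boot artifacts, and the replacement values ("Web", "unknown", "0.0.0.0") are sample choices. It also reproduces the failure from the UPDATE: a fat jar whose nested jar entry is deflated rather than stored is the layout the Spring Boot loader rejects, and compressed_nested_jars() reports such entries before the jar is ever launched.

```python
import os
import shutil
import tempfile
import zipfile

# Location of the file inside catalina.jar / tomcat-embed-core-*.jar (from the question)
SERVER_INFO_ENTRY = "org/apache/catalina/util/ServerInfo.properties"
# The three properties the question asks about
PATCHABLE_KEYS = ("server.info", "server.built", "server.number")


def rewrite_properties(text, overrides):
    """Replace the given keys in a Java .properties text, appending any that are
    missing. Comment lines and unrelated keys are left untouched."""
    remaining = dict(overrides)
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and stripped[0] not in "#!" and "=" in stripped:
            key = stripped.split("=", 1)[0].strip()
            if key in remaining:
                out.append(f"{key}={remaining.pop(key)}")
                continue
        out.append(line)
    out.extend(f"{key}={value}" for key, value in remaining.items())
    return "\n".join(out) + "\n"


def patch_server_info(jar_path, overrides):
    """Same effect as `jar xf`, edit, `jar uf`: rewrite the jar with a patched
    ServerInfo.properties. Every other entry keeps its bytes and its
    compression method (writestr honours the ZipInfo's compress_type)."""
    unknown = set(overrides) - set(PATCHABLE_KEYS)
    if unknown:
        raise ValueError(f"not a ServerInfo key: {sorted(unknown)}")
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        if SERVER_INFO_ENTRY not in src.namelist():
            raise FileNotFoundError(f"{SERVER_INFO_ENTRY} missing from {jar_path}")
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == SERVER_INFO_ENTRY:
                data = rewrite_properties(data.decode("utf-8"), overrides).encode("utf-8")
            dst.writestr(info, data)
    os.replace(tmp_path, jar_path)


def read_server_info(jar_path):
    """Read the three properties back so the patch can be verified."""
    with zipfile.ZipFile(jar_path) as jar:
        text = jar.read(SERVER_INFO_ENTRY).decode("utf-8")
    values = {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and stripped[0] not in "#!" and "=" in stripped:
            key, value = stripped.split("=", 1)
            values[key.strip()] = value.strip()
    return {key: values.get(key) for key in PATCHABLE_KEYS}


def compressed_nested_jars(fat_jar_path):
    """Spring Boot's loader only opens nested jars that are STORED, not
    DEFLATED (the IllegalStateException in the update). List the offenders."""
    with zipfile.ZipFile(fat_jar_path) as jar:
        return [info.filename for info in jar.infolist()
                if info.filename.endswith(".jar")
                and info.compress_type != zipfile.ZIP_STORED]


def make_sample_core_jar(path):
    """Constructed stand-in for tomcat-embed-core.jar; the values are made up."""
    props = ("# constructed sample, not Tomcat's real file\n"
             "server.info=Apache Tomcat/9.0.x-sample\n"
             "server.number=9.0.0.0\n"
             "server.built=Jan 1 1970 00:00:00 UTC\n")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(SERVER_INFO_ENTRY, props)


def make_sample_fat_jar(path, nested_jar, stored):
    """Constructed stand-in for a Spring Boot executable jar nesting the core jar."""
    method = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("BOOT-INF/classes/application.properties", "server.port=8080\n")
        jar.write(nested_jar, "BOOT-INF/lib/" + os.path.basename(nested_jar),
                  compress_type=method)


def demo():
    """Run the procedure on the constructed samples and return what a reviewer
    would check: values before/after, an untouched entry, and which fat-jar
    layout the Spring Boot loader would reject."""
    workdir = tempfile.mkdtemp()
    try:
        core = os.path.join(workdir, "tomcat-embed-core-sample.jar")
        make_sample_core_jar(core)
        before = read_server_info(core)
        # Generic replacement values; "Web" and "unknown" are sample choices
        patch_server_info(core, {"server.info": "Web", "server.number": "0.0.0.0",
                                 "server.built": "unknown"})
        after = read_server_info(core)
        with zipfile.ZipFile(core) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
        good = os.path.join(workdir, "app-stored.jar")
        bad = os.path.join(workdir, "app-deflated.jar")
        make_sample_fat_jar(good, core, stored=True)
        make_sample_fat_jar(bad, core, stored=False)
        return {"before": before, "after": after, "manifest": manifest,
                "rejected_in_stored": compressed_nested_jars(good),
                "rejected_in_deflated": compressed_nested_jars(bad)}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For the fat-jar approach in the answer, run patch_server_info() against the tomcat-embed-core jar before it is placed in the repository, then let the Spring Boot plugin package it; repackaging the already-built executable with a generic zip tool is what produces the deflated nested entry, which compressed_nested_jars() flags. For the thin-jar approach the patched core jar simply replaces the external copy on disk, so the executable is never rewritten.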