When you deploy IT components like operating systems, application servers and web servers in a Web 2.0 hosting environment, it’s very important to have a hardened configuration before your public launch, i.e. before your web apps are reachable from the internet on HTTP ports 80 and 443. In environments without firewalls, e.g. on cheap “root servers”, you’re often online and connected to all internet users, hackers included, right after the initial setup of your Web Stack.
IT administrators and Web 2.0 developers are always working under pressure, and there’s a lack of time to find all the security vulnerabilities in the software products used, Open Source as well as commercial products. In times where most of the attacks against Web 2.0 apps happen within the HTTP / HTTPS protocol, e.g. SQL injection, Cross Site Scripting and so on, it’s important that the installation of Web Stack components is secure by default.
An example: a basic rule for a secure web configuration for over a decade has been to have directory listings switched off in web servers and app servers.
What about glassfish 2.0 and security, are there any concerns?
Back to the directory listing example.
The Glassfish default is to have directory listings on and you have to modify the
to have a secure glassfish configuration, as also mentioned by hobione.
Another thing is the default HTTP headers from glassfish. They’re too noisy by default; they’re telling everyone on the web which version of glassfish you’re using:
Server: Sun Java System Application Server 9.1
So my suggestion for the glassfish project members is to modify these defaults to secure ones, which means:
- Directory Listing “off”
- HTTP Header at least without any software version information
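As an added example (not from the original post and not glassfish project code), here is a small Python check an administrator can run against their own server after hardening to confirm that both defaults discussed above are fixed: it flags a `Server` or `X-Powered-By` header that still carries a version number, and a response body that looks like an auto-generated directory index. The two sample responses are constructed for the example; the version-bearing header value is the one quoted in the post, and the listing-page markers are heuristics, not a glassfish specification.

```python
"""Post-launch hardening check for two noisy app-server defaults:
a version-revealing Server header and directory listings left enabled.
Added example code; the sample responses below are constructed."""
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Matches a dotted version number such as the "9.1" in
# "Sun Java System Application Server 9.1".
VERSION_RE = re.compile(r"\d+(\.\d+)+")

# Strings typical of an auto-generated directory index page (heuristic, constructed).
LISTING_MARKERS = ("directory listing for", "index of /", 'href="../"', "parent directory")

# Constructed sample: the noisy defaults described in the post.
DEFAULT_RESPONSE = (
    {"Server": "Sun Java System Application Server 9.1", "Content-Type": "text/html"},
    '<html><head><title>Directory Listing For /images/</title></head>'
    '<body><a href="../">Up to /</a><a href="logo.png">logo.png</a></body></html>',
)

# Constructed sample: hardened configuration, no version and no listing.
HARDENED_RESPONSE = (
    {"Server": "Application Server", "Content-Type": "text/html"},
    "<html><body>Forbidden</body></html>",
)


def noisy_headers(headers):
    """Return the names of response headers that disclose a software version."""
    noisy = []
    for name, value in headers.items():
        if name.lower() in ("server", "x-powered-by") and VERSION_RE.search(value):
            noisy.append(name)
    return noisy


def looks_like_directory_listing(body):
    """Heuristic: does the body contain markers of an auto-generated index page?"""
    lowered = body.lower()
    return any(marker in lowered for marker in LISTING_MARKERS)


def assess(headers, body):
    """Return a list of human-readable findings; an empty list means both checks pass."""
    findings = []
    for name in noisy_headers(headers):
        findings.append(f"header {name!r} discloses a software version: {headers[name]!r}")
    if looks_like_directory_listing(body):
        findings.append("response looks like an auto-generated directory listing")
    return findings


def assess_url(url, timeout=5):
    """Live check against your own server: request a directory path that should
    not be listed (e.g. an images folder) and assess the response. Error
    responses are assessed too, since their headers are just as revealing."""
    try:
        resp = urlopen(Request(url, headers={"User-Agent": "hardening-check"}), timeout=timeout)
    except HTTPError as err:  # 403/404 etc. still carry headers and a body
        resp = err
    headers = dict(resp.headers.items())
    body = resp.read(65536).decode("utf-8", "replace")
    return assess(headers, body)


if __name__ == "__main__":
    for label, (hdrs, body) in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, assess(hdrs, body) or ["ok"])
```

Run it as-is to see the two constructed samples assessed, or call `assess_url("http://your-host/images/")` against a server you administer; a clean result is an empty findings list.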