Glassfish security vulnerability

When you deploy IT components such as operating systems, application servers and web servers in a Web 2.0 hosting environment, it is very important to have a hardened configuration before the public launch, i.e. before your web apps are reachable from the internet on HTTP ports 80 and 443. In environments without a firewall, e.g. on cheap "root servers", you are often online and exposed to every internet user, attackers included, right after the initial setup of your web stack.

IT administrators and Web 2.0 developers are always working under pressure, and there is a lack of time to find all the security vulnerabilities in the software products in use, open source as well as commercial. In times where most attacks against Web 2.0 apps travel inside the HTTP/HTTPS protocol, e.g. SQL injection, cross-site scripting and so on, it is important that the installation of web stack components is secure by default.

An example: a basic rule for a secure web configuration, for more than a decade now, is to have directory listings switched off in web servers and app servers.

What about GlassFish 2.0 and security, are there any concerns?

Back to the directory listing example.

The GlassFish default is to have directory listings on, and you have to modify the

to have a secure GlassFish configuration, as hobione also mentioned.

Another thing is the default HTTP headers from GlassFish. They are too noisy by default; they tell everyone on the web which version of GlassFish you are running:

Server: Sun Java System Application Server 9.1


So my suggestion to the GlassFish project members is to change these defaults to secure ones, which means:

  • Directory Listing “off”
  • HTTP Header at least without any software version information
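Both points above (the "listings" init-param in default-web.xml and the version-revealing Server header) can be checked and fixed from a shell. The script below is an added example, not code from the post or from the GlassFish project. It assumes the GlassFish v2 layout of default-web.xml, where the DefaultServlet carries a "listings" init-param (the file written here is a constructed, minimal stand-in for /gf-install-dir/domains/domain1/config/default-web.xml), that a version leak means a Server or X-Powered-By header containing a dotted number, and that a directory index page carries the "Directory Listing For" title that Tomcat-derived DefaultServlets emit; adjust these for your build.

```shell
#!/bin/sh
# Added example, not code from the post or the GlassFish project.
# Assumptions: default-web.xml declares the DefaultServlet with a
# "listings" init-param (GlassFish v2 layout); a "version leak" is a
# Server or X-Powered-By header containing a dotted number; a directory
# index page carries the title "Directory Listing For".

# Constructed, minimal stand-in for
# /gf-install-dir/domains/domain1/config/default-web.xml.
write_sample_default_web_xml() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
EOF
}

# Print the current value of the DefaultServlet "listings" init-param
# (the param-value line that follows the "listings" param-name line).
listings_value() {
  awk '/<param-name>listings<\/param-name>/ { found = 1; next }
       found && /<param-value>/ {
         sub(/.*<param-value>/, ""); sub(/<\/param-value>.*/, ""); print; exit
       }' "$1"
}

# Rewrite the "listings" init-param to false and leave everything else as is.
disable_listings() {
  awk '/<param-name>listings<\/param-name>/ { found = 1 }
       found && /<param-value>/ {
         sub(/<param-value>[^<]*<\/param-value>/, "<param-value>false</param-value>")
         found = 0
       }
       { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Exit 0 when a response header block (stdin) reveals a product version
# in Server or X-Powered-By, 1 otherwise.
# Real use:  curl -sI http://host/ | version_leak_check && echo "version leaks"
version_leak_check() {
  awk -F': ' '
    tolower($1) == "server" || tolower($1) == "x-powered-by" {
      if ($2 ~ /[0-9]+\.[0-9]+/) leak = 1
    }
    END { exit leak ? 0 : 1 }'
}

# Exit 0 when a response body (stdin) looks like a DefaultServlet
# directory index, 1 otherwise.
# Real use:  curl -s http://host/images/ | listing_check && echo "listing on"
listing_check() {
  grep -qi 'Directory Listing For'
}

# Walk-through on a temporary copy; run as:  sh harden-check.sh --demo
demo() {
  dir=$(mktemp -d)
  f="$dir/default-web.xml"
  write_sample_default_web_xml "$f"
  echo "listings before: $(listings_value "$f")"
  disable_listings "$f"
  echo "listings after:  $(listings_value "$f")"
  # Constructed header block, modelled on the one quoted in the post.
  printf 'HTTP/1.1 200 OK\r\nServer: Sun Java System Application Server 9.1\r\n' \
    | version_leak_check && echo "Server header reveals the version"
  rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

After editing default-web.xml the domain has to be restarted for the change to take effect. For the Server header itself, GlassFish v2 and v3 build the value from the `product.name` system property, so `asadmin create-jvm-options '-Dproduct.name='` plus a restart blanks it; that property is not mentioned on this page, so verify it against the documentation of your release before relying on it.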

8 thoughts on "Glassfish security vulnerability"

  1. Pingback: Heard on the blogosphere… | sun


  3. Andy

    Do you know how to remove that part from the header? Is there an option or is it necessary to implement a filter or something which removes these entries?

  4. Pingback: security vulnerability -

  5. Pingback: Glassfish security vulnerability | Thorleif Wiik « Social Computing Technology

  6. baltixz

    Usually, server info in headers appears on a 404 page not found or similar errors. The following turns off the directory listing in GlassFish and sets a custom error page. Change the values accordingly.

    [Disable directory listing, to be modified in /gf-install-dir/domains/domain1/config/default-web.xml]

    [Custom error page, to be modified in /gf-install-dir/domains/domain1/config/domain.xml]
