IT-Administrators and Web 2.0 Developers are always working under pressure, and there’s lack of time to find all the security vulnerabilies in the used software products, Open Source as well as commercial products. In times, where most of the attacks against Web 2.0 apps are within the HTTP / HTTPS Protocol e.g. SQL-Injection, Cross Site Scripting and so on, its important, that the installation of Web Stack components are secure by default.

An example: A basic rule for a secure web configuration since over a decade is the have directory listings switched off in web servers and app servers.

What about glassfish 2.0 and security, are there any concerns?

Back to the directory listing example.

The Glassfish default is to have directory listings on and you have to modify the

glassfish/domains/domain1/config/default-web.xml

to have a secure glassfish configuration, as also mentioned by hobione.

Another thing are the default HTTP headers from glassfish. They’re too noisy by default, they’re tellling everyone in the web, which version of glassfish you’re using:

Server: Sun Java System Application Server 9.1

X-Powered-By:Servlet/2.5

So my suggestion for the glassfish project members is to modify

these defaults to a secure ones, this means

• Directory Listing “off”
• HTTP Header at least without any software version information