Tuesday, September 29, 2009

Jetty 6.1.x hardening

By day, I am a web developer using Java. At work I'm forced to used RAD 6.0, Websphere and JDK 1.4. But on my own time, I favor Jetty for its light weight and ease of use.

Every time I update Jetty, I eventually get around to repeating the same configurations. This entry documents what I've found to be useful towards setting up a production-ready instance of jetty that has limited risk exposure.


Remove sample webapps

Delete all files under webapps\** - also, enable jetty-plus web apps at the same time (all my apps tend to use jndi and connection pools)

Disable default favico

Change etc/jetty.xml to stop serving the default favicon - find DefaultHandler add this serveIcon false setting:

<New id="DefaultHandler" class="org.mortbay.jetty.handler.DefaultHandler">
<Set name="serveIcon">false</Set>
</New>


Conceal server name/version header

Put this under server elements in both jetty.xml and jetty-plus.xml:

<Configure id="Server" class="org.mortbay.jetty.Server">
<Set name="sendServerVersion">false
...


Configure a default/ROOT webapp

Inside this webapp, use Jetty's error code range mappings to do something like this:

<get name="errorHandler">
<call name="addErrorPage">
<arg type="int">300</arg>
<arg type="int">599</arg>
<arg type="String">/WEB-INF/ERROR/generic.jsp</arg>
</call>
</get>

Change the default session cookie name

Normally, J2EE containers send a JSESSIONID cookie in the first request. But why even expose the fact that you're running a servlet container in the first place? Customize this cookie's name using the following in web.xml:

<context-param>
<param-name>org.mortbay.jetty.servlet.SessionCookie</param-name>
<param-value>XSESSIONID</param-value>
</context-param>
<context-param>
<param-name>org.mortbay.jetty.servlet.SessionURL</param-name>
<param-value>none</param-value>
</context-param>

That second setting disables URL session cookies.

The remainder of these notes addresses configuration items that have nothing to do with hardening - these are just convenient reminders to myself.

Add datasources

Under the Configure element for org.mortbay.jetty.Server, add resource definitions as needed.

Here is one example of a datasource with a pool defined using Apache DBCP (put all jars in etc/lib/ext):

<New id="TESTDB" class="org.mortbay.jetty.plus.naming.Resource">
<Arg></Arg>
<Arg>jdbc/TESTDB</Arg>
<Arg>
<New class="org.apache.commons.dbcp.BasicDataSource">
<Set name="driverClassName">com.ibm.db2.jcc.DB2Driver</Set>
<Set name="url">jdbc:db2://example.com:50000/TESTDB</Set>
<Set name="username">user</Set>
<Set name="password">pass</Set>
</New>
</Arg>
</New>


Add MIME mappings for required content types

Add the MIME mappings you'll need to etc/webdefault.xml - a few I have used are:

<mime-mapping>
<extension>jad</extension>
<mime-type>text/vnd.sun.j2me.app-descriptor</mime-type>
</mime-mapping>

<mime-mapping>
<extension>cod</extension>
<mime-type>application/vnd.rim.cod</mime-type>
</mime-mapping>

<!-- also add maps for ogg, others, etc. -->


Replace the DefaultHandler with a custom class


The default handler automatically lists all contexts configured for the webapp, which is not something you typically want in a production environment.



What other customizations would you recommend for locking Jetty down at initial setup?