Every time I update Jetty, I eventually get around to repeating the same configurations. This entry documents what I've found to be useful towards setting up a production-ready instance of jetty that has limited risk exposure.
Remove sample webapps
Delete all files under webapps\** - also, enable jetty-plus web apps at the same time (all my apps tend to use jndi and connection pools)
Disable default favico
Change etc/jetty.xml to stop serving the default favicon - find DefaultHandler add this serveIcon false setting:
<New id="DefaultHandler" class="org.mortbay.jetty.handler.DefaultHandler">
<Set name="serveIcon">false</Set>
</New>
Conceal server name/version header
Put this under server elements in both jetty.xml and jetty-plus.xml:
<Configure id="Server" class="org.mortbay.jetty.Server">
<Set name="sendServerVersion">false
...
Configure a default/ROOT webapp
Inside this webapp, use Jetty's error code range mappings to do something like this:
<get name="errorHandler">
<call name="addErrorPage">
<arg type="int">300</arg>
<arg type="int">599</arg>
<arg type="String">/WEB-INF/ERROR/generic.jsp</arg>
</call>
</get>
Change the default session cookie name
Normally, J2EE containers send a JSESSIONID cookie in the first request. But why even expose the fact that you're running a servlet container in the first place? Customize this cookie's name using the following in web.xml:
<context-param>
<param-name>org.mortbay.jetty.servlet.SessionCookie</param-name>
<param-value>XSESSIONID</param-value>
</context-param>
<context-param>
<param-name>org.mortbay.jetty.servlet.SessionURL</param-name>
<param-value>none</param-value>
</context-param>
That second setting disables URL session cookies.
The remainder of these notes addresses configuration items that have nothing to do with hardening - these are just convenient reminders to myself.
Add datasources
Under the Configure element for org.mortbay.jetty.Server, add resource definitions as needed.
Here is one example of a datasource with a pool defined using Apache DBCP (put all jars in etc/lib/ext):
Add MIME mappings for required content types
Add the MIME mappings you'll need to etc/webdefault.xml - a few I have used are:
<mime-mapping>
<extension>jad</extension>
<mime-type>text/vnd.sun.j2me.app-descriptor</mime-type>
</mime-mapping>
<mime-mapping>
<extension>cod</extension>
<mime-type>application/vnd.rim.cod</mime-type>
</mime-mapping>
Replace the DefaultHandler with a custom class
The default handler automatically lists all contexts configured for the webapp, which is not something you typically want in a production environment.
What other customizations would you recommend for locking Jetty down at initial setup?