Thursday Jun 11, 2009
If your security auditor says you need to disable directory listing in your Web Server 6.1 SPx, you can do this in the Admin GUI: Document Preferences - Directory Indexing - None. You can also add an error response page to send back when a request asks for a directory index.
The obj.conf will then contain a line like the one below:
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="send-error" path="/export/home/iws6.1sp9/docs/error.html"
Restart the server for the change to take effect.
If you instead just comment out the default line below,
#Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
then the end user will see "Method Not Allowed" in the browser when they request a directory listing; they will not see the custom error page configured above.
Tuesday Jun 24, 2008
For security reasons, it is sometimes necessary to disable the TRACE method in Sun Java System Web Server; see
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200171-1
One common mistake happens when you just cut and paste the following into the telnet window while editing obj.conf:
"
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
"
You must remove the leading spaces in front of <Client...> and </Client>.
Also, the long AuthTrans line is ONE SINGLE line.
Then restart the server and test it.
e.g. in my environment:
<Object name="default">
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
....
Then customers can test that TRACE is disabled, e.g.
apple:/export/home/iws6.1sp8/https-trace-1/config> telnet apple.asia 60012
Trying 129.158.175.16...
Connected to apple.asia.sun.com.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: apple.asia
HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 24 Jun 2008 07:31:35 GMT
Content-length: 148
Content-type: text/html
Connection: close
<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.
Without the change above to disable TRACE, you will see the default response below:
apple:/export/home/iws6.1sp7> telnet apple.asia 61701
Trying 129.158.175.16...
Connected to apple.asia.sun.com.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: apple.asia
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 24 Jun 2008 07:33:50 GMT
Content-type: message/http
Transfer-encoding: chunked
0026
TRACE / HTTP/1.1
Host: apple.asia
0
I hope the above helps customers check whether TRACE is disabled correctly after their change.
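To automate the check the two telnet sessions above perform by hand, here is an added example (not from the original post): a small Python probe that sends one TRACE request, decodes the chunked echo, and reports whether the method is still enabled. The host, port and the two sample responses are constructed for illustration.

```python
import socket

def decode_chunked(data: bytes) -> bytes:
    """Decode a chunked transfer-encoded body (chunk sizes are hex, like the 0026 above)."""
    out = bytearray()
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip() or b"0", 16)
        if size == 0:
            return bytes(out)
        out += data[:size]
        data = data[size + 2:]  # skip the chunk data plus its trailing CRLF

def parse_http_response(raw: bytes) -> dict:
    """Split a raw HTTP/1.x response into status code, lower-cased headers and decoded body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(body)
    return {"status": status, "headers": headers, "body": body}

def trace_enabled(resp: dict) -> bool:
    """TRACE is still live when the server answers 200 and echoes the request (message/http)."""
    ctype = resp["headers"].get("content-type", "").lower()
    return resp["status"] == 200 and (ctype.startswith("message/http")
                                      or b"TRACE / HTTP/1.1" in resp["body"])

def probe_trace(host: str, port: int, timeout: float = 5.0) -> dict:
    """Send one TRACE request over a plain socket (like the telnet session) and classify it."""
    request = f"TRACE / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while data := sock.recv(4096):
            chunks.append(data)
    resp = parse_http_response(b"".join(chunks))
    resp["trace_enabled"] = trace_enabled(resp)
    return resp

# Constructed responses modelled on the two telnet sessions above, not captured from a live host.
DISABLED_RESPONSE = (b"HTTP/1.1 501 Not Implemented\r\nServer: Sun-ONE-Web-Server/6.1\r\n"
                     b"Content-length: 148\r\nContent-type: text/html\r\nConnection: close\r\n\r\n"
                     b"<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD></HTML>")
ENABLED_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Sun-ONE-Web-Server/6.1\r\n"
                    b"Content-type: message/http\r\nTransfer-encoding: chunked\r\n\r\n"
                    b"0026\r\nTRACE / HTTP/1.1\r\nHost: apple.asia\r\n\r\n\r\n0\r\n\r\n")
```

Run `probe_trace("apple.asia", 60012)` against your own instance after the restart; a result with `trace_enabled` still True means the Client block was not picked up (usually the leading-space or line-wrap mistake described above).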