UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Security Token Service must have mappings set for Java servlet pages.


Overview

Finding ID Version Rule ID IA Controls Severity
V-239664 VCST-67-000013 SV-239664r679064_rule Medium
Description
Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and identify which file types are not to be delivered to a client. By not specifying which files can and cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. As Tomcat is a Java-based web server, the main file extension used is *.jsp. This check ensures that the *.jsp and *.jspx file types have been properly mapped to servlets.
STIG Date
VMware vSphere 6.7 STS Tomcat Security Technical Implementation Guide 2021-04-15

Details

Check Text ( C-42897r679062_chk )
At the command prompt, execute the following command:

# xmllint --format /usr/lib/vmware-sso/vmware-sts/conf/web.xml | sed '2 s/xmlns=".*"//g' | xmllint --xpath '/web-app/servlet-mapping/servlet-name[text()="jsp"]/parent::servlet-mapping' -

Expected result:


jsp
*.jsp
*.jspx


If the output of the command does not match the expected result, this is a finding.
Fix Text (F-42856r679063_fix)
Navigate to and open /usr/lib/vmware-sso/vmware-sts/conf/web.xml.

Inside the parent node, add the following:


jsp
*.jsp
*.jspx