
Embedded Tomcat Hardening - How to alter/override Advertised server information in Spring boot?

I've been digging into how to do 'tomcat hardening' on embedded Tomcat, and I can't find a way to alter these 3 Catalina server info properties: server.info, server.built, server.number

Is there a way to alter those 3 properties in the Spring application.properties file? Or by any other means?

The configuration below is a guide for hardening the Tomcat server, specifically via ServerInfo.properties, but NOT for embedded Tomcat:

Altering the server.info attribute may make it harder for attackers to determine which vulnerabilities affect the server platform.

Required Configuration:

Perform the following to alter the server platform string that gets displayed when clients connect to the tomcat server.

  1. Extract the ServerInfo.properties file from the catalina.jar file:
       $ cd $CATALINA_HOME/lib
       $ jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
  2. Navigate to the util directory that was created:
       $ cd org/apache/catalina/util
  3. Open ServerInfo.properties in an editor.
  4. Update the server.info attribute in the ServerInfo.properties file:
       server.info=
  5. Update the catalina.jar with the modified ServerInfo.properties file:
       $ jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties


I tried modifying the application fat jar by overwriting tomcat-embed-core-9.0.36 with a modified ServerInfo.properties in it. But when I started the application via Java, I got this error:

Caused by: java.lang.IllegalStateException: Unable to open nested entry 'BOOT-INF/lib/tomcat-embed-core-9.0.36.jar'. It has been compressed and nested jar files must be stored without compression. Please check the mechanism used to create your executable jar file
    at org.springframework.boot.loader.jar.JarFile.createJarFileFromFileEntry(JarFile.java:283)
    at org.springframework.boot.loader.jar.JarFile.createJarFileFromEntry(JarFile.java:265)
    at org.springframework.boot.loader.jar.JarFile.getNestedJarFile(JarFile.java:254)
    ... 6 more


I came up with 2 solutions:

  1. Fat Jar approach -> ServerInfo.properties in tomcat-embed-core.jar is patched and the executable fat jar is packaged during the build. But this requires the patched tomcat-embed-core.jar to be in the repo/Artifactory for it to work.

  2. Thin Jar approach -> the executable jar is separate from the external libraries, using spring-boot-thin-layout & spring-boot-thin-maven-plugin (for building). This externalizes the dependencies, so you can patch any jar file locally without corrupting the executable thin jar.

At this moment, these are the 2 ways I can think of to harden embedded Tomcat in Spring Boot apps.

I will mark this as the answer until somebody comes up with a better solution.
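As an added example (not code from the question, Spring Boot or Tomcat), the script below does what the fat-jar approach needs: it replaces ServerInfo.properties inside the nested tomcat-embed-core jar and writes that nested entry back STORED, which is exactly the constraint the quoted IllegalStateException enforces, and it includes a check that flags any nested jar still compressed. The sample fat jar and its property values are constructed for the demonstration; the nested jar path is the one from the question's error, and the function names are this example's own.

```python
import io
import zipfile

SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"
NESTED = "BOOT-INF/lib/tomcat-embed-core-9.0.36.jar"  # nested jar named in the question's error

def _override_props(text: str, overrides: dict) -> str:
    # Merge overrides into the key=value lines of a .properties file; other lines are kept.
    keep = [ln for ln in text.splitlines() if ln.partition("=")[0].strip() not in overrides]
    return "\n".join(keep + [f"{k}={v}" for k, v in overrides.items()]) + "\n"

def _rewrite_nested(jar: bytes, overrides: dict) -> bytes:
    # Copy the Tomcat jar with ServerInfo.properties replaced; its own entries may stay deflated.
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == SERVER_INFO:  # .properties files are ISO-8859-1 encoded
                data = _override_props(data.decode("latin-1"), overrides).encode("latin-1")
            dst.writestr(name, data)
    return out.getvalue()

def patch_server_info(fat_jar: bytes, nested_jar: str, overrides: dict, store_nested=True) -> bytes:
    # New fat jar with overridden server.* values; store_nested=False reproduces the question's error condition.
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(fat_jar)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data, method = src.read(info.filename), info.compress_type  # other entries keep their method
            if info.filename == nested_jar:
                method = zipfile.ZIP_STORED if store_nested else zipfile.ZIP_DEFLATED
                data = _rewrite_nested(data, overrides)
            dst.writestr(info.filename, data, compress_type=method)
    return out.getvalue()

def compressed_nested_jars(fat_jar: bytes) -> list:  # pre-deploy check: nested jars the loader would reject
    with zipfile.ZipFile(io.BytesIO(fat_jar)) as z:
        return [i.filename for i in z.infolist() if i.filename.endswith(".jar") and i.compress_type != zipfile.ZIP_STORED]

def read_server_info(fat_jar: bytes, nested_jar: str) -> dict:  # keys as Tomcat's ServerInfo would load them
    with zipfile.ZipFile(io.BytesIO(fat_jar)) as o, zipfile.ZipFile(io.BytesIO(o.read(nested_jar))) as i:
        text = i.read(SERVER_INFO).decode("latin-1")
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def build_sample_fat_jar() -> bytes:  # constructed stand-in for a Spring Boot fat jar; values are made up
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(SERVER_INFO, "server.info=Apache Tomcat/9.0.36\nserver.number=9.0.36.0\nserver.built=Jan 1 2020\n")
    with zipfile.ZipFile(outer, "w") as z:  # the build plugin stores nested jars uncompressed
        z.writestr(NESTED, inner.getvalue(), zipfile.ZIP_STORED)
    return outer.getvalue()
```

Run compressed_nested_jars on the patched jar before shipping it; an empty list means the nested jars are in the form Spring Boot's loader accepts.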