V-235961

Discussion

Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too insecure to run on a production DoD system. Application servers must provide the capability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance, for example, disabling dynamic JSP reloading on production application servers as a best practice.

Check Content

1. Access AC
2. From 'Domain Structure', select 'Deployments'
3. Select a deployment of type 'Web Application' from list of deployments
4. Select 'Configuration' tab -> 'General' tab
5. Ensure 'JSP Page Check' field value is set to '-1', which indicates JSP reloading is disabled within this deployment. Repeat steps 3-5 for all 'Web Application' type deployments
6. For every WebLogic resource within the domain, the 'Configuration' tab and associated subtabs provide the ability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance

If the 'JSP Page Check' field is not set to '-1' or other services or functionality deemed to be non-essential to the server mission is not set to '-1', this is a finding.