Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Default error handling in jetty
Great stuff. We ended up subclassing ErrorPageErrorHandler, removing stacktraces and the "powered by jetty" line etc.

Thanks,

Stefan

On 6 December 2011 01:51, Jan Bartel <janb@xxxxxxxxxxx> wrote:
Hi Stefan,

The ErrorPageErrorHandler, which is used by webapps, is a subclass of
ErrorHandler. If you don't wish any exception stacks shown in the
message, you can call setShowStacks(false) (or configure that in the
context's xml descriptor).  Then, if you're not happy with just
registering pages with it, you could always replace the
ErrorPageErrorHandler class with one you've customized, again setting
that up on your webapp either in code or in xml.  The code you refer
to will only execute if the context has no ErrorHandler, and the
Server has no ErrorHandler associated with it (which is yet another
avenue to customize your error handling - call server.addtBean(new
MySpecialErrorHandler()).

I think attending to these type of considerations is part of the
process of hardening up a web server installation for production, and
I think that Jetty gives you plenty of avenues to do that.

That said, I do wish sometimes that the ErrorHandler class didn't
include the "Powered by Jetty" line, as we sometimes get some strange,
irate emails from folks who unbeknownst to us and them use a poorly
configured service that is using Jetty :)

cheers
Jan

On 5 December 2011 23:47, Stefan Magnus Landrø <stefan.landro@xxxxxxxxx> wrote:
> Hi there,
>
> Whenever webapps deployed to jetty fail, one gets the message from the
> exception set in the status line:
>
> stefan landro@mac-stefanl:~/tmp $ wget -S http://localhost:8080/test
> --2011-12-05 09:02:05--  http://localhost:8080/test
> Resolving localhost... 127.0.0.1, ::1, fe80::1
> Connecting to localhost|127.0.0.1|:8080... connected.
> HTTP request sent, awaiting response...
>   HTTP/1.1 500 My detailed exception Message
>
> This is quite unfortunate, since such an exception message might leak lots
> of information about the application to a bad guy.
>
> In addition, if for some reason the custom error handling in your web app
> (<error-page> etc in web.xml) fails, jetty returns a default error page (see
> code below), leaking even more details about the exception (the entire
> stack) in addition to the "Powered by Jetty" line, providing the bad guy
> with even more details.
>
> Wouldn't it make sense to remove this functionality from jetty?
>
> Cheers,
>
> Stefan
>
>
> org.eclipse.jetty.server.Response.java (line 310):
>
> writer.write("<html>\n<head>\n<meta http-equiv=\"Content-Type\"
> content=\"text/html;charset=ISO-8859-1\"/>\n");
> writer.write("<title>Error ");
> writer.write(Integer.toString(code));
> writer.write(' ');
> if (message==null)
>     message=HttpStatus.getMessage(code);
> writer.write(message);
> writer.write("</title>\n</head>\n<body>\n<h2>HTTP ERROR: ");
> writer.write(Integer.toString(code));
> writer.write("</h2>\n<p>Problem accessing ");
> writer.write(uri);
> writer.write(". Reason:\n<pre>    ");
> writer.write(message);
> writer.write("</pre>");
> writer.write("</p>\n<hr /><i><small>Powered by Jetty://</small></i>");
>
> for (int i= 0; i < 20; i++)
>     writer.write("\n                                                ");
> writer.write("\n</body>\n</html>\n");
>
>
> --
> BEKK Open
> http://open.bekk.no
>
>
> _______________________________________________
> jetty-users mailing list
> jetty-users@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/jetty-users
>
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users



--
BEKK Open
http://open.bekk.no

Back to the top