Hi there,

Whenever webapps deployed to Jetty fail, one gets the message from the
exception set in the status line:

stefan landro@mac-stefanl:~/tmp $ wget -S http://localhost:8080/test
--2011-12-05 09:02:05--  http://localhost:8080/test
Resolving localhost... 127.0.0.1, ::1, fe80::1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 500 My detailed exception Message

This is quite unfortunate, since such an exception message might leak lots
of information about the application to a bad guy.

In addition, if for some reason the custom error handling in your web app
(<error-page> etc. in web.xml) fails, Jetty returns a default error page
(see code below), leaking even more details about the exception (the entire
stack) in addition to the "Powered by Jetty" line, providing the bad guy
with even more details.

Wouldn't it make sense to remove this functionality from Jetty?

Cheers,

Stefan


org.eclipse.jetty.server.Response.java (line 310):

// Jetty's built-in fallback error page, reached when the webapp supplies no
// (working) <error-page> of its own.
writer.write("<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html;charset=ISO-8859-1\"/>\n");
writer.write("<title>Error ");
writer.write(Integer.toString(code));
writer.write(' ');
// 'message' is the text passed to sendError(); for an unhandled servlet
// exception that is the exception message. Only if it is null does Jetty
// fall back to the standard reason phrase for the status code.
if (message==null)
    message=HttpStatus.getMessage(code);
writer.write(message);
writer.write("</title>\n</head>\n<body>\n<h2>HTTP ERROR: ");
writer.write(Integer.toString(code));
writer.write("</h2>\n<p>Problem accessing ");
writer.write(uri);                       // the request URI, echoed back to the client
writer.write(". Reason:\n<pre>    ");
writer.write(message);                   // the exception message, echoed a second time in the body
writer.write("</pre>");
writer.write("</p>\n<hr /><i><small>Powered by Jetty://</small></i>");   // server fingerprint

// Padding so that browsers which replace "small" error pages (IE's friendly
// error pages) still render Jetty's own page.
for (int i= 0; i < 20; i++)
    writer.write("\n                                                ");
writer.write("\n</body>\n</html>\n");


-- 
BEKK Open
http://open.bekk.no
_______________________________________________
jetty-users mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/jetty-users

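The two leaks described in the post (the exception message in the status line, and the default error page with message, URI and "Powered by Jetty" line when the webapp's own error handling fails) can both be closed from the application side without waiting for a change in Jetty. The following is an added example, not code from the original post or from the Jetty project: a servlet Filter that swallows the exception before the container turns it into a reason phrase, and an ErrorHandler subclass that replaces the fallback page. It assumes the javax.servlet API and the Jetty 7/8/9 signature of org.eclipse.jetty.server.handler.ErrorHandler#writeErrorPage (check it against the Jetty version you run); the class names OpaqueErrorFilter and OpaqueErrorHandler are my own.

```java
// Added example, not part of the original post or of Jetty. Assumes the
// javax.servlet API and Jetty's ErrorHandler.writeErrorPage(HttpServletRequest,
// Writer, int, String, boolean) as found in Jetty 7/8/9; verify for your version.
import java.io.IOException;
import java.io.Writer;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.handler.ErrorHandler;

/**
 * Catches anything a servlet throws, logs the full exception server-side and
 * answers with a bare 500. Because the container never sees the exception,
 * its message cannot end up as the reason phrase
 * ("HTTP/1.1 500 My detailed exception Message") or in an error body.
 * Map it to /* in web.xml, ahead of any other filter.
 */
public class OpaqueErrorFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(OpaqueErrorFilter.class.getName());

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            chain.doFilter(req, res);
        } catch (Exception e) {
            // The details stay where only operators can read them: the server log.
            LOG.log(Level.SEVERE,
                    "Unhandled exception for " + ((HttpServletRequest) req).getRequestURI(), e);
            if (!response.isCommitted()) {
                response.reset();
                // One-argument sendError: no custom reason phrase, no message in the body.
                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
        }
    }
}

/**
 * Replacement for Jetty's fallback error page, used when the webapp's own
 * <error-page> mapping is missing or fails. Emits a fixed page: no exception
 * message, no request URI, no stack trace, no "Powered by Jetty" line.
 * Register it on the context (or the Server) with
 * setErrorHandler(new OpaqueErrorHandler()).
 */
class OpaqueErrorHandler extends ErrorHandler {
    OpaqueErrorHandler() {
        setShowStacks(false); // belt and braces; writeErrorPage below never prints a stack anyway
    }

    @Override
    protected void writeErrorPage(HttpServletRequest request, Writer writer, int code,
                                  String message, boolean showStacks) throws IOException {
        // Only the numeric status reaches the client; 'message' and the
        // request URI are deliberately not echoed.
        writer.write("<html><head><title>Error " + code + "</title></head>"
                   + "<body><h2>HTTP ERROR " + code + "</h2>"
                   + "<p>The request could not be completed.</p></body></html>\n");
    }
}
```

To check the result, repeat the `wget -S` request from the post against a URL that throws: the status line should now carry only the status code and the standard reason phrase, and the body should contain neither the exception text nor the request URI. Note that the filter only covers exceptions raised inside the filter chain; errors the container raises before the chain runs (for example while parsing the request) still go through the ErrorHandler, which is why both pieces are needed.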