Hi Stefan,

The ErrorPageErrorHandler, which is used by webapps, is a subclass of ErrorHandler. If you don't wish any exception stacks shown in the message, you can call setShowStacks(false) (or configure that in the context's xml descriptor). Then, if you're not happy with just registering pages with it, you could always replace the ErrorPageErrorHandler class with one you've customized, again setting that up on your webapp either in code or in xml. The code you refer to will only execute if the context has no ErrorHandler, and the Server has no ErrorHandler associated with it (which is yet another avenue to customize your error handling - call server.addBean(new MySpecialErrorHandler())).

I think attending to these types of considerations is part of the process of hardening up a web server installation for production, and I think that Jetty gives you plenty of avenues to do that. That said, I do wish sometimes that the ErrorHandler class didn't include the "Powered by Jetty" line, as we sometimes get some strange, irate emails from folks who, unbeknownst to us and them, use a poorly configured service that is using Jetty :)

cheers
Jan

On 5 December 2011 23:47, Stefan Magnus Landrø <[email protected]> wrote:
> Hi there,
>
> Whenever webapps deployed to jetty fail, one gets the message from the
> exception set in the status line:
>
> stefan landro@mac-stefanl:~/tmp $ wget -S http://localhost:8080/test
> --2011-12-05 09:02:05-- http://localhost:8080/test
> Resolving localhost... 127.0.0.1, ::1, fe80::1
> Connecting to localhost|127.0.0.1|:8080... connected.
> HTTP request sent, awaiting response...
> HTTP/1.1 500 My detailed exception Message
>
> This is quite unfortunate, since such an exception message might leak lots
> of information about the application to a bad guy.
>
> In addition, if for some reason the custom error handling in your web app
> (<error-page> etc in web.xml) fails, jetty returns a default error page (see
> code below), leaking even more details about the exception (the entire
> stack) in addition to the "Powered by Jetty" line, providing the bad guy
> with even more details.
>
> Wouldn't it make sense to remove this functionality from jetty?
>
> Cheers,
>
> Stefan
>
>
> org.eclipse.jetty.server.Response.java (line 310):
>
> writer.write("<html>\n<head>\n<meta http-equiv=\"Content-Type\"
> content=\"text/html;charset=ISO-8859-1\"/>\n");
> writer.write("<title>Error ");
> writer.write(Integer.toString(code));
> writer.write(' ');
> if (message==null)
>     message=HttpStatus.getMessage(code);
> writer.write(message);
> writer.write("</title>\n</head>\n<body>\n<h2>HTTP ERROR: ");
> writer.write(Integer.toString(code));
> writer.write("</h2>\n<p>Problem accessing ");
> writer.write(uri);
> writer.write(". Reason:\n<pre> ");
> writer.write(message);
> writer.write("</pre>");
> writer.write("</p>\n<hr /><i><small>Powered by Jetty://</small></i>");
>
> for (int i= 0; i < 20; i++)
>     writer.write("\n ");
> writer.write("\n</body>\n</html>\n");
>
>
> --
> BEKK Open
> http://open.bekk.no
>
>
> _______________________________________________
> jetty-users mailing list
> [email protected]
> https://dev.eclipse.org/mailman/listinfo/jetty-users
