Great stuff. We ended up subclassing ErrorPageErrorHandler, removing stacktraces and the "powered by jetty" line etc.
Thanks,
Stefan

On 6 December 2011 01:51, Jan Bartel <[email protected]> wrote:
> Hi Stefan,
>
> The ErrorPageErrorHandler, which is used by webapps, is a subclass of
> ErrorHandler. If you don't wish any exception stacks shown in the
> message, you can call setShowStacks(false) (or configure that in the
> context's xml descriptor). Then, if you're not happy with just
> registering pages with it, you could always replace the
> ErrorPageErrorHandler class with one you've customized, again setting
> that up on your webapp either in code or in xml. The code you refer
> to will only execute if the context has no ErrorHandler, and the
> Server has no ErrorHandler associated with it (which is yet another
> avenue to customize your error handling - call server.addBean(new
> MySpecialErrorHandler())).
>
> I think attending to these types of considerations is part of the
> process of hardening up a web server installation for production, and
> I think that Jetty gives you plenty of avenues to do that.
>
> That said, I do wish sometimes that the ErrorHandler class didn't
> include the "Powered by Jetty" line, as we sometimes get some strange,
> irate emails from folks who unbeknownst to us and them use a poorly
> configured service that is using Jetty :)
>
> cheers
> Jan
>
> On 5 December 2011 23:47, Stefan Magnus Landrø <[email protected]> wrote:
> > Hi there,
> >
> > Whenever webapps deployed to jetty fail, one gets the message from the
> > exception set in the status line:
> >
> >     stefan landro@mac-stefanl:~/tmp $ wget -S http://localhost:8080/test
> >     --2011-12-05 09:02:05-- http://localhost:8080/test
> >     Resolving localhost... 127.0.0.1, ::1, fe80::1
> >     Connecting to localhost|127.0.0.1|:8080... connected.
> >     HTTP request sent, awaiting response...
> >     HTTP/1.1 500 My detailed exception Message
> >
> > This is quite unfortunate, since such an exception message might leak lots
> > of information about the application to a bad guy.
> >
> > In addition, if for some reason the custom error handling in your web app
> > (<error-page> etc in web.xml) fails, jetty returns a default error page (see
> > code below), leaking even more details about the exception (the entire
> > stack) in addition to the "Powered by Jetty" line, providing the bad guy
> > with even more details.
> >
> > Wouldn't it make sense to remove this functionality from jetty?
> >
> > Cheers,
> >
> > Stefan
> >
> > org.eclipse.jetty.server.Response.java (line 310):
> >
> >     writer.write("<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html;charset=ISO-8859-1\"/>\n");
> >     writer.write("<title>Error ");
> >     writer.write(Integer.toString(code));
> >     writer.write(' ');
> >     if (message==null)
> >         message=HttpStatus.getMessage(code);
> >     writer.write(message);
> >     writer.write("</title>\n</head>\n<body>\n<h2>HTTP ERROR: ");
> >     writer.write(Integer.toString(code));
> >     writer.write("</h2>\n<p>Problem accessing ");
> >     writer.write(uri);
> >     writer.write(". Reason:\n<pre>    ");
> >     writer.write(message);
> >     writer.write("</pre>");
> >     writer.write("</p>\n<hr /><i><small>Powered by Jetty://</small></i>");
> >
> >     for (int i= 0; i < 20; i++)
> >         writer.write("\n                                                ");
> >     writer.write("\n</body>\n</html>\n");
> >
> > --
> > BEKK Open
> > http://open.bekk.no
> >
> > _______________________________________________
> > jetty-users mailing list
> > [email protected]
> > https://dev.eclipse.org/mailman/listinfo/jetty-users

--
BEKK Open
http://open.bekk.no
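Putting the two replies together, here is an added example (not code from this thread or from the Jetty project) of a replacement ErrorPageErrorHandler that turns off stack traces, writes a generic page without the exception text or the "Powered by Jetty" line, and clears the exception message from the status line. The class name, the WAR path and the status-reset step are assumptions written against the Jetty 7/8 API the thread refers to; check them against your release.

```java
import java.io.IOException;
import java.io.Writer;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ErrorPageErrorHandler;
import org.eclipse.jetty.webapp.WebAppContext;

// Hypothetical hardened handler (not Jetty's own): generic body, no stack traces,
// no "Powered by Jetty" footer, and no exception text on the status line.
public class GenericErrorHandler extends ErrorPageErrorHandler {
    public GenericErrorHandler() {
        setShowStacks(false); // the setting Jan points to: never render exception stacks
    }

    @Override
    public void handle(String target, Request baseRequest,
                       HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Assumption: sendError(code, message) stored the exception message as the
        // reason phrase; re-setting the status with no reason clears it, so the
        // status line reads "500 Server Error" instead of "500 My detailed ...".
        int code = ((Response) response).getStatus();
        response.setStatus(code);
        super.handle(target, baseRequest, request, response);
    }

    @Override
    protected void writeErrorPage(HttpServletRequest request, Writer writer,
                                  int code, String message, boolean showStacks)
            throws IOException {
        // 'message' and 'showStacks' are deliberately ignored: only the numeric
        // status and its standard reason phrase reach the client. Log the cause server-side.
        String reason = HttpStatus.getMessage(code);
        if (reason == null) reason = "Error";
        writer.write("<html>\n<head><title>Error " + code + "</title></head>\n<body>\n");
        writer.write("<h2>HTTP ERROR " + code + "</h2>\n<p>" + reason + "</p>\n");
        writer.write("</body>\n</html>\n");
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        WebAppContext webapp = new WebAppContext("/path/to/app.war", "/"); // placeholder path
        webapp.setErrorHandler(new GenericErrorHandler()); // replaces the default ErrorPageErrorHandler
        server.setHandler(webapp);
        server.start(); server.join();
    }
}
```

The same handler can also be installed as the server-level fallback Jan mentions (server.addBean(...)), so a context without its own ErrorHandler never falls through to the default Response.java page.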
