Hello Simone,

Thank you for the reply. We do not want to change the compliance, the error flagging is correct and desired. It is just that some potential user doing a pen-test on our system is objecting to the messages being generated. The SNI message contains "Caused by: org.eclipse.jetty.http.BadMessageException" which is information (Jetty) we are not allowed to disclose for security reasons. In general they want the ability to tweak all error messages generated by our application. We tried to offer that through the custom handler.

There is a Server#setErrorHandler call and I would have expected that error handler to be used for such low-level errors. But now that I understand this is not the case, I was hoping for some other way to customize these messages.

Is there anything else I could do to work around this?

Thanks in advance,

Cheers,

Silvio


On 07-08-2023 16:32, Simone Bordet wrote:
Hi,

On Mon, Aug 7, 2023 at 12:16 PM Silvio Bierman via jetty-users
<jetty-users@eclipse.org> wrote:
Hi,

I run embedded Jetty 11.0.13. I have a single servlet instance and call 
ServletContextHandler#setErrorHandler(customHandler) during initialization. But 
whenever an invalid URL (like one containing empty segments) is received, the handle method 
of the custom error handler is not called. Instead the message

Bad Message 400

reason: Ambiguous URI empty segment

is generated. Similarly requests with a bad SNI seem to generate a page that 
does not go through the custom handler.

What am I doing wrong? How can I catch these and generate my own error pages?

Some errors happen very early in the request parsing, so when they
happen, there is no request, no headers, etc. so we cannot dispatch a
"request" to a handler (there is no request).
These are typically requests that are so bad that they are typically
attacks, so you don't want to generate more than a concise 400
response from the server, as if the request never arrived.

For the particular error "Ambiguous URI empty segment" you can
configure the HTTP compliance so that the ambiguity is tolerated, and
the request handled as a normal request.
See 
https://eclipse.dev/jetty/documentation/jetty-11/programming-guide/index.html#pg-server-compliance-http.
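As an added illustration of the two options discussed in this thread (not code from either poster or from the Jetty project): an embedded Jetty 11 setup that tolerates only the "Ambiguous URI empty segment" violation at the connector, as Simone suggests, so such requests reach the servlet and the context's custom ErrorHandler, while also removing container details (server version, servlet names, stack traces) from error output. The UriCompliance, HttpConfiguration and ErrorHandler setters are Jetty 11 API as far as I know them; treating ErrorHandler#badMessageError as the hook for errors raised before a request object exists is an assumption and should be verified against your Jetty version.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import org.eclipse.jetty.http.HttpFields;
import org.eclipse.jetty.http.UriCompliance;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;

public class QuietJetty {
    // Error handler that never names the container, the servlet or a stack frame.
    static class QuietErrorHandler extends ErrorHandler {
        QuietErrorHandler() {
            setShowServlet(false);        // no servlet class name in the page
            setShowStacks(false);         // no stack traces
            setShowMessageInTitle(false); // no exception text in <title>
        }

        // ASSUMED hook: called for errors raised before a request exists
        // (bad URI, bad SNI). Replaces the default "Bad Message 400 / reason: ..." body.
        @Override
        public ByteBuffer badMessageError(int status, String reason, HttpFields.Mutable fields) {
            fields.put("Content-Type", "text/plain;charset=utf-8");
            String body = "Request rejected (" + status + ")\n"; // reason deliberately omitted
            return ByteBuffer.wrap(body.getBytes(StandardCharsets.UTF_8));
        }
    }

    public static Server build(int port) {
        Server server = new Server();

        HttpConfiguration config = new HttpConfiguration();
        config.setSendServerVersion(false); // drop the "Server: Jetty(...)" header
        config.setSendXPoweredBy(false);
        // Tolerate only the single violation named in the thread; every other
        // RFC 3986 ambiguity is still rejected early with a 400.
        config.setUriCompliance(UriCompliance.RFC3986.with(
            "TolerateEmptySegment", UriCompliance.Violation.AMBIGUOUS_EMPTY_SEGMENT));

        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(config));
        connector.setPort(port);
        server.addConnector(connector);

        ServletContextHandler context = new ServletContextHandler();
        context.setContextPath("/");
        context.setErrorHandler(new QuietErrorHandler()); // errors inside the context
        server.setHandler(context);
        server.setErrorHandler(new QuietErrorHandler());  // errors outside any context
        return server;
    }
}
```

Once built, a request such as `GET //a` reaches the servlet instead of the early 400, and whatever still fails before dispatch gets the neutral body from badMessageError rather than one that mentions BadMessageException.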