Re: [jetty-users] Default error handling in jetty

2011-12-07 Thread Stefan Magnus Landrø
Great stuff. We ended up subclassing ErrorPageErrorHandler, removing
stacktraces and the powered by jetty line etc.

Thanks,

Stefan

On 6 December 2011 01:51, Jan Bartel j...@intalio.com wrote:

 Hi Stefan,

 The ErrorPageErrorHandler, which is used by webapps, is a subclass of
 ErrorHandler. If you don't wish any exception stacks shown in the
 message, you can call setShowStacks(false) (or configure that in the
 context's xml descriptor).  Then, if you're not happy with just
 registering pages with it, you could always replace the
 ErrorPageErrorHandler class with one you've customized, again setting
 that up on your webapp either in code or in xml.  The code you refer
 to will only execute if the context has no ErrorHandler, and the
 Server has no ErrorHandler associated with it (which is yet another
 avenue to customize your error handling - call server.addBean(new
 MySpecialErrorHandler())).

 I think attending to these types of considerations is part of the
 process of hardening up a web server installation for production, and
 I think that Jetty gives you plenty of avenues to do that.

 That said, I do wish sometimes that the ErrorHandler class didn't
 include the Powered by Jetty line, as we sometimes get some strange,
 irate emails from folks who unbeknownst to us and them use a poorly
 configured service that is using Jetty :)

 cheers
 Jan

 On 5 December 2011 23:47, Stefan Magnus Landrø stefan.lan...@gmail.com
 wrote:
  Hi there,
 
  Whenever webapps deployed to jetty fail, one gets the message from the
  exception set in the status line:
 
  stefan landro@mac-stefanl:~/tmp $ wget -S http://localhost:8080/test
  --2011-12-05 09:02:05--  http://localhost:8080/test
  Resolving localhost... 127.0.0.1, ::1, fe80::1
  Connecting to localhost|127.0.0.1|:8080... connected.
  HTTP request sent, awaiting response...
    HTTP/1.1 500 My detailed exception Message
 
  This is quite unfortunate, since such an exception message might leak lots
  of information about the application to a bad guy.
 
  In addition, if for some reason the custom error handling in your web app
  (error-page etc in web.xml) fails, jetty returns a default error page (see
  code below), leaking even more details about the exception (the entire
  stack) in addition to the Powered by Jetty line, providing the bad guy
  with even more details.
 
  Wouldn't it make sense to remove this functionality from jetty?
 
  Cheers,
 
  Stefan
 
 
  org.eclipse.jetty.server.Response.java (line 310):
 
  writer.write("<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html;charset=ISO-8859-1\"/>\n");
  writer.write("<title>Error ");
  writer.write(Integer.toString(code));
  writer.write(' ');
  if (message==null)
      message=HttpStatus.getMessage(code);
  writer.write(message);
  writer.write("</title>\n</head>\n<body>\n<h2>HTTP ERROR: ");
  writer.write(Integer.toString(code));
  writer.write("</h2>\n<p>Problem accessing ");
  writer.write(uri);
  writer.write(". Reason:\n<pre>");
  writer.write(message);
  writer.write("</pre>");
  writer.write("</p>\n<hr /><i><small>Powered by Jetty://</small></i>");

  for (int i= 0; i < 20; i++)
      writer.write("\n");
  writer.write("\n</body>\n</html>\n");
 
 
  --
  BEKK Open
  http://open.bekk.no
 
 
  ___
  jetty-users mailing list
  jetty-users@eclipse.org
  https://dev.eclipse.org/mailman/listinfo/jetty-users
 




-- 
BEKK Open
http://open.bekk.no
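
The approach discussed in this thread (subclassing ErrorPageErrorHandler, turning off stack traces and dropping the exception message and the Powered by Jetty line), as an added example that is not code from either poster or from the Jetty project. It assumes the Jetty 7/8-era ErrorHandler API with javax.servlet; QuietErrorHandler, the WAR path and the port are hypothetical.

```java
import java.io.IOException;
import java.io.Writer;
import javax.servlet.http.HttpServletRequest;
import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ErrorPageErrorHandler;
import org.eclipse.jetty.webapp.WebAppContext;

// QuietErrorHandler is a hypothetical name. Extending ErrorPageErrorHandler
// (rather than ErrorHandler) keeps its error-page registration support.
public class QuietErrorHandler extends ErrorPageErrorHandler {

    public QuietErrorHandler() {
        setShowStacks(false); // never render exception stack traces
    }

    @Override
    protected void writeErrorPageHead(HttpServletRequest request, Writer writer,
            int code, String message) throws IOException {
        // Title carries the status code only, not the exception message.
        writer.write("<title>Error " + code + "</title>\n");
    }

    @Override
    protected void writeErrorPageBody(HttpServletRequest request, Writer writer,
            int code, String message, boolean showStacks) throws IOException {
        // Drop the exception-derived message and the request URI; write the
        // standard reason phrase for the status code instead.
        writer.write("<h2>HTTP ERROR: " + code + "</h2>\n<p>");
        writer.write(HttpStatus.getMessage(code));
        writer.write("</p>\n");
        // Deliberately no writeErrorPageStacks() call and no "Powered by" footer.
    }

    // Embedded wiring; the WAR path, context path and port are placeholders.
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        WebAppContext webapp = new WebAppContext("/path/to/app.war", "/");
        webapp.setErrorHandler(new QuietErrorHandler()); // per-webapp handler
        server.addBean(new QuietErrorHandler());         // used when a context has none
        server.setHandler(webapp);
        server.start();
        server.join();
    }
}
```

This handler controls the generated error page only; the reason phrase on the status line seen in the wget output is set by the response itself and is not changed by it.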


[jetty-users] Default error handling in jetty

2011-12-05 Thread Stefan Magnus Landrø
Hi there,

Whenever webapps deployed to jetty fail, one gets the message from the
exception set in the status line:

stefan landro@mac-stefanl:~/tmp $ wget -S http://localhost:8080/test
--2011-12-05 09:02:05--  http://localhost:8080/test
Resolving localhost... 127.0.0.1, ::1, fe80::1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 500 My detailed exception Message

This is quite unfortunate, since such an exception message might leak lots
of information about the application to a bad guy.

In addition, if for some reason the custom error handling in your web app
(error-page etc in web.xml) fails, jetty returns a default error page
(see code below), leaking even more details about the exception (the entire
stack) in addition to the Powered by Jetty line, providing the bad guy
with even more details.

Wouldn't it make sense to remove this functionality from jetty?

Cheers,

Stefan


org.eclipse.jetty.server.Response.java (line 310):

writer.write("<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html;charset=ISO-8859-1\"/>\n");
writer.write("<title>Error ");
writer.write(Integer.toString(code));
writer.write(' ');
if (message==null)
    message=HttpStatus.getMessage(code);
writer.write(message);
writer.write("</title>\n</head>\n<body>\n<h2>HTTP ERROR: ");
writer.write(Integer.toString(code));
writer.write("</h2>\n<p>Problem accessing ");
writer.write(uri);
writer.write(". Reason:\n<pre>");
writer.write(message);
writer.write("</pre>");
writer.write("</p>\n<hr /><i><small>Powered by Jetty://</small></i>");

for (int i= 0; i < 20; i++)
    writer.write("\n");
writer.write("\n</body>\n</html>\n");


-- 
BEKK Open
http://open.bekk.no