Hello,

I’m currently trying to resolve an issue from our customer about a Tomcat
version visible if bad characters are inserted into the URL (the step to
reproduce is to add a ‘{’). This produces an HTTP 400 and redirects you to the
default Tomcat error page with a stacktrace and version number.
To resolve this, I want every generic http error to redirect to a logout 
servlet which then immediately kills the session (not elegant, but sufficient 
enough for our customer). To do this I could use an ErrorReportValve, but that 
from what I understand is only able to go to static HTML pages (a jsp would’ve 
worked for me here as well but doesn't seem possible?). Instead I should be 
able to define http errors in the web.xml. This functionality doesn’t seem to 
work for me.

Debugging my issue I find that in order for this to work, it needs to trigger a 
status(req,res) function in StandardHostValve.java. This should be done by the 
default ErrorReportValve’s invoke(req,res). When this happens though, the first 
step in invoke is checking if the context is null. This is always the case for 
me, because the uri never gets set because it’s an invalid uri (with an invalid 
character). If the context is null, the status function is never called, and 
thus the default error page gets generated instead.

My question is as follows. Is this a bug or is this a possible fault in my 
configuration? My configuration is as follows (some values masked for security 
reasons):

Tomcat version tested: 9.0.62, 9.0.72
Host OS: Windows 10
Java version: 11.0.4

— ${CATALINA_HOME}/conf/server.xml —

<?xml version="1.0" encoding="utf-8"?>
<Server port="8005" shutdown="SHUTDOWN">
    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
    <Listener className="org.apache.catalina.mbeans.GlobalResourceLifecycleListener" />
    <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

    <Service name="xxx">
        <Connector port="443"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   enableLookups="false" SSLEnabled="true" scheme="https"
                   secure="true" clientAuth="false" sslProtocol="TLS"
                   sslImplementationName="ourCustomImplementation" />
        <Engine name="xxx" defaultHost="localhost">
            <Host name="localhost" appBase="webapps" unpackWARs="true"
                  autoDeploy="true"/>
        </Engine>
    </Service>
</Server>

— ${CATALINA_HOME}/webapps/ROOT/WEB-INF/web.xml —

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <error-page>
        <location>/logout.htm</location>
    </error-page>
</web-app>

All servlet mapping is done with Spring Web MVC.

Regards,

Mitch
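
A Host-level configuration for the case the post describes, where the invalid URI never maps to a context and the default ErrorReportValve generates the 400 page. This is an added example, not part of the original post and not the poster's configuration; it declares the valve explicitly with showReport and showServerInfo turned off so the generated page carries no stack trace or version string. The errorCode.400 file path is an assumed placeholder.

```xml
<!-- Added example; not the poster's configuration. -->

<!-- Before: Host as posted. No explicit error valve is declared, so the
     default ErrorReportValve applies with showReport and showServerInfo
     both at their default of true: the 400 page includes the stack trace
     and the Tomcat version. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>

<!-- After: same Host with the valve declared and both disclosures off.
     errorCode.400 points at a static, UTF-8 encoded HTML file; a relative
     path is resolved against $CATALINA_BASE. The file name below is an
     assumed placeholder and must exist on disk. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
    <Valve className="org.apache.catalina.valves.ErrorReportValve"
           showReport="false"
           showServerInfo="false"
           errorCode.400="conf/errors/400.html" />
</Host>
```

As the post notes, this valve returns static HTML only, so it replaces the default error page but does not run any logout logic.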
