[jetty-users] Default error handling in jetty

Hi there,

Whenever webapps deployed to jetty fail, one gets the message from the exception set in the status line:

stefan landro@mac-stefanl:~/tmp $ wget -S http://localhost:8080/test
--2011-12-05 09:02:05--  http://localhost:8080/test
Resolving localhost... 127.0.0.1, ::1, fe80::1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 500 My detailed exception Message
 
This is quite unfortunate, since such an exception message might leak lots of information about the application to a bad guy.

In addition, if for some reason the custom error handling in your web app (<error-page> etc in web.xml) fails, jetty returns a default error page (see code below), leaking even more details about the exception (the entire stack) in addition to the "Powered by Jetty" line, providing the bad guy with even more details.

Wouldn't it make sense to remove this functionality from jetty?

Cheers,

Stefan


org.eclipse.jetty.server.Response.java (line 310):

writer.write("<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html;charset=ISO-8859-1\"/>\n");
writer.write("<title>Error ");
writer.write(Integer.toString(code));
writer.write(' ');
if (message==null)
    message=HttpStatus.getMessage(code);
writer.write(message);
writer.write("</title>\n</head>\n<body>\n<h2>HTTP ERROR: ");
writer.write(Integer.toString(code));
writer.write("</h2>\n<p>Problem accessing ");
writer.write(uri);
writer.write(". Reason:\n<pre>    ");
writer.write(message);
writer.write("</pre>");
writer.write("</p>\n<hr /><i><small>Powered by Jetty://</small></i>");

for (int i= 0; i < 20; i++)
    writer.write("\n                                                ");
writer.write("\n</body>\n</html>\n");


--
BEKK Open
http://open.bekk.no
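
Added example, not part of the original message and not Jetty's own code: a servlet filter that keeps exception text out of the response by logging the failure server-side and calling sendError without a message, so the `message==null` branch in the quoted code supplies the standard reason phrase. It uses only the standard javax.servlet API; the class name GenericErrorFilter is hypothetical, and it assumes the filter is mapped to /* ahead of the other filters in web.xml.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name (assumption); register it as the outermost filter.
public class GenericErrorFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(GenericErrorFilter.class.getName());

    public void init(FilterConfig config) {
        // No configuration needed.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } catch (Exception e) {
            // Full detail stays in the server log, never in the response.
            LOG.log(Level.SEVERE, "Unhandled exception while serving request", e);

            // Not rethrown: the container never receives the exception, so its
            // message cannot end up in the status line or the error page.
            // Caveat: <error-page> entries keyed on <exception-type> will not
            // fire; entries keyed on <error-code>500</error-code> still do.
            if (res instanceof HttpServletResponse && !res.isCommitted()) {
                // No message argument: the container picks the reason phrase.
                ((HttpServletResponse) res)
                        .sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
        }
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

If the response is already committed when the exception is caught, the status line has been sent and the filter can only log.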

