[ https://issues.apache.org/jira/browse/SLING-4049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14171279#comment-14171279 ]
Felix Meschberger commented on SLING-4049:
------------------------------------------
The Sling Servlet Resolver has a default error handler servlet registered for
the "virtual" resource type {{sling/servlet/errorhandler/default}} registered
at the end of the search path by virtue of setting {{sling.servlet.prefix=-1}}.
Thus any error handler servlet with another path prefix, particularly ones not
setting {{sling.servlet.prefix}} at all, would overwrite this. For example, a
customer application could create a script (in whatever active language) or
servlet at {{/apps/sling/servlet/default}} and be sure to be called unless
there is some more specific error handler script or servlet.
> Errorhandling: Allow Configuration of Displaying Stacktraces/Request Progress
> -----------------------------------------------------------------------------
>
> Key: SLING-4049
> URL: https://issues.apache.org/jira/browse/SLING-4049
> Project: Sling
> Issue Type: Improvement
> Components: Servlets
> Reporter: Dominique Jäggi
>
> It should be configurable whether during error display (40x, 50x, etc.)
> stacktraces or the request progress is displayed or not.
> For production systems it is undesirable to exhibit information that may
> allow an attacker to determine internal information such as used scripts,
> paths, classes, line numbers, etc.
> Ideally this could be centrally configured, affecting both e.g. the JSP
> handlers (404.jsp) as well as any other facility outputting error conditions.