Hello Joakim,
Thanks, that does take care of the stack trace. It seems like the call
must be done on the server.getErrorHandler which is not defined
(null) until the server has been started. Perhaps I am doing it wrong
but doing server.getErrorHandler.setShowStacks(false) directly after
server.start works.
I will now see if the customer is satisfied with the current behavior
and if not I will look into the suggestions Simone made about custom
error pages.
Cheers,
Silvio
On 22-07-19 14:17, Joakim Erdfelt wrote:
One word of warning.
Error 400 is a bit unique and special in that many kinds of error 400
happen very early in the processing of a potential incoming request.
Many times the error 400 occurs before a context is known and as a
result the error is served directly from the server, and not a context
that would have the ErrorPageErrorHandler API.
If the concern is that the error page has a stacktrace, then you can
turn that off in the ErrorHandler.setShowStacks(false).
A typical setup on a server is that the server itself has a generic
ErrorHandler, and each context (webapp) has its own
ErrorPageErrorHandler which has mappings for exceptions or status
codes to resources (dynamic or static) that handle the error.
Joakim Erdfelt / [email protected]
On Mon, Jul 22, 2019 at 6:58 AM Simone Bordet <[email protected]> wrote:
Hi,
On Mon, Jul 22, 2019 at 12:25 PM Silvio Bierman <[email protected]> wrote:
>
> Hello all,
>
> We run an application that embeds Jetty 9.4.19. Upon receiving a
> malformed request where the Host header has been deliberately set to
> 127.0.0.1 (and therefore does not match the request URL) our server
> responds with:
>
> HTTP ERROR 400
>
> Problem accessing /. Reason:
>
> Host does not match SNI
>
> Caused by:
>
> <stacktrace>
>
> During a pen-test that was done by one of our customers this was deemed
> too much internal information. What is the most easy way to configure
> the error info that we return upon such requests?
Custom error pages, by using the ErrorPageErrorHandler API, see e.g.
https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-servlet/src/test/java/org/eclipse/jetty/servlet/ErrorPageTest.java.
--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or
unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
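The two-level setup described in this thread, as an added example that is not code from any of the posters or from the Jetty project: a server-wide ErrorHandler with stack traces disabled for errors raised before a context is known, plus a per-context ErrorPageErrorHandler with custom pages. It assumes embedded Jetty 9.4 and that the server adopts an ErrorHandler bean registered before start; the port, the plain HTTP connector and the error page paths are hypothetical.

```java
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ErrorPageErrorHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;

public class QuietErrorPages {
    public static void main(String[] args) throws Exception {
        // Port 8080 over plain HTTP is an assumption to keep the example short;
        // the deployment in the thread terminates TLS in Jetty.
        Server server = new Server(8080);

        // Server-level handler: answers errors that occur before a context
        // is selected, such as the early 400 responses discussed above.
        ErrorHandler serverErrors = new ErrorHandler();
        serverErrors.setShowStacks(false); // no "Caused by:" stack trace in the body
        // Registered as a bean before start(), so it is in place for the
        // first request (assumption: the server picks up this bean at start).
        server.addBean(serverErrors);

        // Context-level handler: maps status codes and exceptions to
        // resources inside the webapp.
        ServletContextHandler context = new ServletContextHandler();
        context.setContextPath("/");
        context.setResourceBase("webroot"); // hypothetical directory holding the pages
        context.addServlet(DefaultServlet.class, "/"); // serves the static error pages

        ErrorPageErrorHandler contextErrors = new ErrorPageErrorHandler();
        contextErrors.setShowStacks(false); // applies if no mapping matches
        contextErrors.addErrorPage(404, "/errors/not-found.html");      // hypothetical path
        contextErrors.addErrorPage(500, 599, "/errors/server.html");    // hypothetical path
        contextErrors.addErrorPage(Throwable.class, "/errors/server.html");
        context.setErrorHandler(contextErrors);

        server.setHandler(context);
        server.start();
        server.join();
    }
}
```

The response can be checked the way the pen-test did, by sending a request that fails before context selection and confirming the body carries only the status and reason.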