QM wrote:
On Mon, Sep 05, 2005 at 06:28:05PM +0100, Paul Singleton wrote:
: But we want *no* error page, just a 404 status returned to
: the browser, which will then presumably present this failure
: to the user in its own way.  Or have I misunderstood 404s?

Yes and no.  Browsers are free to interpret 404s (and any other error
code) as they see fit.  For example, IE's "friendly error messages" will
interpret the status code and show the user its own "not found" page
instead of the data returned by the server.

: Exactly what <error-page> element will achieve this, and
: where should we call ...setStatus(...NOT_FOUND)?

If you *really* want to leave this up to the browser, map the
<error-page> to a JSP that simply sets a 404 response and returns no
data.  (I forget the exact API call for this, but it's in the
HttpServlet or HttpServletRequest JavaDoc.)

It's in javax.servlet.http.HttpServletResponse (from 2.1), hence

<% response.sendError(javax.servlet.http.HttpServletResponse.SC_NOT_FOUND); %>

...
> The real question is, do you really want to do this?

I *really* want to return a page which gives a hacker no indication
which web app server we're using (because our client thinks this is
good security practice) without going to the trouble of writing my
own :-)

I've tried your dataless 404 suggestion, and it indeed prompts IE
to show that familiar

  The page cannot be found

effort, but unfortunately Firefox shows a blank page, so just in case
there are ever any broken links in our web apps, I'd better not leave
it up to the browser, but write a (suitably anonymous) one of our own.

Many thanks for your help

Paul Singleton
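
An added example, not part of the original messages: a `WEB-INF/web.xml` fragment that routes 404s, 500s and uncaught exceptions to the application's own neutral pages, so the container's default error page (which typically names the server and may print a stack trace) is never shown. The `/errors/notfound.html` and `/errors/error.html` paths are assumed names.

```xml
<!-- WEB-INF/web.xml fragment (added example; the /errors/* locations are assumed names) -->
<web-app>

  <!-- Broken links: serve our own page. The container keeps the 404 status
       when it dispatches to the location, so the page itself does not need
       to call sendError() or setStatus(). -->
  <error-page>
    <error-code>404</error-code>
    <location>/errors/notfound.html</location>
  </error-page>

  <!-- Server-side failures: same idea, so no default error page with a
       product name or version string reaches the client. -->
  <error-page>
    <error-code>500</error-code>
    <location>/errors/error.html</location>
  </error-page>

  <!-- Uncaught exceptions: without this mapping the container's default
       page may include the exception class and stack trace. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/errors/error.html</location>
  </error-page>

</web-app>
```

Keep the target pages static and free of product names, version strings and exception details. This mapping only replaces the response body; headers such as `Server` are configured separately.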

