tags:

views:

192

answers:

3
+2  Q: 

Reducing information disclosure in Tomcat error pages

By default, Tomcat's error pages disclose both the existence of Tomcat and the exact version of the container that's handling the requests. This is nice for development, but in a production context this information is a potential security hole and it would be nice to disable it.

Thus I would like to know what the best (as in most straightforward/comprehensive) solution is to completely suppress Tomcat's default error pages. I am aware of the <error-page> option in web.xml, but it seems to fail on both desired counts, partly because I would have to list the same alternative error page many times (one for each response code I want to handle), and because this strikes me as possibly not 100% robust; if an attacker can somehow get an error code returned that I haven't explicitly listed, they would get the default error page.

Ideally, a simple option to set a universal custom error page, or to flat out disable sending any HTML along with the error code in the default error page, would be best. If neither of those options are possible, I'd be interested in finding out what the typical way to implement this functionality is (bonus points for discussing/showing why those hypothetical options don't exist, since it seems my requirement would be quite standard for anyone using Tomcat in production...).

+1  A: 

A possible option would be to set up a Servlet Filter, that could redirect error pages to exactly the page you want ... You would only code this once, and it would work for all error codes..

KLE  2009-10-05 14:03:26
An interesting approach... I suspect it might be a bit fragile *and* kill performance as I'd need to parse every single response to try and work out from the raw characters whether it was a default error page or not. Or is there a better way to identify the problem pages?
Andrzej Doyle  2009-10-05 16:44:24
@dtsazza Concerning performance, if you compare the dozens instructions implied to the dozen thousands that are involved in the whole processing of the request, it's less than 0.1%. **Performance impact is negligible when the code is so high level**.
KLE  2009-10-06 07:22:16
+2  A: 

<error-page> is the right answer, but you don't want to just redirect all error codes to some generic message. You have to think about how you want to handle each error. If you're afraid you might miss one of the codes, check out the constants in the HttpServletResponse interface.

Jeremy Stein  2009-10-05 18:39:57
But I kind of do want to - since it's a self-contained webapp, from the user's perspective either things are working or they're not; the actual response they see really can be generic (logs will show technical staff the actual problem plus the HTTP response code is still intact). Accepting your answer anyway, on the basis of the enumeration of response codes that Tomcat may send.
Andrzej Doyle  2009-10-06 08:02:44
+3  A: 

Some of the errors are sent directly by the container and your application doesn't have a chance to deal with them. For example, when a non-existent resource is requested, the 404 error will be sent. The only way your application can do something about it is to declare the appropriate <error-page> entry in the web.xml.

I agree with Jeremy Stein that the <error-page> is the right answer. After all the error codes aren't unlimited.

Read also the discussion here, about how errors are handled with Spring MVC. I believe that it is most important is to handle your own errors (the exceptions that if they don't get caught will result in a 500 Internal Server Error).

kgiannakakis  2009-10-06 07:18:14

related questions

Never produce to an unknown pathway, in software too? [Toyota principle]
What is the best way to collect/report unexpected errors in .NET Window Applications?
What are the principles guiding your exception handling policy?
Exceptions: Is this a good practice?
How would you get the Sql Command objects for a Given TableAdaptor and SqlDataAdaptor in C# (.NET 2.0)
How to catch all exceptions in Flex?
Sql Server 2005 error handling - inner exception
Error handling in BASH
How to capture crash logs in Java
Php function argument error suppression, empty() isset() emulation
Print stack trace information from C#
How do you manage your app when the database goes offline?
Can I detect and handle MySQL Warnings with PHP?
How to catch unhandled exceptions when using .NET Remoting
Error handling / error logging in C++ for library/app combo
How to Catch an exception in a using block with .NET 2.0?
How to catch SQLServer timeout exceptions
.NET - Throwing Exceptions best practices
How do I log uncaught exceptions in PHP?
What's the best way to report errors from a SharePoint workflow?
Is there a method for handling errors from COM objects in RDML?
How do you log errors (Exceptions) in your ASP.NET apps?
Using unhandled exceptions instead of Contains()?
Global Exception Handling for winforms control
Reducing duplicate error handling code in C#?