
production environment - http 500 error page - no stacktrace please

Jean-Francois Samson
Posts: 2
Java Spring Ubuntu
Hi guys,

Here’s the context:

I work for a very large enterprise. Here, we have many WebSphere Application Server clusters, each running many J2EE web applications. Most (but not all) of these applications contain special directives in their web.xml to display a custom error page when an unexpected exception occurs. Here’s an example:
By doing that, of course, we aim to show a friendly error page to our customers, but furthermore, we mainly aim to hide the stack traces which are usually included in standard HTTP 500 error pages. As you should know, these stack traces include a lot of sensitive data such as package names, class names and even method names. Worse, sometimes these stack traces contain SQL exceptions, which often reveal which database server software is used. Even worse, sometimes these stack traces contain file and folder paths, which, in turn, can reveal which operating system family our WebSphere Application Server runs on. Do I need to mention all the other even more sensitive data which can be revealed by these stack traces? (Usernames, port numbers, IP addresses, computer/server names, JNDI object names…)

So, no big surprise here, every large enterprise needs to hide these stack traces from its customers.

But, here’s our problem:

Sometimes, even with a custom error page well configured in the web.xml file, WebSphere sends the basic error page to the customer’s web browser. I understand very well why WebSphere does that. For example, I know that when the HTTP response’s headers are already committed, WebSphere cannot reset its buffer to send the custom error page, and so cannot do better than sending a basic error page.

So, here are my questions:

Is it possible to configure WebSphere so it never ever includes any stack trace in its basic error page? This way, even when, for some technical reason, WebSphere cannot send our custom error page, at least the basic error page won't include any sensitive data.

How can we do this?
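The post describes two layers of the problem: the web.xml `<error-page>` directives that normally hide the stack trace, and the committed-response case where the container can no longer swap in the custom page and falls back to its default one. The following is an added example, not code from the poster or from WebSphere, of an application-level safety net for exactly that gap: a catch-all servlet filter that logs the full exception server-side and makes sure the container never gets to render its own stack-trace page, whether or not the response is already committed. It assumes the javax.servlet 2.4+ API, a hypothetical class name `example.SafeErrorFilter`, a hypothetical friendly page at `/WEB-INF/error/500.jsp`, and the web.xml fragment shown in the comment; it does not replace the server-wide WebSphere setting the question asks about, it only guarantees the application itself stops the leak.

```java
// Added example (not from the original post). A filter that guarantees the
// container's default error page (with its stack trace) never reaches the
// client, even when the web.xml <error-page> mechanism cannot run.
//
// Assumed web.xml fragment (hypothetical application):
//
//   <filter>
//     <filter-name>SafeErrorFilter</filter-name>
//     <filter-class>example.SafeErrorFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>SafeErrorFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//     <dispatcher>REQUEST</dispatcher>
//   </filter-mapping>
//   <error-page>
//     <exception-type>java.lang.Throwable</exception-type>
//     <location>/WEB-INF/error/500.jsp</location>
//   </error-page>
//   <error-page>
//     <error-code>500</error-code>
//     <location>/WEB-INF/error/500.jsp</location>
//   </error-page>

package example;

import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SafeErrorFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(SafeErrorFilter.class.getName());

    // Hypothetical friendly page; must match the <error-page> location in web.xml.
    private static final String ERROR_PAGE = "/WEB-INF/error/500.jsp";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            chain.doFilter(request, response);
        } catch (Throwable t) {
            // The full stack trace goes to the server log only, tagged with an
            // id that support staff can correlate with what the client saw.
            String incidentId = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "Unhandled exception, incident " + incidentId
                    + " for " + request.getRequestURI(), t);

            String clientMessage = "\nAn error occurred. Incident " + incidentId + "\n";

            if (!response.isCommitted()) {
                // Normal case: discard the buffered output and render the friendly page.
                response.reset();
                response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                request.setAttribute("incidentId", incidentId);
                request.getRequestDispatcher(ERROR_PAGE).forward(request, response);
            } else {
                // Headers and part of the body are already on the wire, so no page
                // can replace them. Append a neutral line and finish the response;
                // because the exception is not rethrown, the container sees a normal
                // completion and does not append its own stack-trace page.
                try {
                    response.getWriter().write(clientMessage);
                } catch (IllegalStateException alreadyUsingStream) {
                    // The servlet used getOutputStream(), so the writer is unavailable.
                    response.getOutputStream().write(clientMessage.getBytes("UTF-8"));
                }
                response.flushBuffer();
            }
        }
    }

    @Override
    public void destroy() { }
}
```

Because the filter catches `Throwable` itself, the `<exception-type>` mapping in web.xml is no longer what renders the page for exceptions thrown inside the chain; it stays useful for the `sendError(500)` path and for code outside the filter's `REQUEST` dispatch. The `isCommitted()` branch is the case the post describes: nothing can make the response friendly at that point, so the goal shrinks to making sure no stack trace follows the bytes already sent.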
