Re: [jetty-users] Question about HTTPS bad request error message

Hello Joakim,

Thanks, that does take care of the stack trace. It seems like the call must be done on the server.getErrorHandler which is not defined (null) until the server has been started. Perhaps I am doing it wrong but doing server.getErrorHandler.setShowStacks(false) directly after server.start works.

I will now see if the customer is satisfied with the current behavior and if not I will look into the suggestions Simone made about custom error pages.

Cheers,

Silvio


On 22-07-19 14:17, Joakim Erdfelt wrote:
One word of warning.

Error 400 is a bit unique and special in that many kinds of error 400 happen very early in the processing of a potential incoming request.
Many times the error 400 occurs before a context is known and as a result the error is served directly from the server, and not a context that would have the ErrorPageErrorHandler API.

If the concern is that the error page has a stacktrace, then you can turn that off in the ErrorHandler.setShowStacks(false).
A typical setup on a server is that the server itself has a generic ErrorHandler, and each context (webapp) has its own ErrorPageErrorHandler which has mappings for exceptions or status codes to resources (dynamic or static) that handle the error.

Joakim Erdfelt / joakim@xxxxxxxxxxx


On Mon, Jul 22, 2019 at 6:58 AM Simone Bordet <sbordet@xxxxxxxxxxx> wrote:
Hi,

On Mon, Jul 22, 2019 at 12:25 PM Silvio Bierman
<sbierman@xxxxxxxxxxxxxxxxxx> wrote:
>
> Hello all,
>
> We run an application that embeds Jetty 9.4.19. Upon receiving a
> malformed request where the Host header has been deliberately set to
> 127.0.0.1 (and therefore does not match the request URL) our server
> responds with:
>
> HTTP ERROR 400
>
> Problem accessing /. Reason:
>
> Host does not match SNI
>
> Caused by:
>
> <stacktrace>
>
> During a pen-test that was done by one of our customers this was deemed
> too much internal information. What is the easiest way to configure
> the error info that we return upon such requests?

Custom error pages, by using the ErrorPageErrorHandler API, see e.g.
https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-servlet/src/test/java/org/eclipse/jetty/servlet/ErrorPageTest.java.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
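
The two-level setup discussed in this thread, as an added example that is not code from any of the posters or from the Jetty project: a server-level ErrorHandler with stack traces off, registered as a server bean before start(), plus a per-context ErrorPageErrorHandler that maps status codes to one generic page. The port, the `./webroot` resource base and the `/errors/generic.html` page are assumptions, and the HTTPS connector setup is omitted.

```java
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ErrorPageErrorHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;

public class QuietErrorsServer {
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080); // assumed port; real setup would add an SSL connector

        // Server-level handler: answers errors raised before any context is
        // selected (many 400s). Adding it as a bean before start() means the
        // setting is in place from the first request.
        ErrorHandler serverErrors = new ErrorHandler();
        serverErrors.setShowStacks(false);
        server.addBean(serverErrors);

        // One context serving static files from an assumed directory.
        ServletContextHandler context =
                new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        context.setContextPath("/");
        context.setResourceBase("./webroot"); // hypothetical directory
        context.addServlet(DefaultServlet.class, "/");

        // Context-level handler: errors raised inside the webapp are mapped
        // to a single generic page so no internal detail reaches the client.
        ErrorPageErrorHandler contextErrors = new ErrorPageErrorHandler();
        contextErrors.setShowStacks(false);
        String genericPage = "/errors/generic.html"; // hypothetical resource
        contextErrors.addErrorPage(400, genericPage);
        contextErrors.addErrorPage(404, genericPage);
        contextErrors.addErrorPage(500, 599, genericPage);
        contextErrors.addErrorPage(Throwable.class, genericPage);
        context.setErrorHandler(contextErrors);

        server.setHandler(context);
        server.start();
        server.join();
    }
}
```

Sending a request with a deliberately mismatched Host header, as in the pen-test described above, and inspecting the response body is a quick way to confirm that no stack trace is returned.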
