production environment - http 500 error page - no stacktrace please

Hi guys,

Here’s the context:

I work for a very large enterprise. Here, we have many WebSphere Application Server clusters, each running many J2EE web applications. Most (but not all) of these applications contain special directives in their web.xml to display a custom error page when an unexpected exception occurs. Here’s an example:
By doing that, of course, we aim to show a friendly error page to our customers, but furthermore, we mainly aim to hide the stacktraces which are usually included in standard http 500 error pages. As you should know, these stacktraces include a lot of sensitive data such as packages’ names, classes’ names and even methods’ names. Worse, sometimes these stacktraces contain SQL exceptions, which often reveal which database server software is used. Even worse, sometimes these stacktraces contain file and folder paths, which, in turn, can reveal which operating system family our WebSphere Application Server runs on. Do I need to mention all the other even more sensitive data which can be revealed by these stacktraces? (Usernames, port numbers, IP addresses, computer/server names, JNDI objects’ names…)

So, no big surprise here, every large enterprise needs to hide these stacktraces from its customers.

But, here’s our problem:

Sometimes, even with a custom error page well configured in the web.xml file, WebSphere sends the basic error page to the customers’ web browser. I understand very well why WebSphere does that. For example, I know that when the HTTP response’s headers are already committed, WebSphere cannot reset its buffer to send the custom error page, and then cannot do better than sending a basic error page.



So, here are my questions:

Is it possible to configure WebSphere so it never ever includes any stacktrace in its basic error page? This way, even when, for some technical reason, WebSphere cannot send our custom error page, at least the basic error page won’t include any sensitive data.

How can we do this?

Thanks,
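As an added example (not from the original post, and not a WebSphere setting), a servlet filter that enforces the same goal the post describes at the application level: it catches anything the application throws before the container's error-page mechanism sees it, logs the full trace server-side, and handles the "response already committed" case by sending nothing further instead of letting the exception reach the container's default page. The error page path `/WEB-INF/error.jsp` is an assumption.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Last-resort guard against stack traces leaking into HTTP responses.
 * Map it to /* in web.xml:
 *   <filter><filter-name>noTrace</filter-name>
 *     <filter-class>StackTraceSuppressingFilter</filter-class></filter>
 *   <filter-mapping><filter-name>noTrace</filter-name><url-pattern>/*</url-pattern></filter-mapping>
 */
public class StackTraceSuppressingFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(StackTraceSuppressingFilter.class.getName());
    // Assumed location of the application's friendly error page (hypothetical path).
    private static final String ERROR_PAGE = "/WEB-INF/error.jsp";

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } catch (Exception e) {
            // Full details stay in the server log, where operators can read them.
            LOG.log(Level.SEVERE, "Unhandled exception while serving request", e);
            HttpServletResponse resp = (HttpServletResponse) res;
            if (resp.isCommitted()) {
                // Headers are already on the wire, so the buffer cannot be reset and the
                // container would fall back to its default page. Stop here: the client gets a
                // truncated body, but never the exception.
                return;
            }
            // Not committed yet: discard whatever was buffered and serve the friendly page.
            resp.reset();
            resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            req.getRequestDispatcher(ERROR_PAGE).forward(req, resp);
        }
    }
}
```

Exceptions thrown by the filter chain are swallowed here on purpose, so the container never builds its own error page for them; exceptions raised by the error page itself still propagate.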