Best IT Recipes

Disable all HTTP HTTP error messages by default in Tomcat

By default, Tomcat sends some HTML content back to the client if it encounters something like HTTP 404. I know that through web.xml a <error-page> can be configured to configure this content.

However, I would like Tomcat not to send anything in terms of the content of the response (of course, I still need a status code). Is there a way to easily configure this?

I try to avoid A) explicitly sending empty content in the response stream from my Servlet, and B) setting up custom error pages for a whole group of HTTP error statuses in my web.xml .

For some background, I am developing an HTTP API and controlling my own response content. For example, for HTTP 500, I populate some XML content in a response containing error information. For situations such as HTTP 404, an HTTP response is sufficient for an HTTP response, and sending tomcat content is not required. If there is another approach, I am open to listening to it.

Edit: After continuing the investigation, I still cannot find a solution. If someone can finally say that this is impossible, or provide the resource with evidence that it will not work, I will accept this as an answer and try to get around it.

+54
java tomcat servlets
Apr 27 '09 at 16:42
source share
7 answers

If you do not want tomcat to display the error page, do not use sendError (...). Use setStatus (...) instead.

eg. if you want to give a 405 answer then you do

 response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED); response.getWriter().println("The method " + request.getMethod() + " is not supported by this service.");

Also remember to throw any Exceptions from your servlet. Instead, catch the Exception and, again, set the statusCode yourself.

i.e.

 protected void service(HttpServletRequest request, HttpServletResponse response) throws IOException { try { // servlet code here, eg super.service(request, response); } catch (Exception e) { // log the error with a timestamp, show the timestamp to the user long now = System.currentTimeMillis(); log("Exception " + now, e); response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); response.getWriter().println("Guru meditation: " + now); } }

Of course, if you don’t need any content, then just don’t write anything to the writer, just set the status.

+39
Sep 20 '09 at 13:39
source

Despite the fact that this does not respond specifically to the "do not send anything" instructions on this issue and in the wake of Clive Evans' answer, I learned that in tomcat you can make these too many text texts leave the error pages without creating a custom ErrorReportValve.

You can perform this ErrorReportValve setup through 2 parameters "showReport" and "showServerInfo" on your "server.xml":

 <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />

Link to official documentation .

Worked for me on tomcat 7.0.55, did not work for me on tomcat 7.0.47 (I think because of something reported via the following link <a2> )

+26
Aug 11 '14 at 7:14
source

As Heikki said, setting status instead of sendError() causes Tomcat not to touch the object / body / payload of the response.

If you want to send response headers without any entity, as in my case,

 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); response.setContentLength(0);

does the trick. If Content-Length: 0 , print() will not have an effect, even if it is used, for example:

 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); response.setContentLength(0); response.getWriter().print("this string will be ignored due to the above line");

the client gets something like:

 HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 Content-Type: text/html;charset=utf-8 Content-Length: 0 Date: Wed, 28 Sep 2011 08:59:49 GMT

If you want to send an error message, use setContentLength() with the message length (other than zero) or you can leave it on the server

+9
Sep 28 2018-11-11T00:
source

A quick, slightly dirty, but easy way to stop Tomcat from sending any kind of error body is to call setErrorReportValveClass against the tomcat host with a custom error report valve that cancels the report to do nothing. i.e:

 public class SecureErrorReportValve extends ErrorReportValve { @Override protected void report(Request request,Response response,Throwable throwable) { } }

and install it with:

  ((StandardHost) tomcat.getHost()).setErrorReportValveClass(yourErrorValveClassName);

If you want to send your message and just think that Tomcat should not mess with it, you want something like:

 @Override protected void report(final Request request, final Response response, final Throwable throwable) { String message = response.getMessage(); if (message != null) { try { response.getWriter().print(message); response.finishResponse(); } catch (IOException e) { } } }
+8
Nov 17 '11 at 11:12
source

Although it is compatible with servlets, for security reasons, I don't want tomcat or any other Servlet container to send error data. I also struggled a bit with this. After searching and trying, the solution can be summarized as:

  • as mentioned above, don't use sendError() , use setStatus() instead
  • for example, for example. Spring Using sendError() security though ...
  • write Filter to a. redirects calls to sendError() to setStatus()
    b. discards the response at the end to prevent further modification of the response container

The following is a small example of a servlet filter .

+5
Jan 16 '13 at 9:47 on
source

Why not just set up an <error-page> element with an empty HTML page?

+2
Apr 27 '09 at 17:51
source

Although this question is a bit old, I ran into this problem. First of all, the behavior of Tomcat is absolutely correct. This is for servlet. You should not change the behavior of Tomcat against the specification. As mentioned in Heikki Vesalainen and mrCoder, use only setStatus and setStatus .

sendError this may concern, I picked up a ticket with Tomcat to improve sendError .

+1
Nov 23 '12 at 21:16
source


More articles:


All Articles