tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Singleton <>
Subject Re: HTTP status code 404
Date Mon, 05 Sep 2005 19:28:30 GMT
QM wrote:
> On Mon, Sep 05, 2005 at 06:28:05PM +0100, Paul Singleton wrote:
> : But we want *no* error page, just a 404 status returned to
> : the browser, which will then presumably present this failure
> : to the user in its own way.  Or have I musunderstood 404s?

> Yes and no.  Browsers are free to interpret 404s (and any other error
> code) as they see fit.  For example, IE's "friendly error messages" will
> interpret the status code and show the user its own "not found" page
> instead of the data returned by the server.

> : Exactly what <error-page> element will achieve this, and
> : where should we call ...setStatus(...NOT_FOUND)?

> If you *really* want to leave this up to the browser, map the
> <error-page> to a JSP that simply sets a 404 response and returns no
> data.  (I forget the exact API call for this, but it's in the
> HttpServlet or HttpServletRequest JavaDoc.)

It's in javax.servlet.http.HttpServletResponse (from 2.1), hence


> ...
 > The real question is, do you really want to do this?

I *really* want to return a page which gives a hacker no indication
which web app server we're using (because our client thinks this is
good security practice) without going to the trouble of writing my
own :-)

I've tried your dataless 404 suggestion, and it indeed prompts IE
to show that familiar

   The page cannot be found

effort, but unfortunately Firefox shows a blank page, so just in case
there are ever any broken links in our web apps, I'd better not leave
it up to the browser, but write a (suitably anonymous) one of our own.

Many thanks for your help

Paul Singleton

No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.18/89 - Release Date: 2/Sep/2005

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message