tomcat-users mailing list archives

From Emil Alexandroff <emil.alexandr...@gmail.com>
Subject Re: FW: HttpServletResponse.sendError - missing message in error page
Date Fri, 27 Jul 2018 10:35:31 GMT
>
> -----Original Message-----
> From: Mark Thomas <markt@apache.org>
> Sent: 26 July 2018 19:04
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: HttpServletResponse.sendError - missing message in error page
>
> On 26/07/2018 13:46, Assia Djambazova wrote:
> > Hello,
> >
> > I noticed that when using HttpServletResponse.sendError in Tomcat 7.0.90
> > with a string message, the message is no longer shown when the response is
> > displayed.
> >
> > I reproduce this with a request to a simple servlet:
> >
> >     public void doGet(HttpServletRequest request, HttpServletResponse response)
> >             throws ServletException, IOException {
> >         response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "TEST ERROR MESSAGE");
> >     }
> >
> > The result in the browser is different:
> >
> > In Tomcat 7.0.90  HTTP Status 500 ? Internal Server Error
>
> That question mark doesn't look right. I don't see it when I test this
> locally.
>
> > In Tomcat 7.0.88  HTTP Status 500 - TEST ERROR MESSAGE
> >
> > I think that this change is the cause [1]
>
> Correct.
>
> > However, this change looks incompatible with servlet spec and breaks our
> > integration tests. It seems to me from the spec [2] that the message should
> > be displayed: *The server defaults to creating the response to look like an
> > HTML-formatted server error page containing the specified message, setting
> > the content type to "text/html"*
>
> This is not a spec compliance issue. The ErrorReportValve is an optional
> component that is not enabled by default.
>
> (And the default settings of the ErrorReportValve are spec compliant.)
>
> > I use the ErrorReportValve and showReport is set to false.
>
> Set showReport to true.
>
> > Reading [3]
> > doesn't clarify if the error message is part of the error report or not and if
> > it should be displayed.
>
> It is implied but it could be clearer.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

Hi Mark,

> “It is implied but it could be clearer.”

Actually, at least my logic leans in the other direction. The error
message is something that is provided to the end-users. It is meant to
be internationalized and be user-friendly. And you pass it via
sendError. However, the error stack trace shouldn’t be visible and the
logic to hide it with showReport=false is a good one. On the one hand you
hide unnecessary and confusing info from end-users, plus you lower
the security attack vector to your app. And I can add that until version
7.0.88 it was working like that.

I agree that the default ErrorReportValve is not something that has to be
backward compatible, as the apps should have provided their own. Yet,
we were using the default as it was working very well and was covering
our needs.

Honestly I don’t see the purpose of this change. Here is the changed code:

7.0.88 > sb.append(smClient.getString("errorReportValve.statusHeader",
String.valueOf(statusCode), message)).append("</h1>");

7.0.90 > sb.append(smClient.getString("errorReportValve.statusHeader",
String.valueOf(statusCode), reason)).append("</h1>");

What is the reason to show ‘reason’ which is technical (like Internal
Server Error), instead of ‘message’ which is end-user text?

Can you rethink this change and if possible bring back the old behavior?

Kind Regards,
Emil
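
An added example, not part of the original thread and not Tomcat's own code: an application-provided error page of the kind the message above refers to, which shows the text passed to sendError HTML-escaped and never a stack trace. The class name AppErrorServlet, the /app-error path and the web.xml mapping in the comment are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical error page. Assumed web.xml mapping:
//   <error-page><error-code>500</error-code><location>/app-error</location></error-page>
@WebServlet("/app-error")
public class AppErrorServlet extends HttpServlet {

    // service() is overridden because the error dispatch keeps the original HTTP method.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Integer status = (Integer) req.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
        Object message = req.getAttribute(RequestDispatcher.ERROR_MESSAGE);
        Throwable cause = (Throwable) req.getAttribute(RequestDispatcher.ERROR_EXCEPTION);

        String shown = "The request could not be processed.";
        if (cause != null) {
            // Uncaught exception: its message may expose internals, so log it
            // server-side and keep the generic text for the client.
            log("Unhandled error", cause);
        } else if (message != null && !message.toString().isEmpty()) {
            // No exception attribute: treat the text as the sendError() message.
            shown = message.toString();
        }

        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<!DOCTYPE html><html><head><title>Error</title></head><body>");
        out.println("<h1>HTTP Status " + (status != null ? status : 500)
                + " - " + escapeHtml(shown) + "</h1></body></html>");
    }

    // Minimal HTML escaping so a message that echoes request data cannot inject markup.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```

With this page mapped, the ErrorReportValve can keep showReport set to false for everything the application does not handle itself.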
