5

In UrlMappings.groovy, I have set "500"(controller:'error', action:'error') so that my own error controller (and view) is used.

It usually works, however when I tried tampering with the request input (submitting a parameter with 1MB size), I got a Tomcat generated error page with HTTP Status 500.

At first I thought this error was generated only by Tomcat, so that Grails couldn't do anything about it, but the exception is an org.springframework.web.util.NestedServletException (nested exception java.lang.StackOverflowError) and there are many org.codehaus.groovy.grails packaged classes in the stack trace.

I think showing this exception, including the stack trace, to potential attackers is dangerous, so how can I configure Grails to always show my own error page? Or is it only possible to configure that in Tomcat?

pnuts
Jörg Brenninkmeyer

2 Answers

3

It's possible that this is a Grails bug. I found this Nabble thread which directed me to this JIRA issue. That issue was resolved, but in the comments Peter Ledbrook linked to a different JIRA issue that may or may not be your problem.

If that does look like what's happening for you, there's a workaround suggested in the comments, which can be found here. The bug itself is scheduled to be fixed in 1.4; the workaround above is targeted for 1.3.

Rob Hruska
  • I would like to try the fix, but when I run "grails install-plugin myFolder/grails-error-pages-fix.zip" grails seems to look for it online instead of using the local version. And it isn't available via the standard repository... it's only here on github: https://github.com/alkemist/grails-error-pages-fix Any idea how I can install it? – Jörg Brenninkmeyer Dec 09 '10 at 14:47
  • You can probably download the source (the Download button in the top-rightish), extract it, build it, and then install the plugin with the built distributable. I can't say I've ever installed a Grails plugin from Github, so I'm afraid I'm not the best to instruct you. But perhaps someone else can chime in. – Rob Hruska Dec 09 '10 at 14:57
  • I got it now using "install-plugin http://download.github.com/alkemist-grails-error-pages-fix-303f215.zip". But the installer fails saying "No plugin.xml descriptor found!" (and it's really not there). I guess it's not a real plug-in but has to be integrated into the project manually... – Jörg Brenninkmeyer Dec 09 '10 at 16:47
  • Thanks to a reply from the author, I got it working simply using "grails install-plugin error-pages-fix"! However I checked and it does NOT solve the problem unfortunately. – Jörg Brenninkmeyer Dec 30 '10 at 11:59
1

Agreeing with Rob Hruska, having stumbled across most of his links myself.

I, too, suspect that the grails-error-pages-fix plugin ought to fix the issue - as the grailsWebRequest servlet by default doesn't have a <dispatcher>ERROR</dispatcher> assigned in web.xml.

The technique used with this plugin basically does the same as the technique that I'd suggested in a previous post. (Nevertheless, my own tests, as can be seen by my comments there, haven't led to consistent findings yet.)

Finally, one thing that would work at any rate is to implement a custom servlet Filter.

robbbert
  • +1 For the custom Filter, I do that in most of my applications, since it provides more control (as opposed to letting the container handle your errors for you). – Rob Hruska Dec 09 '10 at 14:54
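
The custom servlet Filter approach suggested in the answer above, as an added example that is not code from any of the posters or from Grails. The class name GenericErrorFilter, the plain-text response body and the reference-ID scheme are assumptions, and the filter is assumed to be registered in web.xml as the outermost filter mapped to /* using the javax.servlet API.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; register it as the outermost filter so it wraps the whole chain.
public class GenericErrorFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(GenericErrorFilter.class.getName());

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } catch (Throwable t) {
            // Throwable rather than Exception: a bare StackOverflowError is an Error,
            // and the NestedServletException wrapper from the question is caught as well.
            String ref = UUID.randomUUID().toString();
            // The full stack trace goes to the server log only, keyed by the reference ID.
            LOG.log(Level.SEVERE, "Unhandled error, ref=" + ref, t);
            if (res.isCommitted()) {
                return; // headers already sent; the response can no longer be replaced
            }
            res.reset(); // discard any partially buffered output and headers
            ((HttpServletResponse) res).setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            res.setContentType("text/plain;charset=UTF-8");
            String body = "Internal error. Reference: " + ref;
            try {
                res.getWriter().write(body);
            } catch (IllegalStateException e) {
                // getOutputStream() was already used for this response
                res.getOutputStream().write(body.getBytes("UTF-8"));
            }
        }
    }
}
```

The client sees only the status code and the reference ID, which support staff can match against the logged stack trace.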