
I have a Spring Maven application written in Java that runs on Tomcat on 2 different Linux servers: Server1 and Server2.

And I have the following Java code that gets executed when the user from the application does not have rights to perform a certain operation:

```java
if (!userHasRightsToPerformOperation) {
    response.setStatus(HttpServletResponse.SC_FORBIDDEN);
    RequestDispatcher rd = request.getRequestDispatcher("No_Rights_Exception_Page.jsp");
    rd.forward(request, response);
}
```

On the first server Server1, when the user does not have rights to perform an operation, the content of the No_Rights_Exception_Page.jsp is rendered correctly.

On the second server Server2, when the user does not have rights to perform an operation, instead of seeing the content of the No_Rights_Exception_Page.jsp page, the user gets an error from the browser, like "Secure Connection Failed" (in Firefox) or "This site can't be reached" (in Chrome) after submitting the request like 10 times or so.

I assume that there is a difference in how the 2 servers are set up or in how Tomcat is set up on those servers, but I do not know where to look.

If I remove the line that sets the status to 403, everything works as expected on both servers - the content of the No_Rights_Exception_Page.jsp is rendered as expected. Unfortunately, this is not a valid option for me, as this strategy (setting the status to 403 when access is forbidden) is used all across the application, and this solution would imply a lot of changes just for fixing something that seems to be a server setting issue.

Do you have any idea where I should look for this setting?

Later Edit:

I have looked at the logs generated in catalina.out when starting Tomcat and these are the setting differences between the 2 servers:

On the good server, Server1, I have:

```
Server version: Apache Tomcat/8.5.28
JVM Version: 1.8.0_162-b12
Command line argument: -XX:MaxMetaspaceSize=8g
Command line argument: -Dignore.endorsed.dirs=
```

On the faulty server, Server2, I have:

```
Server version: Apache Tomcat/8.5.14
JVM Version: 1.8.0_131-b11
```

But I do not think that the version 8.5.14 is causing this issue as I have the same version on my local machine and everything is working as expected on my local machine.

Also, the JSP is compiled correctly on both servers. And if I put a System.out.println("test message") in it, I can see that "test message" output in the catalina.out log, so it means that it reaches the code, but in the browser the response body is empty.

My guess is that there is a security setting enforced on the second server so that when a response has the status 403, it overrides the response body and it sends an empty response body instead. But I have no idea what to look for and where to look for this setting.

Denisa
  • Which exact Tomcat version are you running (on both servers)? If there is a dump of all System Properties at the beginning of the catalina.out log file when you are starting it, are all the properties the same on both servers (if you don't have them in the log, put a JSP to dump them and compare)? More important, on the faulty server, do you have the JSP compiled in the `$CATALINA_HOME/work` directory (I suppose it is automatically compiled without any problem on the good server)? – Eugène Adell Nov 01 '18 at 22:38
  • @EugèneAdell I have responded to your questions in the question that I originally posted. Please see the "Later Edit:" section. Thanks :) – Denisa Nov 02 '18 at 13:36
  • https://stackoverflow.com/questions/38551166/403-access-denied-on-tomcat-8-manager-app-without-prompting-for-user-password check second answer – xMilos Nov 02 '18 at 13:47
  • @MasterYi that question is about access to the Tomcat Manager and how to allow access to that application. My issue has nothing to do with that. In my Java application, when the logged-in user tries to perform an operation that he/she is not allowed to, the code explicitly sets the status 403 on the response and forwards to the No_Rights_Exception_Page.jsp page. My issue is that when this happens the faulty server somehow overrides the response body and sets it to empty. – Denisa Nov 02 '18 at 14:40
  • @Denisa Your problem is weird. Remember that error pages can (and should) be handled at the configuration level (error-page tag in the web.xml) even if you set the status code to 403. I suggest you remove all of your Tomcat on the second server, zip from the first and unzip again on the second (it could be a different file ordering leading to a different runtime classloading). As you say Java and Tomcat versions are not involved, I just think about this case of different classloading although all files are the same. – Eugène Adell Nov 02 '18 at 18:50
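
One way to narrow down where the 403 body is lost, as an added example that is not part of the original question or its comments: a servlet filter that records, for every response ending in 403, whether the response was committed and how many characters the forwarded JSP wrote. The class name, the `/*` mapping and the log format are assumptions; it targets the `javax.servlet` 3.1 API that Tomcat 8.5 provides.

```java
import java.io.FilterWriter;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Hypothetical diagnostic filter: deploy the same build on both servers and compare the log lines.
@WebFilter("/*") // assumption: annotation scanning is enabled; otherwise map it in web.xml
public class ForbiddenBodyProbeFilter implements Filter {

    // Counts characters written through getWriter(), which is the path a JSP uses.
    static class CountingResponse extends HttpServletResponseWrapper {
        long chars;
        private PrintWriter counting;

        CountingResponse(HttpServletResponse r) { super(r); }

        @Override public PrintWriter getWriter() throws IOException {
            if (counting == null) {
                counting = new PrintWriter(new FilterWriter(super.getWriter()) {
                    @Override public void write(int c) throws IOException { chars++; out.write(c); }
                    @Override public void write(char[] b, int off, int len) throws IOException { chars += len; out.write(b, off, len); }
                    @Override public void write(String s, int off, int len) throws IOException { chars += len; out.write(s, off, len); }
                });
            }
            return counting;
        }
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        CountingResponse probe = new CountingResponse((HttpServletResponse) res);
        try {
            chain.doFilter(req, probe);
        } finally {
            if (probe.getStatus() == HttpServletResponse.SC_FORBIDDEN) {
                // Written to the web application's context log, one line per 403 response.
                req.getServletContext().log("403 probe: uri=" + ((HttpServletRequest) req).getRequestURI()
                        + " committed=" + probe.isCommitted() + " charsWritten=" + probe.chars
                        + " contentType=" + probe.getContentType() + " bufferSize=" + probe.getBufferSize());
            }
        }
    }
}
```

If Server2 logs `committed=true` with a non-zero `charsWritten`, the application handed the page to the container and the comparison should move to what sits between the container and the browser; a zero count points back inside the web application.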

0 Answers