
When I use the browser and an error is thrown, I am correctly redirected to the custom error page specified in the web.xml file.

But why do I always see the default 400 error page, with its stack trace, in the output of curl? Am I missing the type of exception handled (I'm using java.lang.Exception), or something else?


This is the code of the servlet:

package test.company.com;

import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// The class declaration, mapping and LOGGER field were not in the posted excerpt;
// the servlet name and the "/test" URL pattern are placeholders.
@WebServlet("/test")
public class TestServlet extends HttpServlet {

    private static final Logger LOGGER = Logger.getLogger(TestServlet.class.getName());

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            // stuff here ..

        } catch (Throwable e) {
            // Log the original error, then rethrow a bare ServletException so that
            // the <error-page> mapping in web.xml handles it (no cause is attached,
            // so nothing from the original exception reaches the response)
            LOGGER.log(Level.SEVERE, e.getMessage(), e);
            throw new ServletException();
        }
    }
}

And this is the web.xml config file:

<error-page>
  <exception-type>javax.servlet.ServletException</exception-type>
  <location>/error.jsp</location>
</error-page>
<error-page>
  <exception-type>java.lang.Exception</exception-type>
  <location>/error.jsp</location>
</error-page>
<error-page>
  <error-code>400</error-code>
  <location>/error.jsp</location>
</error-page>
<error-page>
  <error-code>404</error-code>
  <location>/error.jsp</location>
</error-page>
<error-page>
  <error-code>500</error-code>
  <location>/error.jsp</location>
</error-page>

2 Answers


See the first two answers here: Which characters make a URL invalid? - you are sending <aaa> from the command line, and < and > are not allowed in a URL. The browser automatically encodes these characters into the %3C and %3E entities when you enter them in the address field, but curl does not - it expects you to know what you are doing. ;-) Thus, Tomcat does not even invoke your servlet, and responds with Bad Request (Error 400).

So, replace <aaa> with %3Caaa%3E in the command line, and you'll get to your servlet (and probably the expected Error 500).

Jozef Chocholacek
  • Suppose you are a black hat hacker and you want to trigger the server which hosts a web application, and you try to fuzz the parameters using, for example, curl or Burp, intercepting the request and removing the URL encoding performed by the browser. From the developer's perspective, you want to avoid giving information about the target by setting a generic error page and removing all the error stack traces. Why did Tomcat give me the stack trace even though I set a custom page for all HTTP 400 response status codes? The question is about this :) –  May 22 '19 at 11:55
    Ah, ok, my bad. Then the answer is here: https://stackoverflow.com/a/55702749/3511123 (TL;DR - you have to define the error page for 400 in `server.xml`, not in `web.xml`). – Jozef Chocholacek May 22 '19 at 13:05

Solved by configuring the ErrorReportValve class in server.xml of Tomcat 9; now the error stack trace is no longer available :-)

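As an added example (not part of the original answer), this is the kind of ErrorReportValve configuration the answer refers to. It goes inside the <Host> element of Tomcat 9's conf/server.xml, where the valve is normally already declared with only className set. showReport="false" drops the stack trace and exception message from the container-generated error body, showServerInfo="false" drops the Tomcat version string, and the errorCode.nnn attributes point container-level errors (such as the 400 produced before any servlet runs) at a static file; errorCode.0 is the fallback for codes without their own entry. The file paths are assumptions for this example.

```xml
<!-- conf/server.xml (Tomcat 9), inside <Host name="localhost" appBase="webapps" ...> -->
<!-- Replace the default <Valve className="org.apache.catalina.valves.ErrorReportValve"/> -->
<Valve className="org.apache.catalina.valves.ErrorReportValve"
       showReport="false"
       showServerInfo="false"
       errorCode.400="webapps/ROOT/error-400.html"
       errorCode.0="webapps/ROOT/error.html" />
</Valve>
```

Note that errorCode.nnn must reference a static HTML file (relative paths resolve against CATALINA_BASE), not a JSP: the valve serves the file itself and does not dispatch into the web application, which is why the <error-page> entries in web.xml never see a request Tomcat rejected at parse time. To confirm the fix, repeat the raw curl request with the unencoded <aaa> and check that the 400 response body contains neither a stack trace nor a Tomcat version string.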