Posted to users@tomcat.apache.org by Mitch <mi...@upcmail.nl.INVALID> on 2023/02/24 11:18:42 UTC

Issue with request context empty after http error

Hello,

I’m currently trying to resolve an issue from our customer about the Tomcat version being visible if bad characters are inserted into the URL (the step to reproduce is to add a '{'). This produces an HTTP 400 and redirects you to the default Tomcat error page with a stack trace and version number.
To resolve this, I want every generic HTTP error to redirect to a logout servlet which then immediately kills the session (not elegant, but sufficient enough for our customer). To do this I could use an ErrorReportValve, but that, from what I understand, is only able to go to static HTML pages (a JSP would’ve worked for me here as well but doesn't seem possible?). Instead I should be able to define HTTP errors in the web.xml. This functionality doesn’t seem to work for me.

Debugging my issue, I find that in order for this to work, it needs to trigger a status(req,res) function in StandardHostValve.java. This should be done by the default ErrorReportValve’s invoke(req,res). When this happens though, the first step in invoke is checking if the context is null. This is always the case for me, because the URI never gets set because it’s an invalid URI (with an invalid character). If the context is null, the status function is never called, and thus the default error page gets generated instead.

My question is as follows: is this a bug or is this a possible fault in my configuration? My configuration is as follows (some values masked for security reasons):

Tomcat version tested: 9.0.62, 9.0.72
Host OS: Windows 10
Java version: 11.0.4

— ${CATALINA_HOME}/conf/server.xml —

<?xml version="1.0" encoding="utf-8"?>
<Server port="8005" shutdown="SHUTDOWN">
    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
    <Listener className="org.apache.catalina.mbeans.GlobalResourceLifecycleListener" />
    <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

    <Service name="xxx">
        <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" enableLookups="false" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslImplementationName="ourCustomImplementation" />
        <Engine name="xxx" defaultHost="localhost">
            <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
        </Engine>
    </Service>
</Server>

— ${CATALINA_HOME}/webapps/ROOT/WEB-INF/web.xml —

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">

    <error-page>
        <location>/logout.htm</location>
    </error-page>
</web-app>

All servlet mapping is done with Spring web MVC

Regards,

Mitch
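
Added example, not part of the original post: a Host-level ErrorReportValve configuration that covers the case described above, where the request is rejected before any context is mapped and the web.xml <error-page> entry is therefore never consulted. The two file paths under conf/errors/ are assumed names for static pages you would create yourself.

```xml
<!-- ${CATALINA_HOME}/conf/server.xml, inside <Engine> -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
    <!--
      A 400 for an invalid character in the request target is produced
      before a Context exists, so it must be handled at Host level.

      Defaults (the behaviour reported in the post):
        showReport="true"      stack trace is written into the error page
        showServerInfo="true"  "Apache Tomcat/x.y.z" is written into the page

      Hardened settings below:
        showReport="false"     no stack trace in the response body
        showServerInfo="false" no server name or version in the response body
        errorCode.400          static UTF-8 HTML file returned for HTTP 400
        errorCode.0            static UTF-8 HTML file returned for any status
                               code that has no errorCode.nnn entry of its own
      Relative locations are resolved against $CATALINA_BASE.
      Both file names are assumptions made for this example.
    -->
    <Valve className="org.apache.catalina.valves.ErrorReportValve"
           showReport="false"
           showServerInfo="false"
           errorCode.400="conf/errors/400.html"
           errorCode.0="conf/errors/generic.html" />
</Host>
```

With this valve in place the web.xml <error-page> mapping still applies to errors raised inside a deployed application, while errors without a context fall back to the static files.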