You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Assia Djambazova <ki...@gmail.com> on 2018/07/26 11:46:27 UTC
HttpServletResponse.sendError - missing message in error page
Hello,
I noticed that when using HttpServletResponse.sendError in Tomcat 7.0.90
with string message the message is no longer shown as the response is
displayed.
I reproduce this with request to simple servlet:
* public void doGet(HttpServletRequest request, HttpServletResponse
response) throws ServletException, IOException {
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "TEST
ERROR MESSAGE"); }*
The result in the browser is different:
In Tomcat 7.0.90 HTTP Status 500 ? Internal Server Error
In Tomcat 7.0.88 HTTP Status 500 - TEST ERROR MESSAGE
I think that this change is the cause [1]
However, this change looks incompatible with servlet spec and breaks our
integration tests. It seems to me from the spec [2] that the message should
be displayed: *The server defaults to creating the response to look like an
HTML-formatted server error page containing the specified message, setting
the content type to "text/html"*
I use the ErrorReportValve and showReport is set to false. Reading [3]
doesn't clarify if error message is part of the error report or not and if
it should be displayed.
Thanks,
Assia
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60490
[2]
https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletResponse.html#sendError-int-java.lang.String-
[3]
https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Error_Report_Valve
Re: HttpServletResponse.sendError - missing message in error page
Posted by Michael Osipov <19...@gmx.net>.
> Hello,
>
> I noticed that when using HttpServletResponse.sendError in Tomcat 7.0.90
> with string message the message is no longer shown as the response is
> displayed.
>
> I reproduce this with request to simple servlet:
>
>
>
> * public void doGet(HttpServletRequest request, HttpServletResponse
> response) throws ServletException, IOException {
> response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "TEST
> ERROR MESSAGE"); }*
>
> The result in the browser is different:
>
> In Tomcat 7.0.90 HTTP Status 500 ? Internal Server Error
>
> In Tomcat 7.0.88 HTTP Status 500 - TEST ERROR MESSAGE
>
> I think that this change is the cause [1]
>
> However, this change looks incompatible with servlet spec and breaks our
> integration tests. It seems to me from the spec [2] that the message should
> be displayed: *The server defaults to creating the response to look like an
> HTML-formatted server error page containing the specified message, setting
> the content type to "text/html"*
>
> I use the ErrorReportValve and showReport is set to false. Reading [3]
> doesn't clarify if error message is part of the error report or not and if
> it should be displayed.
>
> Thanks,
> Assia
>
>
> [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60490
> [2]
> https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletResponse.html#sendError-int-java.lang.String-
> [3]
> https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Error_Report_Valve
I wrote the new code and I do think that this change just triggered this bug in Tomcat.
Frankly, I see the same error here in production for quite some time, but wasn't
able to fully isolate the issue to a simple test case. Can you?
What you see is that some Tomcat-internal code resets the response back to normal
which you see that the en dash is not properly rendered because the character
encoding is dropped.
The Servlet Spec does not specify how the report shall look like, it is at the
discretion of the container, you should rely on that at all.
Though, I'd be very greatful if you can isolate the case, I'd really want to fix
this.
Michael
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Re: FW: HttpServletResponse.sendError - missing message in
error page
Posted by Michael Osipov <19...@gmx.net>.
> [...]
> > “It is implied but it could be clearer.”
>
> [...]
>
> I agree that default ErrorReportValve is not something that has to be
> backward compatible as the apps should have provided their own. Yet,
> we were using the default as it was working very well and was covering
> our needs.
>
> Honestly I don’t see the purpose of this change. Here is the changed code:
>
> 7.0.88 > sb.append(smClient.getString("errorReportValve.statusHeader",
> String.valueOf(statusCode), message)).append("</h1>");
>
> 7.0.90 > sb.append(smClient.getString("errorReportValve.statusHeader",
> String.valueOf(statusCode), reason)).append("</h1>");
>
> What is the reason to show ‘reason’ which is technical (like Internal
> Server Error), instead of ‘message’ which is end-user text?
The reasoning behind this is that message was duplicated and users shall
know that status code XXX means. Most people don't know.
> Can you rethink this change and if possible bring the old behavior?
If you are really about proper messages, you should employ a custom
error message change in the look and feel of your application.
The current valve shows you consicely status -- reason phrease, message,
status description and the stacktrace if given.
Michael
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: FW: HttpServletResponse.sendError - missing message in error page
Posted by Emil Alexandroff <em...@gmail.com>.
>
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: 26 юли 2018 г. 19:04
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: HttpServletResponse.sendError - missing message in error page
>
> On 26/07/2018 13:46, Assia Djambazova wrote:
> > Hello,
> >
> > I noticed that when using HttpServletResponse.sendError in Tomcat 7.0.90
> > with string message the message is no longer shown as the response is
> > displayed.
> >
> > I reproduce this with request to simple servlet:
> >
> >
> >
> > * public void doGet(HttpServletRequest request, HttpServletResponse
> > response) throws ServletException, IOException {
> > response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "TEST
> > ERROR MESSAGE"); }*
> >
> > The result in the browser is different:
> >
> > In Tomcat 7.0.90 HTTP Status 500 ? Internal Server Error
>
> That question mark doesn't look right. I don't see it when I test this
> locally.
>
> > In Tomcat 7.0.88 HTTP Status 500 - TEST ERROR MESSAGE
> >
> > I think that this change is the cause [1]
>
> Correct.
>
> > However, this change looks incompatible with servlet spec and breaks our
> > integration tests. It seems to me from the spec [2] that the message should
> > be displayed: *The server defaults to creating the response to look like an
> > HTML-formatted server error page containing the specified message, setting
> > the content type to "text/html"*
>
> This is not a spec compliance issue. The ErrorReportValve is an optional
> component that is not enabled by default.
>
> (And the default settings of the ErrorReportValve) are spec compliant.)
>
> > I use the ErrorReportValve and showReport is set to false.
>
> Set showReport to true.
>
> > Reading [3]
> > doesn't clarify if error message is part of the error report or not and if
> > it should be displayed.
>
> It is implied but it could be clearer.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
Hi Mark,
> “It is implied but it could be clearer.”
Actually at least my logic leans to the other direction. The error
message is something that is provided to the end-users. It is meant to
be internationalized and be user-friendly. And you pass it via
sendError. However, error stack trace shouldn’t be visible and the
logic to hide it with showReport=false is good one. From one hand you
hide unnecessary and confusing info for end-users, plus you lower
security attacking vector to your app. And I can add that till version
7.0.88 it was working like that.
I agree that default ErrorReportValve is not something that has to be
backward compatible as the apps should have provided their own. Yet,
we were using the default as it was working very well and was covering
our needs.
Honestly I don’t see the purpose of this change. Here is the changed code:
7.0.88 > sb.append(smClient.getString("errorReportValve.statusHeader",
String.valueOf(statusCode), message)).append("</h1>");
7.0.90 > sb.append(smClient.getString("errorReportValve.statusHeader",
String.valueOf(statusCode), reason)).append("</h1>");
What is the reason to show ‘reason’ which is technical (like Internal
Server Error), instead of ‘message’ which is end-user text?
Can you rethink this change and if possible bring the old behavior?
Kind Regards,
Emil
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: HttpServletResponse.sendError - missing message in error page
Posted by Mark Thomas <ma...@apache.org>.
On 26/07/2018 13:46, Assia Djambazova wrote:
> Hello,
>
> I noticed that when using HttpServletResponse.sendError in Tomcat 7.0.90
> with string message the message is no longer shown as the response is
> displayed.
>
> I reproduce this with request to simple servlet:
>
>
>
> * public void doGet(HttpServletRequest request, HttpServletResponse
> response) throws ServletException, IOException {
> response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "TEST
> ERROR MESSAGE"); }*
>
> The result in the browser is different:
>
> In Tomcat 7.0.90 HTTP Status 500 ? Internal Server Error
That question mark doesn't look right. I don't see it when I test this
locally.
> In Tomcat 7.0.88 HTTP Status 500 - TEST ERROR MESSAGE
>
> I think that this change is the cause [1]
Correct.
> However, this change looks incompatible with servlet spec and breaks our
> integration tests. It seems to me from the spec [2] that the message should
> be displayed: *The server defaults to creating the response to look like an
> HTML-formatted server error page containing the specified message, setting
> the content type to "text/html"*
This is not a spec compliance issue. The ErrorReportValve is an optional
component that is not enabled by default.
(And the default settings of the ErrorReportValve) are spec compliant.)
> I use the ErrorReportValve and showReport is set to false.
Set showReport to true.
> Reading [3]
> doesn't clarify if error message is part of the error report or not and if
> it should be displayed.
It is implied but it could be clearer.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org