9

I am running a Tomcat on AWS. The problem is that when a request crashes with an exception, Tomcat not only sends the 503, but also sends the exception's stack trace in HTML. This exposes my source code to a viewer who doesn't need to see it.

How do I disable this?

Dave M
f.khantsis

1 Answer

13

The error page is generated by a simple error handler, the Error Report Valve. You can hide stack traces (showReport) as well as the server info by adding these lines to your server.xml's Host section:

```xml
<Valve className="org.apache.catalina.valves.ErrorReportValve"
    showReport="false"
    showServerInfo="false" />
```

Another solution is to use custom, user-friendly error pages for every HTTP error code:

```xml
<error-page>
    <error-code>500</error-code>
    <location>/error500.jsp</location>
</error-page>
```

as well as for every different Throwable:

```xml
<error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/error-Exception.jsp</location>
</error-page>

<error-page>
    <exception-type>java.sql.SQLException</exception-type>
    <location>/error-SQLException.jsp</location>
</error-page>
```
StackzOfZtuff
Esa Jokinen
  • I looked through server.xml, but it has no ErrorReportValve. Is this valve added implicitly, and do I need to explicitly set it to not showReport? – f.khantsis Mar 23 '17 at 16:49
  • 2
    `server.xml` doesn't initially include all the possible executors, connectors, containers, components, elements and their possible combinations from the [Tomcat Config Reference](https://tomcat.apache.org/tomcat-7.0-doc/config/). – Esa Jokinen Mar 24 '17 at 08:33