Discussion:
HttpServletResponse.sendError - missing message in error page
Assia Djambazova
2018-07-26 11:46:27 UTC
Hello,

I noticed that when using HttpServletResponse.sendError in Tomcat 7.0.90
with string message the message is no longer shown as the response is
displayed.

I reproduce this with request to simple servlet:



    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "TEST ERROR MESSAGE");
    }

The result in the browser is different:

In Tomcat 7.0.90 HTTP Status 500 ? Internal Server Error

In Tomcat 7.0.88 HTTP Status 500 - TEST ERROR MESSAGE

I think that this change is the cause [1]

However, this change looks incompatible with servlet spec and breaks our
integration tests. It seems to me from the spec [2] that the message should
be displayed: *The server defaults to creating the response to look like an
HTML-formatted server error page containing the specified message, setting
the content type to "text/html"*

I use the ErrorReportValve and showReport is set to false. Reading [3]
doesn't clarify if error message is part of the error report or not and if
it should be displayed.

Thanks,
Assia


[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60490
[2]
https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletResponse.html#sendError-int-java.lang.String-
[3]
https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Error_Report_Valve
Michael Osipov
2018-07-26 12:32:52 UTC
Post by Assia Djambazova
Hello,
I noticed that when using HttpServletResponse.sendError in Tomcat 7.0.90
with string message the message is no longer shown as the response is
displayed.
* public void doGet(HttpServletRequest request, HttpServletResponse
response) throws ServletException, IOException {
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "TEST
ERROR MESSAGE"); }*
In Tomcat 7.0.90 HTTP Status 500 ? Internal Server Error
In Tomcat 7.0.88 HTTP Status 500 - TEST ERROR MESSAGE
I think that this change is the cause [1]
However, this change looks incompatible with servlet spec and breaks our
integration tests. It seems to me from the spec [2] that the message should
be displayed: *The server defaults to creating the response to look like an
HTML-formatted server error page containing the specified message, setting
the content type to "text/html"*
I use the ErrorReportValve and showReport is set to false. Reading [3]
doesn't clarify if error message is part of the error report or not and if
it should be displayed.
Thanks,
Assia
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60490
[2]
https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletResponse.html#sendError-int-java.lang.String-
[3]
https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Error_Report_Valve
I wrote the new code and I do think that this change just triggered this bug in Tomcat.
Frankly, I see the same error here in production for quite some time, but wasn't
able to fully isolate the issue to a simple test case. Can you?

What you see is that some Tomcat-internal code resets the response back to normal
which you see that the en dash is not properly rendered because the character
encoding is dropped.

The Servlet Spec does not specify how the report shall look like, it is at the
discretion of the container, you should rely on that at all.

Though, I'd be very grateful if you can isolate the case, I'd really want to fix
this.

Michael

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Mark Thomas
2018-07-26 16:04:17 UTC
Post by Assia Djambazova
Hello,
I noticed that when using HttpServletResponse.sendError in Tomcat 7.0.90
with string message the message is no longer shown as the response is
displayed.
* public void doGet(HttpServletRequest request, HttpServletResponse
response) throws ServletException, IOException {
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "TEST
ERROR MESSAGE"); }*
In Tomcat 7.0.90 HTTP Status 500 ? Internal Server Error
That question mark doesn't look right. I don't see it when I test this
locally.
Post by Assia Djambazova
In Tomcat 7.0.88 HTTP Status 500 - TEST ERROR MESSAGE
I think that this change is the cause [1]
Correct.
Post by Assia Djambazova
However, this change looks incompatible with servlet spec and breaks our
integration tests. It seems to me from the spec [2] that the message should
be displayed: *The server defaults to creating the response to look like an
HTML-formatted server error page containing the specified message, setting
the content type to "text/html"*
This is not a spec compliance issue. The ErrorReportValve is an optional
component that is not enabled by default.

(And the default settings of the ErrorReportValve are spec compliant.)
Post by Assia Djambazova
I use the ErrorReportValve and showReport is set to false.
Set showReport to true.
Post by Assia Djambazova
Reading [3]
doesn't clarify if error message is part of the error report or not and if
it should be displayed.
It is implied but it could be clearer.

Mark

Emil Alexandroff
2018-07-27 10:35:31 UTC
-----Original Message-----
Sent: 26 July 2018 19:04
Subject: Re: HttpServletResponse.sendError - missing message in error page
Post by Assia Djambazova
Hello,
I noticed that when using HttpServletResponse.sendError in Tomcat 7.0.90
with string message the message is no longer shown as the response is
displayed.
* public void doGet(HttpServletRequest request, HttpServletResponse
response) throws ServletException, IOException {
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "TEST
ERROR MESSAGE"); }*
In Tomcat 7.0.90 HTTP Status 500 ? Internal Server Error
That question mark doesn't look right. I don't see it when I test this
locally.
Post by Assia Djambazova
In Tomcat 7.0.88 HTTP Status 500 - TEST ERROR MESSAGE
I think that this change is the cause [1]
Correct.
Post by Assia Djambazova
However, this change looks incompatible with servlet spec and breaks our
integration tests. It seems to me from the spec [2] that the message should
be displayed: *The server defaults to creating the response to look like an
HTML-formatted server error page containing the specified message, setting
the content type to "text/html"*
This is not a spec compliance issue. The ErrorReportValve is an optional
component that is not enabled by default.
(And the default settings of the ErrorReportValve are spec compliant.)
Post by Assia Djambazova
I use the ErrorReportValve and showReport is set to false.
Set showReport to true.
Post by Assia Djambazova
Reading [3]
doesn't clarify if error message is part of the error report or not and if
it should be displayed.
It is implied but it could be clearer.
Mark
---------------------------------------------------------------------
Hi Mark,
“It is implied but it could be clearer.”
Actually at least my logic leans to the other direction. The error
message is something that is provided to the end-users. It is meant to
be internationalized and be user-friendly. And you pass it via
sendError. However, error stack trace shouldn’t be visible and the
logic to hide it with showReport=false is a good one. On the one hand you
hide unnecessary and confusing info for end-users, plus you lower
security attacking vector to your app. And I can add that till version
7.0.88 it was working like that.

I agree that default ErrorReportValve is not something that has to be
backward compatible as the apps should have provided their own. Yet,
we were using the default as it was working very well and was covering
our needs.

Honestly I don’t see the purpose of this change. Here is the changed code:

7.0.88 > sb.append(smClient.getString("errorReportValve.statusHeader",
String.valueOf(statusCode), message)).append("</h1>");

7.0.90 > sb.append(smClient.getString("errorReportValve.statusHeader",
String.valueOf(statusCode), reason)).append("</h1>");

What is the reason to show ‘reason’ which is technical (like Internal
Server Error), instead of ‘message’ which is end-user text?

Can you rethink this change and if possible bring the old behavior?

Kind Regards,
Emil

Michael Osipov
2018-07-30 08:19:16 UTC
Post by Emil Alexandroff
[...]
“It is implied but it could be clearer.”
[...]
I agree that default ErrorReportValve is not something that has to be
backward compatible as the apps should have provided their own. Yet,
we were using the default as it was working very well and was covering
our needs.
7.0.88 > sb.append(smClient.getString("errorReportValve.statusHeader",
String.valueOf(statusCode), message)).append("</h1>");
7.0.90 > sb.append(smClient.getString("errorReportValve.statusHeader",
String.valueOf(statusCode), reason)).append("</h1>");
What is the reason to show ‘reason’ which is technical (like Internal
Server Error), instead of ‘message’ which is end-user text?
The reasoning behind this is that message was duplicated and users shall
know what status code XXX means. Most people don't know.
Post by Emil Alexandroff
Can you rethink this change and if possible bring the old behavior?
If you are really about proper messages, you should employ a custom
error message change in the look and feel of your application.

The current valve shows you concisely status -- reason phrase, message,
status description and the stacktrace if given.

Michael
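
A custom error page of the kind suggested in the reply above, as an added example that is not part of the thread and not Tomcat's own code: a servlet mapped through web.xml that shows the sendError message, HTML-escaped, and never the stack trace. The class name ErrorPageServlet, the /error location and the generic fallback text are assumptions made for this sketch.

```java
// Added example, not Tomcat code. Assumed web.xml mapping (hypothetical path /error):
//   <error-page><error-code>500</error-code><location>/error</location></error-page>
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class ErrorPageServlet extends HttpServlet {
    // service() rather than doGet(): the error dispatch keeps the original HTTP method.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Integer status = (Integer) req.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
        if (status == null) {               // requested directly, not an error dispatch
            resp.setStatus(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        Object message = req.getAttribute(RequestDispatcher.ERROR_MESSAGE);
        Object thrown = req.getAttribute(RequestDispatcher.ERROR_EXCEPTION);
        // Show the text only when it came from sendError(); if an exception caused the
        // dispatch, the message may be internal exception text, so use a generic line.
        String text = (thrown == null && message != null)
                ? message.toString() : "The request could not be completed.";
        resp.setContentType("text/html");
        resp.setCharacterEncoding("UTF-8"); // explicit charset for the response body
        PrintWriter out = resp.getWriter();
        out.println("<!DOCTYPE html><html><head><title>Error</title></head><body>");
        out.println("<h1>HTTP Status " + status + " - " + escapeHtml(text) + "</h1>");
        out.println("</body></html>");      // no stack trace, no server version
    }

    // Minimal HTML escaping: the message can contain request-derived data.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

With a page like this mapped, integration tests can assert on the application's own markup rather than on the container's default report, which the thread notes is at the container's discretion.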
