In UrlMappings.groovy, I have set "500"(controller:'error', action:'error') so that my own error controller (and view) is used.
It usually works, however when I tried tampering with the request input (submitting a parameter with 1MB size), I got a Tomcat generated error page with HTTP Status 500.
First I thought this error was only generated by Tomcat so that grails couldn't do anything about it, but the Exception is an org.springframework.web.util.NestedServletException (nested Exception java.lang.StackOverflowError) and there are many org.codehaus.groovy.grails packaged Classes in the stack trace.
I think showing this Exception including stack trace to potential attackers is dangerous, so how can I configure grails to always show my own error page? Or is it only possible to configure that in Tomcat?
It's possible that this is a Grails bug. I found this Nabble thread which directed me to this JIRA issue. That issue was resolved, but in the comments Peter Ledbrook linked to a different JIRA issue that may or may not be your problem.
If that does look like what's happening for you, there's a workaround suggested in the comments, which can be found here. The bug itself is scheduled to be fixed in 1.4; the fix workaround above is targeted for 1.3.
Agreeing with Rob Hruska, having stumbled across most of his links myself.
I, too, suspect that the grails-error-pages-fix plugin ought to fix the issue - as the grailsWebRequest servlet by default doesn't have a <dispatcher>ERROR</dispatcher> assigned in web.xml.
The technique used with this plugin basically does the same as the technique that I'd suggested in a previous post. (Nevertheless, my own testings, as can be seen by my comments there, haven't led to consistent findings yet.)
Finally, one thing that would work at any rate is to implement a custom servlet Filter.
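A sketch of the custom servlet Filter approach mentioned in the answer above, added here as an illustration; it is not code from either answer or from Grails. The class name `GenericErrorPageFilter` and the response text are assumptions, and the filter is assumed to be mapped to `/*` ahead of the Grails filters in web.xml so that it wraps them.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: outermost wrapper that replaces any container-generated
// error page (with its stack trace) by a generic response.
public class GenericErrorPageFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(GenericErrorPageFilter.class.getName());

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } catch (Throwable t) {
            // Catch Throwable, not Exception: the failure in the question is a
            // StackOverflowError (an Error) wrapped in a NestedServletException.
            String ref = UUID.randomUUID().toString();
            // Full details go to the server log only, keyed by a reference id.
            LOG.log(Level.SEVERE, "Unhandled error, ref=" + ref, t);
            if (res.isCommitted()) {
                return; // headers already sent; the response can no longer be replaced
            }
            res.reset(); // discard any partially buffered output and headers
            if (res instanceof HttpServletResponse) {
                ((HttpServletResponse) res)
                        .setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
            res.setContentType("text/plain;charset=UTF-8");
            // The client sees only the reference id, never the exception.
            res.getWriter().write("Internal error. Reference: " + ref);
        }
    }
}
```

Because the exception is swallowed here rather than rethrown, Tomcat never reaches its default error-page rendering for this request; the reference id lets an operator correlate a user report with the logged stack trace.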