Disable all default HTTP error response content in Tomcat

Question

By default, Tomcat sends some HTML content back to the client if it encounters something like an HTTP 404. I know that via web.xml an

Answer 1

If you do not want tomcat to show an error page, then do not use sendError(...). Instead use setStatus(...).

e.g. if you want to give a 405 response, then you do

response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);      
response.getWriter().println("The method " + request.getMethod() + 
   " is not supported by this service.");

Also remember not to throw any Exceptions from your servlet. Instead catch the Exception and, again, set the statusCode your self.

i.e.

protected void service(HttpServletRequest request,
      HttpServletResponse response) throws IOException {
  try {

    // servlet code here, e.g. super.service(request, response);

  } catch (Exception e) {
    // log the error with a timestamp, show the timestamp to the user
    long now = System.currentTimeMillis();
    log("Exception " + now, e);
    response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    response.getWriter().println("Guru meditation: " + now);
  }
}

of course, if you do not want any content, then just don't write anything to the writer, just set the status.

Answer 2

Though this question is a bit old, I ran into this problem too. First of all, Tomcat's behavior is absolutely correct. This is per Servlet Spec. One should not alter Tomcat's behavior against the spec. As Heikki Vesalainen and mrCoder mentioned, use setStatus and setStatus only.

To whom it may concern, I have raised a ticket with Tomcat to improve the docs of sendError.

Answer 3

Although it's Servlet spec compliant, for security reasons I don't want tomcat or any other Servlet container to send error details. I struggled with this as well a bit. After searching and trying, the solution can be summed up as:

1. as others mentioned, don't use sendError(), use setStatus() instead
2. frameworks like e.g. Spring Security use sendError() though...
3. write a Filter that
   a. redirects calls to sendError() to setStatus()
   b. flushes the response at the end to prevent the container from further modifying the response

A little example servlet filter doing this can be found here.

Answer 4

Why not just configure the <error-page> element with an empty HTML page?

Answer 5

Configure <error-page> Elements in web.xml

Edit $CATALINA_HOME/conf/web.xml, add at the end the following <error-page>, save and restart tomcat

<web-app>

...
...
...

    <error-page>
        <error-code>404</error-code>
        <location>/404.html</location>
    </error-page>

    <error-page>
        <error-code>500</error-code>
        <location>/500.html</location>
    </error-page>

    <error-page>
        <error-code>400</error-code>
        <location>/400.html</location>
    </error-page>

</web-app>

• It works great as I expect even though I didn't actually created a valid routes for those specified location values (e.g. /400.html)

---

before

after

Answer 6

Although this doesn't respond exactly to the "not send anything" statement on the question, and on the wave of Clive Evans' answer, I found out that in tomcat you can make those too much verbose texts go away from error pages without creating a custom ErrorReportValve.

You can accomplish to this customizing ErrorReportValve through the 2 params "showReport" and "showServerInfo" on your "server.xml":

<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />

Link to official documentation.

Worked for me on tomcat 7.0.55, didn't work for me on tomcat 7.0.47 (I think because of something reported on the following link http://www.mail-archive.com/users@tomcat.apache.org/msg113856.html)