Closed raffomania closed 5 years ago
You can just catch the exception thrown by the handler, then return a static error response:
(defn wrap-hide-exceptions [handler error-response]
(fn [request]
(try (handler request)
(catch Exception _ error-response))))
Cool, I'd suggest two things -
lein-ring
has the :stacktraces?
option to do this, would it make sense to set this to false
when LEIN_NO_DEV
is set?I'm suggesting this because I was very surprised when seeing this in my live app, and think it's very reasonable to disable this as soon as some indication of a production environment is present.
Also, with your proposed solution, I would have to re-implement error logging - not optimal...
Also, with your proposed solution, I would have to re-implement error logging - not optimal...
You can combine it with ring.middleware.stacktrace/wrap-stacktrace-log
.
I might create a separate "ring-errors" or "ring-production" library to collect useful middleware functions like this, which in turn can be included in ring-defaults. However, this not currently a high priority for me.
Another option is to use a more complete web framework, which may have functions like this built in. Duct, for example, handles this for you. Ring is a lower level abstraction layer, which means you have typically have to do a little more leg work.
You can combine it with ring.middleware.stacktrace/wrap-stacktrace-log.
Thanks, that's a good tip.
Ring is a lower level abstraction layer
I think it's important to distinguish between "added security features" and "included insecure features". I would argue that it makes sense for a lower level abstraction layer to remove a feature that is clearly problematic in lots of use-cases, making the software simpler. I'm actually kind of surprised - did no one else bring this up yet?
Also, is this behavior a part of ring or a part of jetty? I didn't find any reference of it in the docs.
I would argue that it makes sense for a lower level abstraction layer to remove a feature that is clearly problematic in lots of use-cases, making the software simpler.
What you're seeing probably isn't a feature in Ring, unless you've added wrap-stacktrace
to your middleware stack. You're likely seeing Jetty's default response to an unhandled exception.
Alright, I should probably read into jetty deployment. Thanks for the patience and quick explanations!
I'm running my application using the jetty adapter, as described in the docs. However, I can't find any option to disable stacktrace printing in responses! This is unfortunate as jetty is now showing my db password to everybody when I have an error in my jdbc dbspec.