How to avoid users getting 500 Errors when server throw exception - security

I get the following errors in my server log.
2012-03-06 09:20:43 HTTP JVM: CLFAD0211E: Exception thrown. For more detailed information, please consult error-log-0.xml located in D:/Lotus/Domino/data/domino/workspace/logs
2012-03-06 09:20:43 HTTP JVM: CLFAD0229E: Security exception occurred servicing request for: /demo.nsf/home.xsp - HTTP Code: 500. For more detailed information, please consult error-log-0.xml located in D:/Lotus/Domino/data/domino/workspace/logs
The user only sees this in the webbrowser (source)
<html>
<head>
<title>Error</title></head>
<body text="#000000">
<h1>Error 500</h1>HTTP Web Server: Command Not Handled Exception</body>
</html>
So I can tell by the server log that there is a security exception thrown at the server, probably because I have wrong settings in my java.policy file. but my issue is not what is causing the error, but rather how can I avoid users getting these ugly 500 errors.
I would like the error page I have set in the application to be presented to the user just like any other exception.
possible?

The more try/catch blocks you have in your code, the better (within reason, of course):
try {
// code that might throw an error
} catch (e) {
// examine the error to see if there's a workaround
// if not, log it and inform the user
} finally {
// any code that needs to run whether or not there was an error
}
This way if something fails, it fails gracefully. Just be sure to make it obvious to the user that something went wrong (and, preferably, provide them instructions they can actually follow up on)... failing silently is even worse than an ugly error page if something went wrong and the user thinks everything was fine.
P.S. As Stephan indicates, there are some errors that simply can't be caught. If the XPage wasn't signed by someone with access to run XPages, for instance, it never even gets to the point of trying to run your code... the page itself is invalid, so there's nothing you can do at runtime. Always make sure that your XPages are signed during deployment.

There are a number of errors that "break through" even if you have an error page defined. E.g. when you drag a control onto itself. Security seems another area. All of them are stuff you should handle in development. I haven't seen errors that "typically" happen (true runtime after development completed and tested type of errors) escaping a custom error page. Other than that follow Declan's advice.

I had an issue like this also where my error page was not being displayed and the error 500 page would display instead.
What I discovered is that there was a problem in my error page also and the renderer therefore can't display the error for the original page and you get the server default error page instead.
The best way to check if this is the cause of your particular issue is to start with a simple error page, no theme, no ssjs libraries, no ssjs code on the page etc, just a blank xpage with some static text to indicate that it is the error page.
Once you can confirm that this is the possible cause of the error 500 then you can start building up that error page and add in the dynamic stuff bit by bit till it is the way you need it.

Dmytro Pastovenskyi has a good article http://dpastov.blogspot.com/2012/01/error-pages-in-domino.html about error pages in Domino.
To be on the safe side I have a static html page saying "An error occured". This page is referenced by the HTTPMultiErrorPage setting in the notes.ini on your server.
Then there is a "HTTP response headers" rule addressing special error codes.
The main problem still is, that these are global settings. So there is no easy way to catch all errors specially for your application. But a least the user don't get this annoying white error page.

I have had similar issues with this. Error messages bubbling up from some underlying fault that overrides the defined error page for the application. This is not a nice behavior (from a user perspective) and makes you feel a bit naked. I do understand that it's hard for the application to trap those - but there should at least be a way to customize that message - The default error 500 page is not very useful for a normal user anyway...
The only(?) way to try to avoid that your code throws such error (ssjs/java) is to (as Tim Tripcony already mentioned) always use try/catch statements around the code (as you already know :))
getDocumentByUNID() is a "good" example of a method that will cause the ugly (but standard) error 500 page to be displayed instead of the defined one in the app.
As for any other error types (system/security and such) - I don't think it's possible to redirect those to the (by the user) invoked applications error page because they are not invoked from the application but rather before the application is invoked (I hope I'm wrong).

Make a new XPage called error.xsp (for example). Put there some basic info that something went wrong, apologize for that fact and provide few links how to continue with the work (even though his/her data may be lost forever - history.go(-1) usually does not resolve the problem). In the background you can log the error (usage of OpenLog recommended).
Open Application Properties, XPages tab. Uncheck Display XPages runtime error page. In the combo Error page select your page (error).

Related

error 500 http web server: command not handled exception

I think this topic a lot of ppl post it already. I also look for lot of thread in stack overflow and some ibm page. They do give some comment of how to solve this problem. But i still facing the same problem, it still give this error.
Case start :
Actually one of my customer, they have facing this error during running on webpages and also notes ~
error 500 http web server: command not handled exception
Action taken but not solve:
The user id signing/creating the XPages allowed to run XPages in the
server document?
Do project clean, build automatically on designer
Do testing on creating new xpages page with simple lable " hello world" , this one can run successfully only.
Try to reload the http server by
tell http quit
load http
After do this the problem still same give the same error. May i know got any other way to solve it?
"Unresolved compilation errors: java.lang.String" points to a failed install as here. A class in java.lang or java.util should always be resolved. Ensure all services and any processes for Notes / Domino are stopped before the relevant install, jar files can get locked once used. Xpages can't load, Error 500; java.util cannot be resolved
Switch on "Display XPage runtime error page" in application's XSP Properties then you'll see a detailed error message which probably will lead you to the issue:
I frequently get this error when there is a mismatch/problem with access rights or the user login has expired and the app/database doesn't redirect to the login page. I suggest you double check the security basics first. (Might also explain why the app works locally, but not on the server).

Getting 409 error on form submit

So am getting a 409 Conflict with Failed to load resource error. Happens when i click on a form submit of a generic Java web application.
On click of the button there is no application log shows up, just the following error shows up and the process ends. This log is from browser console.
What are the possibilities for such an issue? Any help/suggestion will be really helpful.Help on internet was not much helpful.
Interestingly this is very intermediate i.e. it happens for a device and the next time you won't see it, comes back from grave again in few hrs or so.
Let me start by saying that I have not received this error, but based on your problem statement, it seems you could be having trouble with a file lock on your server. If you are attempting to call a resource that is loaded in another tool like an IDE, then it is possible the file is locked and the server is raising this error.
You may only receive this error if your server is in development mode vs production mode. Production mode will cache the file and not result in a conflict.
Here is a link that partially explains the problem.
HTTP Error 409 Conflict
Hope this helps!!

Sharepoint 2010 sends error 404 once per user after deployment or application pool restart

We have a big SharePoint-Project we installed on different servers. Whenever we deploy any feature/webpart the first access of ANY page (including Backend Pages like "ManageFeatures.aspx") throws a 404 Error.
This happens once for every user
I included a httphandler (IHttpModule) to catch those errors to get more information. In that handler I found out that while this error is thrown SPContext.Current is null.
When I call that page a second time the 404 is gone and the page is shown correctly. This is not a sporadic error but happens every time we deploy something.
Any clue what causes this behavior and how to avoid this?
(We got the error on all of our 10 machines)
Try to represent this error with default master-page.

Spring Security - Weird errors

All,
I am trying to add Spring Security(3.0.7) to my web application(Spring 3.0.6, Tiles 2.2). The default <form-login/> works as expected, but I can't create a custom one that does. Some issues encountered:
Every time a user clicks on the login link, the login page gets called twice
The UserDetailsService throws an Exception if the user doesn't exist, but the exception never gets picked up anywhere and used. This causes the <form-login/> to reroute to the login-page instead of the authentication-failure-url
I never see error messages when logging in with a bad username (This may be due to the previous issue mentioned above)
After a successful login, sometimes it will open to the correct page, other times it will randomly open up a javascript file that was being referenced inside the page.
I've followed all the tutorials out there and cannot come up with anything working. Does anyone happen to know the class responsible for creating the default login? Perhaps I can look at the source code and mimic what they have.
Has anyone experienced weird behavior like this?
I figured out 2 of my issues. I'm posting them in case anyone else has the same thing happen.
For #1/#4: The site was using tiles, and a default html header block was used throughout the site.
<html>
<head>
<script src="foo.js" type="text/javascript">
</head>
The configuration explicilty blocked this javascript file for users who were not logged in.
<intercept-url pattern="foo.js" access="isAuthenticated()"/>
So when a user came to the home page, the site would load except for foo.js. Since the methods in foo.js never get called before logging in, everything seemed to work fine.
However when someone tried to log in, Spring Security saw foo.js as the first protected page to show, and automatically opened it up.
This also caused the login page to be called twice. Once for the actual login link, and once for the foo.js file.

IIS 7 500 Error Handling situation

I am on IIS 7 with a Classic ASP application using Server.GetLastError() and i added this script that writes the error details to a database as a custom '500.100' error in IIS to execute this URL. So far it's been working on most situations when there is an error in the application. However, I am noticing in the IIS log that many people are getting ASP_0147 | Internal Server Error with a 500 error and no further explanation.
I am trying to catch this error showing up in the IIS Log using the method explained above, however, these errors are not being caught (written to database) using the application i made, whereas other types of errors are being caught, but the only errors that are being caught using the script/database i made, already show up with the entire error details in the IIS log.
So the question is, how can i catch the errors still happening in the IIS Log in the database using custom errors? because the method i'm using obviously isn't catching all the errors that show in the IIS Log, only the ones with an explanation being displayed in the log. Or, if I change the Error 'Feature Settings' to 'Detailed Errors' (because now its set on, Detailed only for Local Requests) will it show up in the IIS log, etc? Why am i only seeing 500 error in the IIS Log on certain things, but not on others? Thanks.
This could be an application stall.
If the server gets a lot of requests on the same time, causing the server to "get busy", it stalls some of the requests and possibly denying them. This could give a false-positive 500 error with the error-description (0x0).

Resources