Information
Debugging information, such as that found in call stacks, often contains sensitive information that may useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced.
Solution
Perform the following to prevent Tomcat from providing debug information to the requestor during runtime errors:
1. Create a web page that contains the logic or message you wish to invoke when
encountering a runtime error. For example purposes, assume this page is located at
/error.jsp.
2. Add a child element, <error-page>, to the <web-app>element, in the
$CATALINA_HOME/conf/web.xml file.
3. Add a child element, <exception-type>, to the <error-page> element. Set the value of
the <exception-type> element to java.lang.Throwable.
4. Add a child element, <location>, to the <error-page> element. Set the value of the
<location> element to the location of page created in #1.
The resulting entry will look as follows:
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/error.jsp</location>
</error-page>