Starting with Spring Boot 2.3, the default error page no longer contains detailed error information

Overview

- From Spring Boot 2.3, the default error response (error page HTML and error JSON) no longer contains error messages or binding errors. This is a measure to prevent unintended error information from being returned in the response.
- By setting property values, you can control whether error information is output.

Items output to error page HTML and error JSON

The items to be output are described in [DefaultErrorAttributes (Spring Boot 2.3.0.RELEASE API)](https://docs.spring.io/spring-boot/docs/2.3.0.RELEASE/api/org/springframework/boot/web/servlet/error/DefaultErrorAttributes.html) and elsewhere.

- timestamp: Time when the errors were extracted
- status: Status code
- error: Reason for the error
- exception: Root exception class name
- message: Exception message
- errors: Multiple ObjectErrors (binding errors) set in BindingResult
- trace: Exception stack trace
- path: URL path when the exception occurred

Setting properties

Whether each item is output can be controlled by setting server.error.include-message (the message item) and server.error.include-binding-errors (the errors item) in application.properties.

Spring Boot 2.3 Release Notes · spring-projects/spring-boot Wiki · GitHub

Changes to the Default Error Page’s Content
The error message and any binding errors are no longer included in the default error page by default. This reduces the risk of leaking information to a client. server.error.include-message and server.error.include-binding-errors can be used to control the inclusion of the message and binding errors respectively. Supported values are always, on-param, and never.

- server.error.include-message (controls output of the message item)
- server.error.include-binding-errors (controls output of the errors item)
- server.error.include-stacktrace (controls output of the trace item)
- server.error.include-exception (controls output of the exception item)

Error output example

Here are examples of error responses under several setting patterns. The HTML and JSON shown are formatted for readability.

Spring Boot 2.2

With nothing specified in application.properties, Spring Boot 2.2 still outputs message and errors.

JSON

{
  "timestamp": "2020-07-19T06:14:27.622+0000",
  "status": 400,
  "error": "Bad Request",
  "errors": [
    {
      "codes": null,
      "arguments": null,
      "defaultMessage": "Artificially generated foo error",
      "objectName": "fooError",
      "code": null
    },
    {
      "codes": null,
      "arguments": null,
      "defaultMessage": "Artificially generated bar error",
      "objectName": "barError",
      "code": null
    }
  ],
  "message": "Validation failed for object='fooBarData'. Error count: 2",
  "path": "/json"
}

HTML

<html><body>
<h1>Whitelabel Error Page</h1>
<p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p>
<div id='created'>Sun Jul 19 15:14:30 JST 2020</div>
<div>There was an unexpected error (type=Bad Request, status=400).</div>
<div>Validation failed for object=&#39;fooBarData&#39;. Error count: 2</div>
</body></html>

Spring Boot 2.3

With nothing specified in application.properties, detailed error information is not output.

JSON

{
  "timestamp": "2020-07-19T06:13:46.546+00:00",
  "status": 400,
  "error": "Bad Request",
  "message": "",
  "path": "/json"
}

HTML

<html><body>
<h1>Whitelabel Error Page</h1>
<p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p>
<div id='created'>Sun Jul 19 15:13:48 JST 2020</div>
<div>There was an unexpected error (type=Bad Request, status=400).</div>
<div></div>
</body></html>

Spring Boot 2.3 + never / false specified in property settings

With the following specified in application.properties, detailed error information is not output.

server.error.include-message=never
server.error.include-binding-errors=never
server.error.include-stacktrace=never
server.error.include-exception=false

JSON

{
  "timestamp": "2020-07-19T06:13:18.720+00:00",
  "status": 400,
  "error": "Bad Request",
  "message": "",
  "path": "/json"
}

HTML

<html><body>
<h1>Whitelabel Error Page</h1>
<p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p>
<div id='created'>Sun Jul 19 15:13:22 JST 2020</div>
<div>There was an unexpected error (type=Bad Request, status=400).</div>
<div></div>
</body></html>

Spring Boot 2.3 + always / true specified in property settings

With the following specified in application.properties, detailed error information is output.

server.error.include-message=always
server.error.include-binding-errors=always
server.error.include-stacktrace=always
server.error.include-exception=true

JSON

{
  "timestamp": "2020-07-19T06:11:54.165+00:00",
  "status": 400,
  "error": "Bad Request",
  "exception": "org.springframework.validation.BindException",
  "trace": "org.springframework.validation.BindException: org.springframework.validation.BeanPropertyBindingResult: 2 errors\n
            Error in object 'fooError': codes []; arguments []; default message [Artificially generated foo error]\n
            Error in object 'barError': codes []; arguments []; default message [Artificially generated bar error]\n\t
            at example.FooBarRestController.json(FooBarRestController.java:20)
            (Omission)
            java.base/java.lang.Thread.run(Thread.java:832)\n",
  "message": "Validation failed for object='fooBarData'. Error count: 2",
  "errors": [
    {
      "codes": null,
      "arguments": null,
      "defaultMessage": "Artificially generated foo error",
      "objectName": "fooError",
      "code": null
    },
    {
      "codes": null,
      "arguments": null,
      "defaultMessage": "Artificially generated bar error",
      "objectName": "barError",
      "code": null
    }
  ],
  "path": "/json"
}

HTML

<html><body>
<h1>Whitelabel Error Page</h1>
<p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p>
<div id='created'>Sun Jul 19 15:11:48 JST 2020</div>
<div>There was an unexpected error (type=Bad Request, status=400).</div>
<div>Validation failed for object=&#39;fooBarData&#39;. Error count: 2</div>
<div style='white-space:pre-wrap;'>
org.springframework.validation.BindException: org.springframework.validation.BeanPropertyBindingResult: 2 errors
Error in object &#39;fooError&#39;: codes []; arguments []; default message [Artificially generated foo error]
Error in object &#39;barError&#39;: codes []; arguments []; default message [Artificially generated bar error]
	at example.FooBarController.page(FooBarController.java:20)
(Omission)
	at java.base/java.lang.Thread.run(Thread.java:832)
</div>
</body></html>
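
As an added example (not from the original article or from Spring Boot), this Python check reads an application.properties and reports which detail attributes the default error response can expose, and inspects a captured error JSON body for populated detail attributes. It assumes the Spring Boot 2.3 defaults shown above; the function names and sample input are constructed for illustration.

```python
import json

# Property -> (attribute it controls, Spring Boot 2.3 default; assumed here).
CONTROLS = {
    "server.error.include-message": ("message", "never"),
    "server.error.include-binding-errors": ("errors", "never"),
    "server.error.include-stacktrace": ("trace", "never"),
    "server.error.include-exception": ("exception", "false"),
}

# Constructed sample input, not from a real deployment.
SAMPLE = """\
# error settings
server.error.include-message=always
server.error.include-binding-errors=on-param
server.error.include-exception=true
"""

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return {attribute: 'always' | 'on-param'} for attributes that can be exposed."""
    props = parse_properties(text)
    findings = {}
    for prop, (attr, default) in CONTROLS.items():
        # Normalise relaxed-binding spellings such as ON_PARAM.
        value = props.get(prop, default).lower().replace("_", "-")
        if value in ("always", "true"):
            findings[attr] = "always"
        elif value == "on-param":
            findings[attr] = "on-param"
    return findings

def leaked_attributes(body):
    """List detail attributes that are populated in a captured error JSON body."""
    doc = json.loads(body)
    return sorted(k for k, _ in CONTROLS.values() if doc.get(k))

print(audit(SAMPLE))
```

An empty "message" string, as in the Spring Boot 2.3 default response, is not reported as exposed.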

Where error information is constructed in Spring Boot 2.3 source code

The DefaultErrorAttributes class builds error information to be output in JSON or HTML.

spring-boot/DefaultErrorAttributes.java at v2.3.0.RELEASE · spring-projects/spring-boot · GitHub

public Map<String, Object> getErrorAttributes(WebRequest webRequest, boolean includeStackTrace) {
  Map<String, Object> errorAttributes = new LinkedHashMap<>();
  errorAttributes.put("timestamp", new Date());
  addStatus(errorAttributes, webRequest);
  addErrorDetails(errorAttributes, webRequest, includeStackTrace);
  addPath(errorAttributes, webRequest);
  return errorAttributes;
}

The ErrorMvcAutoConfiguration class builds the HTML for the error page.

spring-boot/ErrorMvcAutoConfiguration.java at v2.3.0.RELEASE · spring-projects/spring-boot · GitHub

StringBuilder builder = new StringBuilder();
Date timestamp = (Date) model.get("timestamp");
Object message = model.get("message");
Object trace = model.get("trace");
if (response.getContentType() == null) {
  response.setContentType(getContentType());
}
builder.append("<html><body><h1>Whitelabel Error Page</h1>").append(
    "<p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p>")
    .append("<div id='created'>").append(timestamp).append("</div>")
    .append("<div>There was an unexpected error (type=").append(htmlEscape(model.get("error")))
    .append(", status=").append(htmlEscape(model.get("status"))).append(").</div>");
if (message != null) {
  builder.append("<div>").append(htmlEscape(message)).append("</div>");
}
if (trace != null) {
  builder.append("<div style='white-space:pre-wrap;'>").append(htmlEscape(trace)).append("</div>");
}
builder.append("</body></html>");
