[commandbox-1.1.1+00066] Custom HTTP Status Messages

I’m using CommandBox to serve up an API built with Taffy for development. One of the things we use is custom status text messages in the header. For example, instead of 403 Forbidden we might do 403 security.role.invalid (contrived example, but you get the idea).

Adam has a fix for Tomcat posted on the Taffy.io docs site at http://docs.taffy.io/3.0.0/#Custom-HTTP-Status-Messages

Essentially you add a flag to the catalina.properties file:
org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true

Does anyone know if there is a similar setting for Undertow? Or is it possible to plug a different servlet container into CommandBox? My Google-fu didn’t turn up anything and I’m completely unfamiliar with Undertow as a servlet container.

Thanks
Dan

Since I’m not familiar with Taffy, can you provide a sample of the CFML code that’s not working and what you expect from it?

Thanks!

~Brad

ColdBox Platform Evangelist
Ortus Solutions, Corp

E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com

So in Taffy, I can send a response back with a code and a custom message:

return newRepresentation().noData().withStatus( 403, 'security.role.invalid' );

That should make a response header show up at my browser:
403 security.role.invalid

However, without that Tomcat setting I mentioned being applied, Tomcat returns this response header to the browser:
403 Forbidden

I did a quick test with this code and I can see what you mean:

The HTTP headers of the response come back as:

403 Forbidden

I did a quick Google for Undertow and Wildfly but couldn’t find anything at all. I’ve pinged Denny and I’ll see what he says.

Thanks!

~Brad


Apparently folks should be using sendError instead of setStatus (which is
what cfheader seems to use) as setStatus just takes an int now, vs. an
int and a message, at least in Undertow's implementation.

Main takeaway appears to be "don't use custom status text", or if you
do, be sure you don't expose an XSS hole?

Maybe for Taffy see what happens when you do something like:
getPageContext().getResponse().sendError(code,message);

-Den
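
The following Java example is added here and is not code from this thread, Taffy, CommandBox or Undertow; the class and method names are hypothetical and the sample inputs are constructed. It illustrates the XSS caveat above: by default `sendError(code, message)` produces an HTML error page containing the message, so custom status text is either held to a strict allow-list or HTML-escaped before it reaches the response.

```java
import java.util.regex.Pattern;

// Added example; StatusText and its methods are hypothetical names.
public class StatusText {
    // Conservative allow-list for a machine-readable status token such as
    // "security.role.invalid": no CR/LF (header splitting), no markup characters.
    private static final Pattern TOKEN = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    /** Returns the token unchanged if it is safe for a status line or header. */
    static String requireSafeToken(String text) {
        if (text == null || !TOKEN.matcher(text).matches()) {
            throw new IllegalArgumentException("unsafe status text");
        }
        return text;
    }

    /** Escapes a message before it is written into an HTML error page. */
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one valid token, one with markup, one with CR/LF.
        String[] samples = { "security.role.invalid", "role <b>admin</b>", "ok\r\nX-Extra: 1" };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + requireSafeToken(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected; escaped form: " + htmlEscape(s));
            }
        }
    }
}
```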

So the answer seems to be "no, there's no equivalent".

Suppose tomorrow I'll set up a normal Tomcat instance where I can better control what the servlet container does and run things that way instead of using CommandBox from now on.

Dan

Whatever is clever man. It's been deprecated since 2.1, and everything
modern is targeting the 3.0 spec (still only deprecated, ha!). Relates
to standards, and different things having to work together, etc.
Undertow is really 'bout it 'bout it regarding standards, and generally
has good reasoning for it.

Tomcat isn't exactly a standards-based container, which is fine, just
fine, as being special is what makes things special. Out of curiosity,
why not set the body content? Did those arguments against setting
different status texts not sway you? I'll toss another angle for it out
here:

but note that I'm just wondering really, w/slight lean towards the body.

FWIW, it's pretty easy to add a ResponseWrapper that might or might not
be able to do what you want. I dig options, and we've got *mad* control
of this baby. Feel free to file a ticket, or better yet a bounty-- I
tossed that info out there in case you were concerned about your code
running anywhere, but if this is one more reason for someone to use
CommandBox, adding an option seems fine to me (he says, as he burns in
standards hell... and gets wings in pragmatic heaven! ;]).

-Den

It's mostly a case of "we didn't know any better when we started this thing" and we're too far down the rabbit hole with a bunch of work in front of us to go back and change it all right now. Maybe at some point we'll get the chance to do that but you know how those wishes usually go.

FWIW, I tried

getPageContext().getResponse().sendError(403,'Brad Wood')

but it still didn’t work.

Thanks!

~Brad
