Currently, whenever we get some kind of internal server error, a default JBoss 500 page will be shown to the user, which includes a full stack trace.
This can be considered a security vulnerability by some since it leaks implementation details about what went wrong.
It would be better if instead the user would be landed on a customer page informing him/her that an internal error occurred, and pointing him to administrator of the EJBCA instance.
After doing some searching around, it seems that the common practice to do away with this is to define customer error pages in web.xml (search for error-page tag).
We could also have some other custom pages for errors, like 400, 404 etc. If I understood it right, the only small issue might be the error pages and settings would need to be present in every single war/web.xml. But build script could take care of deduplication somehow.
As an additional feature, perhaps this behaviour could be configurable (for printing stack traces) - we already have an option in web.properties for this that could be reused/propagated for these custom error pages.