Posted to bridges-dev@portals.apache.org by "Joachim Müller (JIRA)" <br...@portals.apache.org> on 2008/09/22 12:10:44 UTC

[jira] Created: (PB-86) Configure StrutsPortlet error output (disable stack trace for security reason)

Configure StrutsPortlet error output (disable stack trace for security reason)
------------------------------------------------------------------------------

                 Key: PB-86
                 URL: https://issues.apache.org/jira/browse/PB-86
             Project: Portals Bridges
          Issue Type: Improvement
          Components: struts
    Affects Versions: 1.0.3, 1.0.4
            Reporter: Joachim Müller
             Fix For: 1.0.3, 1.0.4
         Attachments: patch_PB-86.diff

Currently the StrutsPortlet always renders the full stack trace into the portlet when an error occurs. This may be critical concerning security issues.
With the supplied patch the error message can be loaded via resource bundle (per portlet). The message can contain placeholders which will be replaced by specific error data.

Example:
- specify portlet resources in portlet xml:
   <resource-bundle>JPetstorePortletResources</resource-bundle>
- specify error message inside bundle:

<code>
# Message to be rendered in HTML when unhandled ERROR in StrutsPortlet occurred (exception).
# {ErrorCode} = will be replaced by StrutsPortletErrorContext.getErrorCode (blank if not set)
# {ErrorMessage} = will be replaced by StrutsPortletErrorContext.getErrorMessage (blank if not set)
# {Exception.Message} = will be replaced by StrutsPortletErrorContext.getError.getMessage -> e.g. when ServletException (blank if not set)
# {Exception.Class.Name} = will be replaced by StrutsPortletErrorContext.getError.getClass.getName -> e.g. when ServletException (blank if not set)
# {Exception.StackTrace} = will be replaced by StrutsPortletErrorContext.getError.getStackTrace -> e.g. when ServletException (blank if not set)
# former default in code:
strutsportlet.error.output=<hr/><h2>Error</h2><table border='1'><tr><td valign='top'><b>Error Code</b></td><td>{ErrorCode}</td></tr><tr><td valign='top'><b>Error Message</b></td><td>{ErrorMessage}</td></tr><tr><td valign='top'><b>Error</b></td><td>{Exception.Message}</td></tr><tr><td valign='top'><b>Error Type</b></td><td>{Exception.Class.Name}</td></tr><tr><td valign='top'><b>Stacktrace</b></td><td>{Exception.StackTrace}</td></tr></table>
</code>

If no bundle or message is specified, the patch reduces the default output to "Error" without rendering specific error data (stack trace ...).
CAUTION: The bundle is only supplied for the JPETSTORE Portlet. All other Struts portlets output only "Error" when rendering an error. This behavior can be changed in the StrutsPortlet.java (commented).

The default configuration in the bundle supplied is to output the error information as it was before.




-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: bridges-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: bridges-dev-help@portals.apache.org
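
The placeholder mechanism described in the message above, sketched as an added example (not the code in patch_PB-86.diff and not Portals Bridges code). The class ErrorOutputSketch, its methods and the sample template are hypothetical, and HTML-escaping of substituted values is an assumption of this sketch, not something the issue states about the patch.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.ListResourceBundle;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration: ErrorOutputSketch is hypothetical, not the code in patch_PB-86.diff.
public class ErrorOutputSketch {
    static final String KEY = "strutsportlet.error.output";   // bundle key named in the issue
    static final Pattern PLACEHOLDER = Pattern.compile("\\{([A-Za-z.]+)\\}");

    // HTML-escape substituted values so exception text cannot inject markup; null becomes blank.
    static String esc(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    static String render(ResourceBundle bundle, String code, String msg, Throwable err) {
        // No bundle or no message configured: generic text only, as the issue describes.
        if (bundle == null || !bundle.containsKey(KEY)) return "Error";
        Map<String, String> v = new HashMap<>();
        v.put("ErrorCode", esc(code));
        v.put("ErrorMessage", esc(msg));
        if (err != null) {
            StringWriter trace = new StringWriter();
            err.printStackTrace(new PrintWriter(trace, true));
            v.put("Exception.Message", esc(err.getMessage()));
            v.put("Exception.Class.Name", esc(err.getClass().getName()));
            v.put("Exception.StackTrace", esc(trace.toString()));
        }
        // Single pass over the template, so substituted values are never re-scanned.
        Matcher m = PLACEHOLDER.matcher(bundle.getString(KEY));
        StringBuffer out = new StringBuffer();
        while (m.find()) m.appendReplacement(out, Matcher.quoteReplacement(v.getOrDefault(m.group(1), "")));
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed template that omits the exception class, message and stack trace.
        ResourceBundle hardened = new ListResourceBundle() {
            protected Object[][] getContents() {
                return new Object[][] {{KEY, "<p>Error {ErrorCode}: {ErrorMessage}</p>"}};
            }
        };
        Throwable t = new IllegalStateException("constructed sample failure");
        System.out.println(render(hardened, "500", "bad <b>input</b>", t));
        System.out.println(render(null, "500", "bad <b>input</b>", t));
    }
}
```

A template that leaves out {Exception.StackTrace}, {Exception.Class.Name} and {Exception.Message} keeps those details out of the rendered portlet regardless of what the error context holds.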


[jira] Updated: (PB-86) Configure StrutsPortlet error output (disable stack trace for security reason)

Posted by "Joachim Müller (JIRA)" <br...@portals.apache.org>.
     [ https://issues.apache.org/jira/browse/PB-86?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joachim Müller updated PB-86:
-----------------------------

    Attachment: patch_PB-86.diff

> Configure StrutsPortlet error output (disable stack trace for security reason)
> ------------------------------------------------------------------------------
>
>                 Key: PB-86
>                 URL: https://issues.apache.org/jira/browse/PB-86
>             Project: Portals Bridges
>          Issue Type: Improvement
>          Components: struts
>    Affects Versions: 1.0.3, 1.0.4
>            Reporter: Joachim Müller
>             Fix For: 1.0.3, 1.0.4
>
>         Attachments: patch_PB-86.diff


[jira] Updated: (PB-86) Configure StrutsPortlet error output (disable stack trace for security reason)

Posted by "Ate Douma (JIRA)" <br...@portals.apache.org>.
     [ https://issues.apache.org/jira/browse/PB-86?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ate Douma updated PB-86:
------------------------

    Fix Version/s:     (was: 1.0.4)
                       (was: 1.0.3)
                   1.0.5

> Configure StrutsPortlet error output (disable stack trace for security reason)
> ------------------------------------------------------------------------------
>
>                 Key: PB-86
>                 URL: https://issues.apache.org/jira/browse/PB-86
>             Project: Portals Bridges
>          Issue Type: Improvement
>          Components: struts
>    Affects Versions: 1.0.3, 1.0.4
>            Reporter: Joachim Müller
>            Assignee: Ate Douma
>             Fix For: 1.0.5
>
>         Attachments: patch_PB-86.diff


[jira] Assigned: (PB-86) Configure StrutsPortlet error output (disable stack trace for security reason)

Posted by "Ate Douma (JIRA)" <br...@portals.apache.org>.
     [ https://issues.apache.org/jira/browse/PB-86?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ate Douma reassigned PB-86:
---------------------------

    Assignee: Ate Douma

> Configure StrutsPortlet error output (disable stack trace for security reason)
> ------------------------------------------------------------------------------
>
>                 Key: PB-86
>                 URL: https://issues.apache.org/jira/browse/PB-86
>             Project: Portals Bridges
>          Issue Type: Improvement
>          Components: struts
>    Affects Versions: 1.0.3, 1.0.4
>            Reporter: Joachim Müller
>            Assignee: Ate Douma
>             Fix For: 1.0.3, 1.0.4
>
>         Attachments: patch_PB-86.diff