Posted to bridges-dev@portals.apache.org by "Joachim Müller (JIRA)" <br...@portals.apache.org> on 2008/09/22 12:10:44 UTC

[jira] Updated: (PB-86) Configure StrutsPortlet error output (disable stack trace for security reason)

     [ https://issues.apache.org/jira/browse/PB-86?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joachim Müller updated PB-86:
-----------------------------

    Attachment: patch_PB-86.diff

> Configure StrutsPortlet error output (disable stack trace for security reason)
> ------------------------------------------------------------------------------
>
>                 Key: PB-86
>                 URL: https://issues.apache.org/jira/browse/PB-86
>             Project: Portals Bridges
>          Issue Type: Improvement
>          Components: struts
>    Affects Versions: 1.0.3, 1.0.4
>            Reporter: Joachim Müller
>             Fix For: 1.0.3, 1.0.4
>
>         Attachments: patch_PB-86.diff
>
>
> Currently the StrutsPortlet always renders the full stack trace into the portlet when an error occurs. This may be critical concerning security issues.
> With the supplied patch the error message can be loaded via resource bundle (per portlet). The message can contain placeholders which will be replaced by specific error data.
> Example:
> - specify portlet resources in portlet xml:
>    <resource-bundle>JPetstorePortletResources</resource-bundle>
> - specify error message inside bundle:
> <code>
> # Message to be rendered in HTML when unhandled ERROR in StrutsPortlet occurred (exception).
> # {ErrorCode} = will be replaced by StrutsPortletErrorContext.getErrorCode (blank if not set)
> # {ErrorMessage} = will be replaced by StrutsPortletErrorContext.getErrorMessage (blank if not set)
> # {Exception.Message} = will be replaced by StrutsPortletErrorContext.getError.getMessage -> e.g. when ServletException (blank if not set)
> # {Exception.Class.Name} = will be replaced by StrutsPortletErrorContext.getError.getClass.getName -> e.g. when ServletException (blank if not set)
> # {Exception.StackTrace} = will be replaced by StrutsPortletErrorContext.getError.getStackTrace -> e.g. when ServletException (blank if not set)
> # former default in code:
> strutsportlet.error.output=<hr/><h2>Error</h2><table border='1'><tr><td valign='top'><b>Error Code</b></td><td>{ErrorCode}</td></tr><tr><td valign='top'><b>Error Message</b></td><td>{ErrorMessage}</td></tr><tr><td valign='top'><b>Error</b></td><td>{Exception.Message}</td></tr><tr><td valign='top'><b>Error Type</b></td><td>{Exception.Class.Name}</td></tr><tr><td valign='top'><b>Stacktrace</b></td><td>{Exception.StackTrace}</td></tr></table>
> </code>
> If no bundle or message is specified, the patch reduces the default output to "Error" without rendering specific error data (stack trace ...).
> CAUTION: The bundle is only supplied for the JPETSTORE Portlet. All other Struts Portlets output only "Error" when rendering an error. This behavior can be changed in the StrutsPortlet.java (commented).
> The default configuration in the bundle supplied is to output the error information as it was before.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
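
The placeholder substitution described in the issue, as an added Java example that is not the code in patch_PB-86.diff. The bundle key, the placeholder names and the "Error" fallback come from the issue text; the class name `ErrorOutputRenderer`, the HTML escaping of substituted values and the single-pass replacement are assumptions of this example, and the bundle and exception in `main` are constructed.

```java
import java.io.*;
import java.util.*;
import java.util.regex.*;
// Hypothetical helper for illustration; not the code in patch_PB-86.diff.
public class ErrorOutputRenderer {
    static final String KEY = "strutsportlet.error.output";  // bundle key from the issue
    static final Pattern PLACEHOLDER = Pattern.compile("\\{([A-Za-z.]+)\\}");

    // Assumption: substituted values are HTML-escaped (the issue does not say so).
    static String escape(String s) {
        if (s == null) return "";  // "blank if not set"
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    static String render(ResourceBundle bundle, String code, String msg, Throwable err) {
        if (bundle == null || !bundle.containsKey(KEY)) return "Error";  // reduced default
        String trace = null;
        if (err != null) {
            StringWriter sw = new StringWriter();
            err.printStackTrace(new PrintWriter(sw, true));
            trace = sw.toString();
        }
        Map<String, String> values = new HashMap<>();
        values.put("ErrorCode", code);
        values.put("ErrorMessage", msg);
        values.put("Exception.Message", err == null ? null : err.getMessage());
        values.put("Exception.Class.Name", err == null ? null : err.getClass().getName());
        values.put("Exception.StackTrace", trace);
        // Single pass: inserted text is never rescanned, so a "{...}" inside an
        // exception message cannot pull in another field such as the stack trace.
        Matcher m = PLACEHOLDER.matcher(bundle.getString(KEY));
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String name = m.group(1);
            String repl = values.containsKey(name) ? escape(values.get(name)) : m.group();
            m.appendReplacement(out, Matcher.quoteReplacement(repl));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed bundle whose message omits {Exception.StackTrace}.
        ResourceBundle bundle = new PropertyResourceBundle(new StringReader(
                KEY + "=<p>Error {ErrorCode}: {ErrorMessage}</p>"));
        Exception e = new IllegalStateException("bad <b>id</b> {Exception.StackTrace}");
        System.out.println(render(bundle, "500", e.getMessage(), e));
        System.out.println(render(null, "500", e.getMessage(), e));
    }
}
```

A bundle message that leaves out `{Exception.StackTrace}` and `{Exception.Class.Name}` keeps internal class and call-path details out of the rendered portlet while still showing the error code and message.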

