Configure StrutsPortlet error output (disable stack trace for security reason)
------------------------------------------------------------------------------

                 Key: PB-86
                 URL: https://issues.apache.org/jira/browse/PB-86
             Project: Portals Bridges
          Issue Type: Improvement
          Components: struts
    Affects Versions: 1.0.3, 1.0.4
            Reporter: Joachim Müller
             Fix For: 1.0.3, 1.0.4
         Attachments: patch_PB-86.diff

Currently the StrutsPortlet always renders the full stack trace into the 
portlet when an error occurs. This may be critical concerning security issues.
With the supplied patch the error message can be loaded via resource bundle 
(per portlet). The message can contain placeholders which will be replaced by 
specific error data.

Example:
- specify portlet resources in portlet xml:
   <resource-bundle>JPetstorePortletResources</resource-bundle>
- specify error message inside bundle:

<code>
# Message to be rendered in HTML when unhandled ERROR in StrutsPortlet occurred (exception).
# {ErrorCode} = will be replaced by StrutsPortletErrorContext.getErrorCode (blank if not set)
# {ErrorMessage} = will be replaced by StrutsPortletErrorContext.getErrorMessage (blank if not set)
# {Exception.Message} = will be replaced by StrutsPortletErrorContext.getError.getMessage -> e.g. when ServletException (blank if not set)
# {Exception.Class.Name} = will be replaced by StrutsPortletErrorContext.getError.getClass.getName -> e.g. when ServletException (blank if not set)
# {Exception.StackTrace} = will be replaced by StrutsPortletErrorContext.getError.getStackTrace -> e.g. when ServletException (blank if not set)
# former default in code:
strutsportlet.error.output=<hr/><h2>Error</h2><table border='1'><tr><td valign='top'><b>Error Code</b></td><td>{ErrorCode}</td></tr><tr><td valign='top'><b>Error Message</b></td><td>{ErrorMessage}</td></tr><tr><td valign='top'><b>Error</b></td><td>{Exception.Message}</td></tr><tr><td valign='top'><b>Error Type</b></td><td>{Exception.Class.Name}</td></tr><tr><td valign='top'><b>Stacktrace</b></td><td>{Exception.StackTrace}</td></tr></table>
</code>

If no bundle or message is specified, the patch reduces the default output to 
"Error" without rendering specific error data (stack trace ...).
CAUTION: The bundle is only supplied for the JPETSTORE Portlet. All other 
Struts Portlets output only "Error" when rendering an error. This behavior 
can be changed in the StrutsPortlet.java (commented).

The default configuration in the bundle supplied is to output the error 
information as it was before.

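An added example, not the code from patch_PB-86.diff or from Portals Bridges, of the behaviour the issue describes: a per-portlet template whose placeholders are filled with error data, falling back to "Error" when no bundle or message exists. The class and method names, the bundle name `NoSuchBundle`, the hardened template and the HTML escaping of substituted values are assumptions made for this illustration.

```java
import java.util.*;
import java.util.regex.*;

class ErrorOutputDemo {
    static final String KEY = "strutsportlet.error.output"; // key named in the issue
    static final String SAFE_DEFAULT = "Error";              // fallback named in the issue
    static final Pattern PLACEHOLDER = Pattern.compile("\\{([A-Za-z.]+)\\}");

    // Assumption: the issue does not say whether substituted values are escaped.
    // Exception messages can carry request data, so escape before rendering as HTML.
    static String esc(String s) {
        if (s == null) return ""; // "blank if not set"
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // Single pass over the template, so a value that itself contains "{...}"
    // is never expanded a second time. Unknown placeholders are left as written.
    static String render(String template, Map<String, String> values) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String name = m.group(1);
            String repl = values.containsKey(name) ? esc(values.get(name)) : m.group();
            m.appendReplacement(out, Matcher.quoteReplacement(repl));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Per-portlet lookup: a missing bundle or missing key yields the bare default.
    static String template(String bundleName) {
        try {
            return ResourceBundle.getBundle(bundleName).getString(KEY);
        } catch (MissingResourceException e) {
            return SAFE_DEFAULT;
        }
    }

    public static void main(String[] args) {
        Exception e = new IllegalStateException("bad input <b>x</b>"); // constructed sample
        Map<String, String> v = new HashMap<>();
        v.put("ErrorCode", "500");
        v.put("ErrorMessage", "Request failed");
        v.put("Exception.Message", e.getMessage());
        v.put("Exception.Class.Name", e.getClass().getName());
        v.put("Exception.StackTrace", Arrays.toString(e.getStackTrace()));
        // Hardened template (constructed): no exception or stack trace placeholders.
        System.out.println(render("<p>Error {ErrorCode}: {ErrorMessage}</p>", v));
        System.out.println(render("<td>{Exception.Message}</td>", v)); // value is escaped
        System.out.println(render(template("NoSuchBundle"), v));       // no bundle -> "Error"
    }
}
```

The stack trace is still collected here, so it can be written to the server log while the template decides what reaches the page.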