[ https://issues.apache.org/jira/browse/PB-86?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joachim Müller updated PB-86:
-----------------------------

    Attachment: patch_PB-86.diff

> Configure StrutsPortlet error output (disable stack trace for security reason)
> ------------------------------------------------------------------------------
>
>                 Key: PB-86
>                 URL: https://issues.apache.org/jira/browse/PB-86
>             Project: Portals Bridges
>          Issue Type: Improvement
>          Components: struts
>    Affects Versions: 1.0.3, 1.0.4
>            Reporter: Joachim Müller
>             Fix For: 1.0.3, 1.0.4
>
>         Attachments: patch_PB-86.diff
>
>
> Currently the StrutsPortlet always renders the full stack trace into the 
> portlet when an error occurs. This may be critical concerning security issues.
> With the supplied patch the error message can be loaded via resource bundle 
> (per portlet). The message can contain placeholders which will be replaced 
> by specific error data.
> Example:
> - specify portlet resources in portlet xml:
>    <resource-bundle>JPetstorePortletResources</resource-bundle>
> - specify error message inside bundle:
> <code>
> # Message to be rendered in HTML when unhandled ERROR in StrutsPortlet occurred (exception).
> # {ErrorCode} = will be replaced by StrutsPortletErrorContext.getErrorCode (blank if not set)
> # {ErrorMessage} = will be replaced by StrutsPortletErrorContext.getErrorMessage (blank if not set)
> # {Exception.Message} = will be replaced by StrutsPortletErrorContext.getError.getMessage -> e.g. when ServletException (blank if not set)
> # {Exception.Class.Name} = will be replaced by StrutsPortletErrorContext.getError.getClass.getName -> e.g. when ServletException (blank if not set)
> # {Exception.StackTrace} = will be replaced by StrutsPortletErrorContext.getError.getStackTrace -> e.g. when ServletException (blank if not set)
> # former default in code:
> strutsportlet.error.output=<hr/><h2>Error</h2><table border='1'><tr><td valign='top'><b>Error Code</b></td><td>{ErrorCode}</td></tr><tr><td valign='top'><b>Error Message</b></td><td>{ErrorMessage}</td></tr><tr><td valign='top'><b>Error</b></td><td>{Exception.Message}</td></tr><tr><td valign='top'><b>Error Type</b></td><td>{Exception.Class.Name}</td></tr><tr><td valign='top'><b>Stacktrace</b></td><td>{Exception.StackTrace}</td></tr></table>
> </code>
> If no bundle or message is specified, the patch reduces the default output to 
> "Error" without rendering specific error data (stack trace ...).
> CAUTION: The bundle is only supplied for the JPETSTORE Portlet. All other 
> Struts Portlets output only "Error" when rendering an error. This behavior 
> can be changed in the StrutsPortlet.java (commented).
> The default configuration in the bundle supplied is to output the error 
> information as it was before.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
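
The placeholder substitution described in the issue, as an added example that is not part of patch_PB-86.diff or the Portals Bridges code base: a template without exception placeholders keeps stack traces out of the rendered portlet, and a missing template falls back to "Error". The class and method names are hypothetical; HTML-escaping the substituted values and expanding placeholders in a single pass are choices of this example, not behavior the issue states.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration: class and method names are hypothetical, not taken from patch_PB-86.diff.
public class ErrorOutputDemo {
    static final Pattern PLACEHOLDER = Pattern.compile("\\{[A-Za-z.]+\\}");
    // HTML-escape a value before it goes into portlet markup; null becomes "" ("blank if not set").
    static String escape(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
    static String stackTrace(Throwable t) {
        StringWriter w = new StringWriter();
        t.printStackTrace(new PrintWriter(w, true));
        return w.toString();
    }
    // Single pass over the template, so placeholder-like text inside a substituted value is never expanded.
    static String render(String template, String code, String message, Throwable error) {
        if (template == null || template.isEmpty()) return "Error"; // no bundle or message configured
        Map<String, String> values = new HashMap<>();
        values.put("{ErrorCode}", code);
        values.put("{ErrorMessage}", message);
        values.put("{Exception.Message}", error == null ? null : error.getMessage());
        values.put("{Exception.Class.Name}", error == null ? null : error.getClass().getName());
        values.put("{Exception.StackTrace}", error == null ? null : stackTrace(error));
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String key = m.group();
            // Unknown placeholders are left in place; known ones are escaped and inserted literally.
            m.appendReplacement(out, Matcher.quoteReplacement(
                    values.containsKey(key) ? escape(values.get(key)) : key));
        }
        return m.appendTail(out).toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: an exception message carrying markup and placeholder-like text.
        Throwable e = new IllegalStateException("bad <b>input</b> {Exception.StackTrace}");
        String hardened = "<h2>Error</h2><p>Code {ErrorCode}: {ErrorMessage}</p>";
        System.out.println(render(null, "500", "Request failed", e));      // Error
        System.out.println(render(hardened, "500", "Request failed", e));  // no exception data
        System.out.println(render(hardened + "<pre>{Exception.Message}</pre>", "500", "Request failed", e));
    }
}
```

The third call shows the exception message rendered as escaped text, with the `{Exception.StackTrace}` string inside it left unexpanded.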

