Re: Disable stack traces on HTTP Transport

Tue, 21 May 2024 01:40:32 -0700 

Hi Colm,

Thanks ! I will work on this :)

Regards
JB

On Mon, May 20, 2024 at 1:08 PM Colm O hEigeartaigh <cohei...@apache.org> wrote:
>
> Thanks JB, here it is: https://issues.apache.org/jira/browse/AMQ-9503
>
> Colm.
>
> On Fri, May 17, 2024 at 5:22 PM Jean-Baptiste Onofré <j...@nanthrax.net> 
> wrote:
> >
> > Hi Colm
> >
> > Let me check but I don't think so.
> >
> > Can you please create a Jira ? I will fix that.
> >
> > Thanks !
> > Regards
> > JB
> >
> > On Fri, May 17, 2024 at 12:39 PM Colm O hEigeartaigh
> > <cohei...@apache.org> wrote:
> > >
> > > Hi,
> > >
> > > Is there a way to disable stack traces being returned with the HTTP
> > > Transport. Using 5.18.x I configure AMQ with  <transportConnector
> > > name="http" uri="http://localhost:12345"/
> > >
> > > Then with curl if I post some XML data I get:
> > >
> > > <html>
> > > <head>
> > > <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
> > > <title>Error 500
> > > com.thoughtworks.xstream.security.ForbiddenClassException:
> > > jdk.nashorn.internal.objects.NativeString</title>
> > > </head>
> > > <body><h2>HTTP ERROR 500
> > > com.thoughtworks.xstream.security.ForbiddenClassException:
> > > jdk.nashorn.internal.objects.NativeString</h2>
> > > <table>
> > > <tr><th>URI:</th><td>/</td></tr>
> > > <tr><th>STATUS:</th><td>500</td></tr>
> > > <tr><th>MESSAGE:</th><td>com.thoughtworks.xstream.security.ForbiddenClassException:
> > > jdk.nashorn.internal.objects.NativeString</td></tr>
> > > <tr><th>SERVLET:</th><td>org.apache.activemq.transport.http.HttpTunnelServlet-1fdca564</td></tr>
> > > <tr><th>CAUSED 
> > > BY:</th><td>com.thoughtworks.xstream.security.ForbiddenClassException:
> > > jdk.nashorn.internal.objects.NativeString</td></tr>
> > > </table>
> > > <h3>Caused 
> > > by:</h3><pre>com.thoughtworks.xstream.security.ForbiddenClassException:
> > > jdk.nashorn.internal.objects.NativeString
> > >     at 
> > > com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26)
> > >
> > > etc.
> > >
> > > It's a bad practice from a security point of view to return detailed
> > > error messages to clients. I didn't see an obvious way of turning this
> > > off though.
> > >
> > > Colm.

Reply via email to