[ 
https://issues.apache.org/jira/browse/AMQ-9503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17849661#comment-17849661
 ] 

Jean-Baptiste Onofré edited comment on AMQ-9503 at 6/13/25 12:29 PM:
---------------------------------------------------------------------

It's coming from xbean via the StackTraceElementConverter. We can disable this 
converter by default and enable the converter by configuration. It's used by 
the wireFormat in the HttpTunnelServlet.

I'm doing this change.


was (Author: jbonofre):
It's coming from xbeam via the StackTraceElementConverter. We can disable this 
converter by default and enable the converter by configuration. It's used by 
the wireFormat in the HttpTunnelServlet.

I'm doing this change.

> Disable stacktrace for HTTP Connector
> -------------------------------------
>
>                 Key: AMQ-9503
>                 URL: https://issues.apache.org/jira/browse/AMQ-9503
>             Project: ActiveMQ Classic
>          Issue Type: Task
>    Affects Versions: 5.18.4
>            Reporter: Colm O hEigeartaigh
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>             Fix For: 6.2.0, 6.1.7
>
>
>  
> The HTTP Connector is returning stack traces to clients, which is not a good 
> idea from a security point of view as it may leak internal information. 
> Please disable (at least by default)
>  
> To reproduce:
>  
> On 5.18.x I configure AMQ with <transportConnector name="http" uri="http://localhost:12345"/>
>  
> data.xml:
> {code:java}
> <java.lang.String>1234</java.lang.String> {code}
> Then with curl:
> {code:java}
> curl --data '@deser.xml' http://localhost:12345 {code}
> I get the following stacktrace:
> {code:java}
> <h3>Caused by:</h3><pre>java.lang.ClassCastException: class java.lang.String cannot be cast to class org.apache.activemq.command.Command (java.lang.String is in module java.base of loader &apos;bootstrap&apos;; org.apache.activemq.command.Command is in unnamed module of loader java.net.URLClassLoader @6ce139a4)
>     at org.apache.activemq.transport.http.HttpTunnelServlet.doPost(HttpTunnelServlet.java:137)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:681)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:554)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>     at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:722)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.eclipse.jetty.server.Server.handle(Server.java:516)
>     at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
>     at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
>     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
>     at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:137)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
>     at java.base/java.lang.Thread.run(Thread.java:829)</pre>
> </body></html> {code}
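
A regression check for the leak reported in the issue, as an added example that is not ActiveMQ code and not part of the original message: it scans an HTTP error body for Java stack frames and reports which internals the body exposes. The function name and both sample bodies are assumptions constructed here; the leaky sample is an abbreviated copy of the response quoted above.

```python
import html
import re

# One Java stack frame: "at [module/]pkg.Class.method(File.java:123)"
FRAME_RE = re.compile(
    r"\bat\s+(?:[\w.]+/)?([\w.$]+)\.([\w$<>]+)\(([\w$]+\.java):(\d+)\)"
)
# Fully qualified exception or error class name, e.g. java.lang.ClassCastException
EXC_RE = re.compile(r"\b((?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error))\b")


def find_stack_trace_leak(body: str) -> dict:
    """Report Java internals exposed by an HTTP response body (hypothetical helper)."""
    text = html.unescape(body)  # error pages escape quotes and angle brackets
    frames = [
        {"class": cls, "method": meth, "file": src, "line": int(line)}
        for cls, meth, src, line in FRAME_RE.findall(text)
    ]
    exceptions = sorted(set(EXC_RE.findall(text)))
    # Package prefixes tell a client which server stack and libraries are in use.
    packages = sorted(
        {".".join(f["class"].rsplit(".", 1)[0].split(".")[:3]) for f in frames}
    )
    return {
        "leaks": bool(frames or exceptions),
        "exceptions": exceptions,
        "frames": frames,
        "packages": packages,
    }


# Constructed sample: shortened form of the response body quoted in the issue.
SAMPLE_LEAKY = (
    "<h3>Caused by:</h3><pre>java.lang.ClassCastException: class java.lang.String "
    "cannot be cast to class org.apache.activemq.command.Command\n"
    "\tat org.apache.activemq.transport.http.HttpTunnelServlet.doPost"
    "(HttpTunnelServlet.java:137)\n"
    "\tat org.eclipse.jetty.server.Server.handle(Server.java:516)\n"
    "\tat java.base/java.lang.Thread.run(Thread.java:829)</pre>"
)
# Constructed sample: a generic error body with no internals in it.
SAMPLE_CLEAN = "<html><body><h2>HTTP ERROR 500</h2></body></html>"

if __name__ == "__main__":
    for name, body in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        report = find_stack_trace_leak(body)
        print(name, report["leaks"], report["exceptions"], report["packages"])
```

Run against a saved response body from a test broker, the `leaks` field gives a pass/fail signal suitable for a CI check after upgrading to a fixed version.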


