cxf-dev mailing list archives

From Daniel Kulp <dk...@apache.org>
Subject Re: svn commit: r1089385 - /cxf/trunk/api/src/main/java/org/apache/cxf/interceptor/Fault.java
Date Wed, 06 Apr 2011 10:35:03 GMT

I think I'm -1 to this change.   To me, this looks like it may leak security 
information and such to the client.

The only message sent back to the client should be the top level message.   
The "causes" should be logged server side and not reflected back.  If there 
are certain places where we CAN send back a specific cause, we should just do 
that.   We specifically don't send the stacks and such back to the client (by 
default) exactly for that reason.


In the case of the SAAJIn, if it's an XMLStreamException, just do something 
like:

throw new SoapFault(new org.apache.cxf.common.i18n.Message(
                    e.getMessage(), BUNDLE), e, message
                    .getVersion().getSender());

Dan



On Wednesday 06 April 2011 6:21:42 AM ningjiang@apache.org wrote:
> Author: ningjiang
> Date: Wed Apr  6 10:21:42 2011
> New Revision: 1089385
> 
> URL: http://svn.apache.org/viewvc?rev=1089385&view=rev
> Log:
> CXF-3442 Fault should not swallow the cause exception message
> 
> Modified:
>     cxf/trunk/api/src/main/java/org/apache/cxf/interceptor/Fault.java
> 
> Modified: cxf/trunk/api/src/main/java/org/apache/cxf/interceptor/Fault.java
> URL:
> http://svn.apache.org/viewvc/cxf/trunk/api/src/main/java/org/apache/cxf/in
> terceptor/Fault.java?rev=1089385&r1=1089384&r2=1089385&view=diff
> ==========================================================================
> ==== --- cxf/trunk/api/src/main/java/org/apache/cxf/interceptor/Fault.java
> (original) +++
> cxf/trunk/api/src/main/java/org/apache/cxf/interceptor/Fault.java Wed Apr 
> 6 10:21:42 2011 @@ -44,7 +44,13 @@ public class Fault extends
> UncheckedExce
> 
>      public Fault(Message message, Throwable throwable) {
>          super(message, throwable);
> -        this.message = message.toString();
> +        StringBuffer buffer = new StringBuffer();
> +        buffer.append(message.toString());
> +        if (throwable != null) {
> +            buffer.append(" Caused by :");
> +            buffer.append(throwable.getMessage());
> +        }
> +        this.message = buffer.toString();
>          code = FAULT_CODE_SERVER;
>      }
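
Review bot: In the Fault(Message, Throwable) constructor, the appended throwable.getMessage() becomes part of this.message, so any internal detail carried by the cause ends up in the fault text, which the reply above says is what goes back to the client. Suggest keeping "this.message = message.toString();", logging the cause server side, and building the top-level Message from the cause explicitly only at call sites where that is known to be safe. Separately, the null check covers throwable but not throwable.getMessage(), so a cause with no message would yield the literal text "Caused by :null".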

-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
Talend - http://www.talend.com
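
The concern raised in the reply above, shown as an added example in plain Java; it is not CXF code and not from the thread. ServiceFault, leakyMessage and the reference id are hypothetical names and additions for illustration, and the SQLException text is constructed sample data.

```java
import java.sql.SQLException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class FaultMessageDemo {
    private static final Logger LOG = Logger.getLogger(FaultMessageDemo.class.getName());

    /** Hypothetical fault type standing in for a framework fault class. */
    static class ServiceFault extends RuntimeException {
        private final String clientMessage;

        ServiceFault(String topLevelMessage, Throwable cause) {
            super(topLevelMessage, cause);
            // Assumption: a reference id lets an operator match a client report to the log entry.
            String ref = UUID.randomUUID().toString();
            // The cause chain and its stack trace are logged server side only.
            LOG.log(Level.WARNING, "fault " + ref + ": " + topLevelMessage, cause);
            // Only the top-level message (plus the id) is eligible to reach the client.
            this.clientMessage = topLevelMessage + " (ref " + ref + ")";
        }

        String getClientMessage() {
            return clientMessage;
        }
    }

    /** The pattern from the commit: cause text concatenated into the client-visible message. */
    static String leakyMessage(String topLevelMessage, Throwable cause) {
        StringBuilder sb = new StringBuilder(topLevelMessage);
        if (cause != null) {
            sb.append(" Caused by :").append(cause.getMessage());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed cause carrying internal detail (account, host, table name).
        Throwable cause = new SQLException(
            "Access denied for user 'svc_orders'@'db01.internal' on table ORDERS_PII");
        String top = "Could not process request";

        // Prints the top-level message followed by the internal database detail.
        System.out.println("leaky: " + leakyMessage(top, cause));
        // Prints the top-level message and a reference id; the detail is in the log only.
        System.out.println("safe : " + new ServiceFault(top, cause).getClientMessage());
    }
}
```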
