cxf-dev mailing list archives

From Christian Schneider <ch...@die-schneider.net>
Subject Re: svn commit: r1089385 - /cxf/trunk/api/src/main/java/org/apache/cxf/interceptor/Fault.java
Date Wed, 06 Apr 2011 13:48:34 GMT
Hi Dan,

I think the cause of the exception is very important to diagnose problems 
but I also understand that the leakage of security information is a big 
problem.

So how about introducing a config setting that controls if the cause and 
stacktrace are transmitted?
So for development systems the users may set the flag to true and for 
production systems they set it to false.

Christian


On 06.04.2011 12:35, Daniel Kulp wrote:
> I think I'm -1 to this change.   To me, this looks like it may leak security
> information and such to the client.
>
> The only message sent back to the client should be the top level message.
> The "causes" should be logged server side and not reflected back.  If there
> are certain places where we CAN send back a specific cause, we should just do
> that.   We specifically don't send the stacks and such back to the client (by
> default) exactly for that reason.
>
>
> In the case of the SAAJIn, if it's an XMLStreamException, just do something
> like:
>
> throw new SoapFault(new org.apache.cxf.common.i18n.Message(
>                      e.getMessage(), BUNDLE), e, message
>                      .getVersion().getSender());
>
> Dan
>
>
>
> On Wednesday 06 April 2011 6:21:42 AM ningjiang@apache.org wrote:
>> Author: ningjiang
>> Date: Wed Apr  6 10:21:42 2011
>> New Revision: 1089385
>>
>> URL: http://svn.apache.org/viewvc?rev=1089385&view=rev
>> Log:
>> CXF-3442 Fault should not swallow the cause exception message
>>
>> Modified:
>>      cxf/trunk/api/src/main/java/org/apache/cxf/interceptor/Fault.java
>>
>> Modified: cxf/trunk/api/src/main/java/org/apache/cxf/interceptor/Fault.java
>> URL:
>> http://svn.apache.org/viewvc/cxf/trunk/api/src/main/java/org/apache/cxf/in
>> terceptor/Fault.java?rev=1089385&r1=1089384&r2=1089385&view=diff
>> ==========================================================================
>> ==== --- cxf/trunk/api/src/main/java/org/apache/cxf/interceptor/Fault.java
>> (original) +++
>> cxf/trunk/api/src/main/java/org/apache/cxf/interceptor/Fault.java Wed Apr
>> 6 10:21:42 2011 @@ -44,7 +44,13 @@ public class Fault extends
>> UncheckedExce
>>
>>       public Fault(Message message, Throwable throwable) {
>>           super(message, throwable);
>> -        this.message = message.toString();
>> +        StringBuffer buffer = new StringBuffer();
>> +        buffer.append(message.toString());
>> +        if (throwable != null) {
>> +            buffer.append(" Caused by :");
>> +            buffer.append(throwable.getMessage());
>> +        }
>> +        this.message = buffer.toString();
>>           code = FAULT_CODE_SERVER;
>>       }
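
Review bot: appending `throwable.getMessage()` inside the new `if (throwable != null)` block puts the cause's text into the fault message, which per the reply above is the text the client receives, so any internal detail carried in a nested exception message is reflected back. Suggest keeping `this.message = message.toString();` as the client-facing text and logging the cause server side, or appending the cause only behind a setting that defaults to off. Two smaller points in the same block: `getMessage()` can return null, which would yield " Caused by :null", and a local `StringBuilder` would do in place of `StringBuffer`.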

-- 
----
http://www.liquid-reality.de
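
One way the flag proposed in this message could behave, shown as an added example that is not part of the original thread and is not CXF code: the cause is always logged server side, and it reaches the client only when the setting is on. The class `FaultTextPolicy`, the method `clientText`, the `exposeCause` flag and the sample messages are all hypothetical.

```java
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added illustration; class, method and flag names are hypothetical, not CXF API.
public class FaultTextPolicy {
    private static final Logger LOG = Logger.getLogger(FaultTextPolicy.class.getName());

    private final boolean exposeCause; // hypothetical setting; false for production

    public FaultTextPolicy(boolean exposeCause) {
        this.exposeCause = exposeCause;
    }

    /** Returns the text for the client; the full cause always goes to the server log. */
    public String clientText(String topLevelMessage, Throwable cause) {
        if (cause == null) {
            return topLevelMessage;
        }
        // A reference id lets support match a client report to the logged stack trace.
        String ref = UUID.randomUUID().toString();
        LOG.log(Level.WARNING, "Fault " + ref + ": " + topLevelMessage, cause);
        if (!exposeCause) {
            return topLevelMessage + " (ref " + ref + ")";
        }
        // getMessage() may be null, so fall back to the exception class name.
        String detail = cause.getMessage() != null
                ? cause.getMessage()
                : cause.getClass().getName();
        return topLevelMessage + " Caused by: " + detail;
    }

    public static void main(String[] args) {
        // Constructed sample cause whose message carries internal detail.
        Throwable cause = new IllegalStateException("cannot open /opt/app/conf/keystore.jks");
        String top = "Could not process request.";
        System.out.println(new FaultTextPolicy(false).clientText(top, cause));
        System.out.println(new FaultTextPolicy(true).clientText(top, cause));
    }
}
```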

