cxf-issues mailing list archives

From "Glen Mazza (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-4684) SOAPFault message improvement in CXF when there is unchecked NPE
Date Mon, 17 Dec 2012 21:10:12 GMT

    [ https://issues.apache.org/jira/browse/CXF-4684?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13534306#comment-13534306 ]

Glen Mazza commented on CXF-4684:
---------------------------------

Thanks.  A configuration property seems like a very workable idea; if you go that route you
might wish to default it to what it was before this patch was applied, lest we wait and end
up needing to default it to the less-secure option out of concern for backwards compatibility.
 Also, by keeping "Fault occurred while processing" as the default we can get people wanting
something else to show up on the mailing list, where we can (1) inform them of this new property
and (2) make sure they are in fact aware that they shouldn't be sending sensitive internal
error messages back to the client (if that is, in fact, their intention.)
                
> SOAPFault message improvement in CXF when there is unchecked NPE
> ----------------------------------------------------------------
>
>                 Key: CXF-4684
>                 URL: https://issues.apache.org/jira/browse/CXF-4684
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.6.2
>            Reporter: Bin Zhu
>            Assignee: Aki Yoshida
>         Attachments: CXF-4684.patch
>
>
> When there is unchecked NPE thrown, the SOAPFault in CXF will only throw the "Fault occurred while processing." message rather than the original NPE message.
> Analysis:
> 1. In org.apache.cxf.binding.soap.interceptor.Soap11FaultOutInterceptor and org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor,
> It will check fault.getMessage() :
>                 if (fault.getMessage() != null) {
>                     if (message.get("forced.faultstring") != null) {
>                         writer.writeCharacters((String) message.get("forced.faultstring"));
>                     } else {
>                         writer.writeCharacters(fault.getMessage());
>                     }
>                 } else {
>                     writer.writeCharacters("Fault occurred while processing.");
>                 }
> But for NPE, the fault.getMessage() will return null instead of the "java.lang.NullPointerException" in the getMessage() in NPE.
> 2.
> Fault.getMessage will return null in the NPE scenario while its superclass Throwable will not.
> When there is NPE, the message attribute in Fault is null while the detailMessage attribute is "java.lang.NullPointerException".
> Details:
> SoapFault->Fault->UncheckedException->RuntimeException->Exception->Throwable.  //  SoapFault->Fault means SoapFault class extends Fault class
> UncheckedException.getMessage:
>     public String getMessage() {
>         if (null != message) {
>             return message.toString();
>         }
>         return null;
>     }
> Throwable.getMessage:
> public String getMessage() {
> 	return detailMessage;
> }

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
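
Added example (not part of the original message and not CXF code): a self-contained Java model of the getMessage() behaviour described in the issue, together with the opt-in configuration property suggested in the comment, defaulting to the generic fault string. DemoFault, the property name example.fault.expose-exception-message and the wrapping of the NPE as a cause are assumptions made for this sketch; only "forced.faultstring" and the generic text come from the quoted code.

```java
import java.util.HashMap;
import java.util.Map;

public class FaultStringDemo {
    // Stand-in for the Fault/UncheckedException behaviour quoted in the issue:
    // getMessage() reads its own 'message' field, not Throwable's detailMessage.
    static class DemoFault extends RuntimeException {
        private final String message;

        DemoFault(Throwable cause) {
            super(cause);         // Throwable stores cause.toString() as detailMessage
            this.message = null;  // assumption: a bare NPE supplies no message text
        }

        @Override
        public String getMessage() {
            return message;       // null here, as the issue reports for an NPE
        }

        String throwableMessage() {
            return super.getMessage();  // the detailMessage kept by Throwable
        }
    }

    static final String GENERIC = "Fault occurred while processing.";
    // Hypothetical property name, made up for this example.
    static final String EXPOSE = "example.fault.expose-exception-message";

    // Chooses the faultstring. Internal exception text reaches the client only
    // when the property is explicitly set; the default stays generic.
    static String faultString(DemoFault fault, Map<String, Object> ctx) {
        Object forced = ctx.get("forced.faultstring");
        if (fault.getMessage() != null) {
            return forced != null ? (String) forced : fault.getMessage();
        }
        if (Boolean.TRUE.equals(ctx.get(EXPOSE)) && fault.throwableMessage() != null) {
            return fault.throwableMessage();
        }
        return GENERIC;
    }

    public static void main(String[] args) {
        DemoFault fault = new DemoFault(new NullPointerException());
        Map<String, Object> ctx = new HashMap<>();
        System.out.println("Fault.getMessage():     " + fault.getMessage());
        System.out.println("Throwable.getMessage(): " + fault.throwableMessage());
        System.out.println("default faultstring:    " + faultString(fault, ctx));
        ctx.put(EXPOSE, Boolean.TRUE);  // operator opts in to the less-secure behaviour
        System.out.println("opt-in faultstring:     " + faultString(fault, ctx));
    }
}
```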
