tomcat-dev mailing list archives

From Alex Chaffee
Subject Re: Security: printStackTrace :-)
Date Tue, 15 Aug 2000 09:45:22 GMT
> In Logger we do a printStackTrace for the original exception (can be
> ServletException) and also on the "rootCause" exception (using
> getRootCause). This is very useful information and a useful feature, but it may
> open a wrong door.

If we disable printStackTrace, we should do so via a flag in
server.xml.  Make the secure option the default, but put a
comment describing the tradeoff.  I think we already talked about
disabling stack traces on error pages, but it seems like nobody did
anything about it, since I still see stack traces occasionally.

But hmm, if there is a problem like you describe, it applies both to
printStackTrace onto a web page *and* into a log file... Hope you're
just being paranoid :-)

Alex Chaffee             
jGuru - Java News and FAQs
Creator of Gamelan       
Founder of Purple Technology
Curator of Stinky Art Collective
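
The secure-by-default flag proposed in the message above, sketched as an added example (not code from the original message or from Tomcat). `ErrorReporter` and `showStackTraces` are hypothetical names, and `Throwable.getCause()` stands in for `ServletException.getRootCause()`.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;

// Added illustration. ErrorReporter and showStackTraces are hypothetical names,
// not Tomcat classes or server.xml attributes.
public class ErrorReporter {
    private final boolean showStackTraces; // stands in for the proposed flag
    private final PrintWriter log;

    // Secure default: no trace reaches the client unless explicitly enabled.
    public ErrorReporter(PrintWriter log) { this(log, false); }

    public ErrorReporter(PrintWriter log, boolean showStackTraces) {
        this.log = log;
        this.showStackTraces = showStackTraces;
    }

    // Writes the full trace to the log and returns the HTML body for the client.
    public String report(Throwable t) {
        String id = UUID.randomUUID().toString();
        StringWriter sw = new StringWriter();
        // On current JDKs printStackTrace also prints the getCause() chain,
        // used here in place of ServletException.getRootCause().
        t.printStackTrace(new PrintWriter(sw, true));
        log.println("error-id=" + id);
        log.print(sw);
        log.flush();
        if (showStackTraces) {
            return "<pre>" + escapeHtml(sw.toString()) + "</pre>";
        }
        // The id lets an operator find the logged trace without exposing it.
        return "<p>Internal server error. Reference: " + id + "</p>";
    }

    private static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    public static void main(String[] args) {
        // Constructed sample: a wrapper exception carrying a root cause.
        Throwable root = new IllegalStateException("jdbc:example://db.internal/orders unreachable");
        Throwable wrapped = new RuntimeException("request failed", root);
        PrintWriter log = new PrintWriter(System.err, true);
        System.out.println(new ErrorReporter(log).report(wrapped));       // default: reference only
        System.out.println(new ErrorReporter(log, true).report(wrapped)); // opt-in: escaped trace
    }
}
```

The full trace is still written to the log in both modes, which is the second exposure the message points out.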
