help needed in fixing security issue?

Ranch Hand
A security reporting tool, Fortify, gave the following report about the security bugs in our code.

Abstract:
If a Servlet fails to catch all exceptions, it might reveal debugging information that will help an adversary form a plan of attack.

Recommendations:
All top-level Servlet methods should catch Throwable, thereby minimizing the chance that the Servlet's error response
mechanism is invoked.

But isn't catching everything a bad programming style?
Bartender
As a general rule yes, but in this case, if you don't catch everything then there is a good chance that the exception stack trace will be sent as the Servlet response (this used to happen in Tomcat years ago, but I don't know about the latest Tomcat), which could be classed as a security issue. If you catch everything then your exception handler should log the problem and forward the Servlet to some suitable error page. This way you give nothing away to the user other than to inform him there was a problem.

Note - you are not ignoring the exception (that would be bad) but you are handling it in a positive, constructive manner.
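The "log it, then forward to a neutral error page" handler described above, as an added example that is not code from the original thread. The servlet class, the `id` request parameter and the `/WEB-INF/error.jsp` page are assumptions made for this example; the point it adds beyond the post is the committed-response check (forwarding after output has been flushed throws `IllegalStateException`) and the opaque incident id that lets support find the stack trace in the log without it ever reaching the client.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet; the "id" parameter and /WEB-INF/error.jsp are
// assumptions for this example, not something from the original thread.
public class AccountServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(AccountServlet.class.getName());

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            showAccount(req, resp);
        } catch (Throwable t) {
            handleFailure(t, req, resp);
        }
    }

    // Business logic. A request such as ?id=abc throws NumberFormatException here;
    // without the catch above, a container default error page may print the trace.
    private void showAccount(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        int accountId = Integer.parseInt(req.getParameter("id"));
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Account " + accountId);
    }

    private void handleFailure(Throwable t, HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (t instanceof VirtualMachineError) {
            throw (VirtualMachineError) t; // OutOfMemoryError etc.: not ours to swallow
        }
        // The incident id is the only detail that leaves the server. Support can
        // look it up in the log; the user (or an attacker) learns nothing else.
        String incidentId = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "Incident " + incidentId + " while handling "
                + req.getRequestURI(), t);

        if (resp.isCommitted()) {
            // Part of the response has already been sent; forward() would throw
            // IllegalStateException, so the best we can do is stop here.
            return;
        }
        resp.reset(); // discard any buffered partial output before the error page
        resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        req.setAttribute("incidentId", incidentId);
        req.getRequestDispatcher("/WEB-INF/error.jsp").forward(req, resp);
    }
}
```

The error page is kept under `/WEB-INF` so it cannot be requested directly, and it should render only the incident id and a generic message; anything that echoes the exception's message or class name back to the browser reintroduces the leak Fortify is flagging.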
Ranch Hand (author)
Richard is right. You should catch all your possible business exceptions and deal with them in the best way possible (maybe redirecting to an error page). For the runtime or unknown exceptions, you can catch them in an aspect that is applied to all your classes instead of handling this in each class of your app. You can do this with AspectJ or Spring.
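The aspect-based approach mentioned above, as an added example that is not code from the original thread. It uses Spring AOP with AspectJ annotations; the `com.example.app.service` package in the pointcut, the `ServiceFailureException` type and the Spring wiring (`@EnableAspectJAutoProxy` on a configuration class, with `spring-aop` and `aspectjweaver` on the classpath) are assumptions made for this example. Unexpected runtime exceptions are logged once with an incident id and replaced by an exception that carries only that id, so no layer above the service can accidentally render the original message.

```java
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.stereotype.Component;

// Assumed application exception: it carries an opaque incident id and nothing
// from the original failure, so it is safe to surface in an error page.
class ServiceFailureException extends RuntimeException {
    private final String incidentId;

    ServiceFailureException(String incidentId) {
        super("incident " + incidentId);
        this.incidentId = incidentId;
    }

    String getIncidentId() {
        return incidentId;
    }
}

@Aspect
@Component
public class UnexpectedExceptionAspect {
    private static final Logger LOG = Logger.getLogger(UnexpectedExceptionAspect.class.getName());

    // Pointcut package is an assumption: every public method of every class
    // under com.example.app.service (and its subpackages).
    @Around("execution(public * com.example.app.service..*(..))")
    public Object sanitizeRuntimeExceptions(ProceedingJoinPoint pjp) throws Throwable {
        try {
            return pjp.proceed();
        } catch (ServiceFailureException alreadyHandled) {
            // A nested service call already logged and sanitized this failure;
            // do not log it a second time or wrap it again.
            throw alreadyHandled;
        } catch (RuntimeException unexpected) {
            // Full detail goes to the log only, keyed by a fresh incident id.
            String incidentId = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "Incident " + incidentId + " in "
                    + pjp.getSignature().toShortString(), unexpected);
            throw new ServiceFailureException(incidentId);
        }
    }
}
```

Checked business exceptions pass through the aspect untouched (only `RuntimeException` is caught), so the calling code can still handle them individually as the post recommends. Note that Spring AOP proxies only intercept calls that cross a bean boundary; a service method calling another method on the same object bypasses the advice, which is one reason the advice also guards against double-wrapping.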
Marshal (Author and ninkuma)
Actually, best practices are that servlets should not capture exceptions individually -- rather, an error handler can be established in the deployment descriptor that handles exceptions in a consistent manner.

Why cut and paste the same code into each and every servlet when a better mechanism exists?