JavaRanch » Java Forums » Java » Servlets

help needed in fixing security issue ?

gurpeet singh
Ranch Hand

Joined: Apr 04, 2012
Posts: 924

A security reporting tool, Fortify, gave the following report about the security bugs in our code.

Abstract:
If a Servlet fails to catch all exceptions, it might reveal debugging information that will help an adversary form a plan of attack.

All top-level Servlet methods should catch Throwable, thereby minimizing the chance that the Servlet's error response mechanism is invoked.

But isn't catching everything a bad programming style?
Richard Tookey

Joined: Aug 27, 2012
Posts: 1166

As a general rule, yes, but in this case, if you don't catch everything, there is a good chance that the exception stack trace will be sent as the Servlet response (this used to happen in Tomcat years ago, but I don't know about the latest Tomcat), which could be classed as a security issue. If you catch everything, then your exception handler should log the problem and forward the Servlet to some suitable error page. This way you give nothing away to the user other than informing him that there was a problem.

Note: you are not ignoring the exception (that would be bad); you are handling it in a positive, constructive manner.
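Richard's approach in working code, as an added example that is not code from his post or from the thread: a servlet whose top-level method catches Throwable, logs the full trace server-side under a generated incident id, and forwards to a generic error page so the response carries nothing an attacker can use. It assumes the javax.servlet 3.x API (the thread predates the jakarta rename) and a JSP at /WEB-INF/error.jsp that renders only a fixed message plus the incident id; OrderServlet, handle() and the id parameter are hypothetical.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the thread). Assumes javax.servlet 3.x and a JSP at
// /WEB-INF/error.jsp that prints only a generic message and ${incidentId}.
public class OrderServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(OrderServlet.class.getName());

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            handle(req, resp);
        } catch (Throwable t) {
            // Keep the exception away from the container's error mechanism, which may
            // render the stack trace into the response. The full trace goes to the log.
            String incidentId = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "Unhandled exception, incident " + incidentId, t);

            if (resp.isCommitted()) {
                // Part of the body has already reached the client; we can no longer
                // replace the response, so just stop writing.
                return;
            }
            resp.reset();
            resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            // Only the opaque incident id crosses the trust boundary: the user quotes
            // it to support, the operator looks the trace up in the server log.
            req.setAttribute("incidentId", incidentId);
            req.getRequestDispatcher("/WEB-INF/error.jsp").forward(req, resp);
        }
    }

    // Hypothetical business logic; the point is that anything it throws is handled above.
    private void handle(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        int orderId = Integer.parseInt(req.getParameter("id")); // NumberFormatException on bad input
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("order " + orderId);
    }
}
```

Two details matter here. The isCommitted() check is what makes the forward safe: once the buffer has been flushed to the client the container throws IllegalStateException on forward, which would put you right back in the error path you are trying to avoid. And catching Throwable rather than Exception also catches Errors such as OutOfMemoryError; logging may itself fail in that state, but rethrowing would hand the exception to the container's default error page, which is the leak Fortify is warning about.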
Esteban Herrera
Ranch Hand

Joined: Dec 25, 2004
Posts: 41

Richard is right. You should catch all your possible business exceptions and deal with them in the best way possible (maybe redirecting to an error page). For the runtime or unknown exceptions, you can catch them in an aspect that will be applied to all your classes instead of handling this in each class of your app. You can do this with AspectJ or Spring.

Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 63852

Actually, best practices are that servlets should not capture exceptions individually -- rather, an error handler can be established in the deployment descriptor that handles exceptions in a consistent manner.

Why cut and paste the same code into each and every servlet when a better mechanism exists?

I agree. Here's the link: