JavaRanch » Java Forums » Java » Servlets
help needed in fixing security issue ?

gurpeet singh
Ranch Hand

Joined: Apr 04, 2012
Posts: 924

A security reporting tool, Fortify, gave the following report about the security bugs in our code.

Abstract:
If a Servlet fails to catch all exceptions, it might reveal debugging information that will help an adversary form a plan of attack.

All top-level Servlet methods should catch Throwable, thereby minimizing the chance that the Servlet's error response mechanism is invoked.

But isn't catching everything a bad programming style?
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1037

As a general rule yes but in this case if you don't catch everything then there is a good chance that the exception stack trace will be sent as the Servlet response (used to happen in Tomcat years ago but I don't know about the latest Tomcat) which could be classed as a security issue. If you catch everything then your exception handler should log the problem and forward the Servlet to some suitable error page. This way you give nothing away to the user other than to inform him there was a problem.

Note - you are not ignoring the exception ( that would be bad) but you are handling it in a positive constructive manner.
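One way to write the handler Richard describes, as an added example that is not code from the thread: the full stack trace goes to the server log under a random incident id, the client sees only a neutral page carrying that id, and the servlet checks whether the response is already committed before trying to forward. The class name, the orderId parameter and the error page path are assumptions made for the example.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet illustrating "catch everything, log it, show a neutral page".
 * The class name, the orderId parameter and ERROR_PAGE are made up for this example.
 */
public class OrderLookupServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(OrderLookupServlet.class.getName());
    private static final String ERROR_PAGE = "/WEB-INF/jsp/error.jsp"; // assumed path

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            // Untrusted input: a missing or non-numeric orderId makes parseInt throw a
            // NumberFormatException whose message echoes the raw input. Left uncaught,
            // the container's default error page may print that message and the trace.
            int orderId = Integer.parseInt(request.getParameter("orderId"));
            response.setContentType("text/plain");
            response.getWriter().println("Order " + orderId + " found");
        } catch (Throwable t) {
            handleFailure(t, request, response);
        }
    }

    /**
     * Keeps the stack trace on the server and gives the client only an opaque incident id.
     * Catching Throwable also catches Errors such as OutOfMemoryError, so this method does
     * as little as possible: one log call and one forward.
     */
    private void handleFailure(Throwable t, HttpServletRequest request,
                               HttpServletResponse response)
            throws ServletException, IOException {
        String incidentId = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "Unhandled " + t.getClass().getName()
                + " in " + getServletName() + ", incident " + incidentId, t);

        if (response.isCommitted()) {
            // Part of the response already reached the client; reset() and forward()
            // would throw IllegalStateException. Nothing more can be sent safely.
            return;
        }
        response.reset();
        response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        // The error JSP prints only incidentId, never t.getMessage() or the trace.
        request.setAttribute("incidentId", incidentId);
        request.getRequestDispatcher(ERROR_PAGE).forward(request, response);
    }
}
```

The incident id is what a user quotes to support and what an operator greps for in the log; the two never need to share the exception text. Putting the error JSP under WEB-INF keeps it from being requested directly, and the JSP itself should do nothing that can throw, because an exception inside the error page falls back to the container's default report.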
Esteban Herrera

Joined: Dec 25, 2004
Posts: 21

Richard is right. You should catch all your possible business exceptions and deal with them in the best way possible (maybe redirecting to an error page). For the runtime or unknown exceptions you can catch them in an aspect that will be applied to all your classes instead of handling this in each class of your app. You can do this with AspectJ or Spring.
Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 60822

Actually, best practices are that servlets should not capture exceptions individually -- rather, an error handler can be established in the deployment descriptor that handles exceptions in a consistent manner.

Why cut and paste the same code into each and every servlet when a better mechanism exists?

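The deployment-descriptor approach Bear refers to, as an added example rather than code from the thread: a single error-handling servlet that the container dispatches to for every uncaught Throwable and every 500, reading the standard javax.servlet.error.* request attributes, logging the detail server-side and returning a generic page. The servlet class, the /error mapping and the web.xml fragment in the leading comment are assumptions made for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Hypothetical web.xml fragment (names are made up) routing every uncaught
 * Throwable and every 500 to one handler, so no servlet needs its own try/catch:
 *
 *   <servlet>
 *     <servlet-name>errorHandler</servlet-name>
 *     <servlet-class>com.example.ErrorHandlerServlet</servlet-class>
 *   </servlet>
 *   <servlet-mapping>
 *     <servlet-name>errorHandler</servlet-name>
 *     <url-pattern>/error</url-pattern>
 *   </servlet-mapping>
 *   <error-page>
 *     <exception-type>java.lang.Throwable</exception-type>
 *     <location>/error</location>
 *   </error-page>
 *   <error-page>
 *     <error-code>500</error-code>
 *     <location>/error</location>
 *   </error-page>
 */
public class ErrorHandlerServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(ErrorHandlerServlet.class.getName());

    // service() rather than doGet(): the container re-dispatches with the original
    // HTTP method, so a failed POST arrives here as a POST.
    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Standard attributes the container sets on an error dispatch. They are null
        // if someone requests /error directly; the handler still answers harmlessly.
        Throwable cause = (Throwable) request.getAttribute("javax.servlet.error.exception");
        Integer status = (Integer) request.getAttribute("javax.servlet.error.status_code");
        String uri = (String) request.getAttribute("javax.servlet.error.request_uri");
        String servlet = (String) request.getAttribute("javax.servlet.error.servlet_name");

        // Exception type, message, trace, failing servlet and URI go to the server log only.
        String incidentId = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "incident=" + incidentId + " status=" + status
                + " servlet=" + servlet + " uri=" + uri, cause);

        // Nothing below is derived from the exception or from request input; the incident
        // id is a UUID, so it can be written into HTML without escaping.
        response.setStatus(status != null ? status : HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        response.setContentType("text/html;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store");
        PrintWriter out = response.getWriter();
        out.println("<!DOCTYPE html><html><head><title>Error</title></head><body>");
        out.println("<h1>Something went wrong</h1>");
        out.println("<p>Please try again later. If the problem persists, quote incident "
                + incidentId + " to support.</p>");
        out.println("</body></html>");
    }
}
```

Two caveats a practitioner should keep in mind. First, the container can only dispatch to an error page if the response is not yet committed; an exception thrown after output has been flushed cannot be turned into a clean page by either mechanism, so buffer responses and write late. Second, verify the result rather than assuming it: request a URL that provokes an exception and confirm the body contains no class names, messages or "at ..." frames. On Tomcat, the ErrorReportValve's showReport and showServerInfo attributes control whether the default report includes the stack trace and server version, so check those on the deployment as well as the web.xml.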