A security reporting tool, Fortify, gave the following report about the security bugs in our code:

"If a Servlet fails to catch all exceptions, it might reveal debugging information that will help an adversary form a plan of attack. All top-level Servlet methods should catch Throwable, thereby minimizing the chance that the Servlet's error response mechanism is invoked."

But isn't catching everything a bad programming style?
As a general rule yes but in this case if you don't catch everything then there is a good chance that the exception stack trace will be sent as the Servlet response (used to happen in Tomcat years ago but I don't know about the latest Tomcat) which could be classed as a security issue. If you catch everything then your exception handler should log the problem and forward the Servlet to some suitable error page. This way you give nothing away to the user other than to inform him there was a problem.
Note: you are not ignoring the exception (that would be bad); you are handling it in a positive, constructive manner.
Richard is right. You should catch all your possible business exceptions and deal with them in the best way possible (maybe redirecting to an error page). For the runtime or unknown exceptions, you can catch them in an aspect that will be applied to all your classes instead of handling this in each class of your app. You can do this with AspectJ or Spring.
Actually, best practices are that servlets should not capture exceptions individually -- rather, an error handler can be established in the deployment descriptor that handles exceptions in a consistent manner.
Why cut and paste the same code into each and every servlet when a better mechanism exists?
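As an added example (not code from any of the posters), here is one way to get both what Richard describes (catch everything, log it server-side, show the user only a neutral page) and the "do it once for every servlet" point of the last reply: a single servlet Filter, with the equivalent web.xml error-page entry shown in the trailing comment. It assumes the javax.servlet 3.x API and an error page of your own at /WEB-INF/error.jsp.

```java
// Added example: one catch-all Filter mapped to every servlet, so no servlet
// has to repeat its own try/catch(Throwable). Assumes /WEB-INF/error.jsp exists.
package example;

import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/*")
public class CatchAllFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(CatchAllFilter.class.getName());

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res); // run the real servlet
        } catch (Throwable t) {
            // Full stack trace goes to the server log, where only operators see it.
            LOG.log(Level.SEVERE, "Unhandled error serving "
                    + ((HttpServletRequest) req).getRequestURI(), t);
            if (res.isCommitted()) {
                // Body already sent: we cannot replace it, so let the container finish.
                throw (t instanceof ServletException) ? (ServletException) t
                                                      : new ServletException(t);
            }
            // Otherwise discard whatever was buffered and show a generic page;
            // the exception text never reaches the browser.
            res.reset();
            ((HttpServletResponse) res).setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            req.getRequestDispatcher("/WEB-INF/error.jsp").forward(req, res);
        }
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
// Declarative alternative (the deployment-descriptor approach), in web.xml:
//   <error-page>
//     <exception-type>java.lang.Throwable</exception-type>
//     <location>/WEB-INF/error.jsp</location>
//   </error-page>
```

Whichever you pick, keep error.jsp free of the javax.servlet.error.* attributes (exception, message, stack trace); those are for your log, not the page.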