EJBCA issue ECA-4394

Do not output stack traces via web pages to user

Details

Issue discovered during: Customer

Description

Currently, whenever we get some kind of internal server error, a default JBoss 500 page will be shown to the user, which includes a full stack trace.

This can be considered a security vulnerability by some, since it leaks implementation details about what went wrong.

It would be better if instead the user were landed on a custom page informing him/her that an internal error occurred, and pointing him/her to the administrator of the EJBCA instance.

After doing some searching around, it seems that the common practice to do away with this is to define custom error pages in web.xml (search for the error-page tag).

Additional notes:
We could also have some other custom pages for errors, like 400, 404 etc. If I understood it right, the only small issue might be that the error pages and settings would need to be present in every single war/web.xml. But the build script could take care of deduplication somehow.

As an additional feature, perhaps this behaviour could be configurable (for printing stack traces); we already have an option in web.properties for this that could be reused/propagated for these custom error pages.
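The following is an added illustration of the approach the issue describes, not code from the EJBCA project: a single servlet that every `<error-page>` entry in web.xml routes to, which logs the full exception server-side under a random reference id and returns only a generic message to the client. The web.xml fragment, the class and package names, and the `printStackTraces` init-param (standing in for whatever web.properties option would be propagated) are all assumptions made for the example.

```java
// Added example (not EJBCA project code): generic error page servlet that keeps
// stack traces out of HTTP responses while still recording them server-side.
//
// Assumed web.xml fragment routing container errors to it (one copy per war):
//
//   <servlet>
//     <servlet-name>ErrorPage</servlet-name>
//     <servlet-class>org.example.ErrorPageServlet</servlet-class>
//     <init-param>
//       <param-name>printStackTraces</param-name>   <!-- assumed name -->
//       <param-value>false</param-value>
//     </init-param>
//   </servlet>
//   <servlet-mapping>
//     <servlet-name>ErrorPage</servlet-name>
//     <url-pattern>/error</url-pattern>
//   </servlet-mapping>
//   <error-page><error-code>400</error-code><location>/error</location></error-page>
//   <error-page><error-code>404</error-code><location>/error</location></error-page>
//   <error-page><error-code>500</error-code><location>/error</location></error-page>
//   <error-page><exception-type>java.lang.Throwable</exception-type><location>/error</location></error-page>

package org.example;

import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ErrorPageServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(ErrorPageServlet.class.getName());

    // Debug switch; off by default so production never echoes traces to clients.
    private boolean printStackTraces;

    @Override
    public void init() {
        printStackTraces = Boolean.parseBoolean(getInitParameter("printStackTraces"));
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Attributes the Servlet spec requires the container to set before
        // forwarding to an <error-page> target.
        Integer status = (Integer) req.getAttribute("javax.servlet.error.status_code");
        Throwable cause = (Throwable) req.getAttribute("javax.servlet.error.exception");
        String uri = (String) req.getAttribute("javax.servlet.error.request_uri");
        int code = status != null ? status : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;

        // Reference id lets the administrator locate the full trace in the
        // server log; the client only ever sees the id, never the trace.
        String ref = UUID.randomUUID().toString();
        if (cause != null) {
            LOG.log(Level.SEVERE, "Unhandled error " + ref + " while serving " + uri, cause);
        } else {
            LOG.log(Level.WARNING, "HTTP " + code + " (" + ref + ") while serving " + uri);
        }

        resp.setStatus(code);
        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        out.println("<h1>" + messageFor(code) + "</h1>");
        out.println("<p>Please contact the administrator of this EJBCA instance and quote reference "
                + ref + ".</p>");
        if (printStackTraces && cause != null) {
            // Explicit opt-in only; HTML-escape so the trace cannot inject markup.
            StringWriter trace = new StringWriter();
            cause.printStackTrace(new PrintWriter(trace));
            out.println("<pre>" + escapeHtml(trace.toString()) + "</pre>");
        }
        out.println("</body></html>");
    }

    // Fixed, non-revealing text per status class; nothing from the request is echoed.
    static String messageFor(int code) {
        switch (code) {
            case HttpServletResponse.SC_BAD_REQUEST: return "Bad request";
            case HttpServletResponse.SC_FORBIDDEN:   return "Access denied";
            case HttpServletResponse.SC_NOT_FOUND:   return "Page not found";
            default:                                 return "An internal error occurred";
        }
    }

    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }
}
```

Note that the request URI is written only to the log, not to the page, so a crafted path in the failing request cannot turn the error page into a reflected-XSS vector; a `<error-code>` mapping for 500 and an `<exception-type>` mapping for `java.lang.Throwable` are both needed, since the container consults the exception-type table first for uncaught exceptions and the error-code table for `sendError(500)`.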


People

Assignee: Unassigned
Reporter: Branko Majic (Inactive)
Votes: 0
Watchers: 3
