Customizing Exception Stacktrace In HTTP Response (Doc ID 1534693.1)

Last updated on JUNE 29, 2017

Applies to:

Oracle WebCenter Portal - Version 11.1.1.6.0 to 11.1.1.6.5 [Release 11g]
Information in this document applies to any platform.

Symptoms

Using WSRP portlets:

When the resource proxy is called with an expired handle, the exception stack trace is returned in the HTTP response.

The request here is to handle the exception and include a generic error message instead of a stacktrace.
This may include intercepting the HTTP response.

There is the Interceptor Framework (http://docs.oracle.com/cd/E13218_01/wlp/docs102/federation/Chap-Interceptors.html),
which appears to allow modifying the HTTP response through the postInvoke() method, but this framework no longer seems to be supported.

Endpoint example:

/FOPortalApplication-FOPortalUI-context-root/resourceproxy/k-4223f8684da9f3f1805efb986ef4512a9e6a689f/containerview

Exception that is returned in the HTTP response:

oracle.portlet.wsrp.WSRPRemoteException: java.rmi.RemoteException: ; nested HTTP transport error: java.net.SocketTimeoutException: Read timed out
<!--
oracle.portlet.client.container.PortletTimeoutException: oracle.portlet.wsrp.HTTP transport error: java.net.SocketTimeoutException: Read timed out
...

 
Steps to reproduce the issue:

1) Deploy the application.
2) Assuming the deployment is to a local server, go to this link: localhost:7101/portal-ViewController-context-root/faces/untitled1.jspx
3) Try modifying the link from one of the requests sent to the portlet (we use FireBug for this), for example change the portletID -

A Java.net.MalformedException is shown in the HTTP response. This happens with any exception raised on the portlet side, e.g. PortletTimeoutException.

Attached is a .swf Flash video file that shows how the two applications can be deployed using JDeveloper, and how the exception can then be reproduced in the browser.

The browser used is Mozilla Firefox with the FireBug plugin.

However, a user can modify the URL to obtain information about the technologies used in the application. This is a potential threat.

This is why the goal is to handle the exceptions that resourceproxy throws and not send the full stack trace to the browser.
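
One way to intercept the response as described above, shown as an added example (not Oracle's fix and not code from this document): a servlet filter that buffers the resource proxy response and replaces it with a generic message when the proxy throws or when the body contains exception text, including text inside an HTML comment. The class name StackTraceMaskingFilter is hypothetical, and the code assumes the Servlet 2.5 javax.servlet API and that requests to /resourceproxy/* pass through the application's filter chain.

```java
import java.io.*;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, hypothetical class: map it to /resourceproxy/* in web.xml.
public class StackTraceMaskingFilter implements Filter {
    // Heuristic: fully qualified exception class names or "at pkg.Class.method(" frames.
    static final Pattern LEAK = Pattern.compile(
        "(?m)\\b(?:[a-z_][\\w$]*\\.)+[A-Z][\\w$]*(?:Exception|Error)\\b|^\\s*at\\s+[\\w$.]+\\(");
    private ServletContext ctx;
    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException {
        HttpServletResponse http = (HttpServletResponse) res;
        final ByteArrayOutputStream buf = new ByteArrayOutputStream();
        final ServletOutputStream out = new ServletOutputStream() {
            public void write(int b) { buf.write(b); }
        };
        final PrintWriter[] writer = new PrintWriter[1];
        HttpServletResponseWrapper wrapped = new HttpServletResponseWrapper(http) {
            public ServletOutputStream getOutputStream() { return out; }
            public PrintWriter getWriter() throws IOException {
                if (writer[0] == null) writer[0] = new PrintWriter(
                        new OutputStreamWriter(buf, getCharacterEncoding()));
                return writer[0];
            }
            public void flushBuffer() { } // stay uncommitted until the body is inspected
        };
        boolean failed = false;
        try {
            chain.doFilter(req, wrapped);
        } catch (Exception e) {
            failed = true;
            ctx.log("resource proxy request failed", e); // detail goes to the server log only
        }
        if (writer[0] != null) writer[0].flush();
        if (http.isCommitted()) return; // e.g. sendError() already produced the container's error page
        String body = buf.toString("ISO-8859-1"); // byte-preserving decode, used only for scanning
        if (failed || LEAK.matcher(body).find()) {
            http.reset(); // drop status and headers set by the proxy
            http.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            http.setContentType("text/plain; charset=UTF-8");
            http.getWriter().write("The requested resource is currently unavailable.");
        } else {
            http.getOutputStream().write(buf.toByteArray());
        }
    }
}
```

Because the whole body is held in memory and matched heuristically, restrict the filter mapping to the resource proxy path and check it against legitimate resources that may contain class names.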

Cause
