Customizing Exception Stacktrace In HTTP Response
(Doc ID 1534693.1)
Last updated on JUNE 29, 2017
Applies to: Oracle WebCenter Portal - Version 22.214.171.124.0 to 126.96.36.199.5 [Release 11g]
Information in this document applies to any platform.
Using WSRP portlets:
When the resource proxy is called with an expired handle, the exception stack trace is returned in the HTTP response.
The request is to handle the exception and return a generic error message instead of a stack trace.
This may include intercepting the HTTP response.
There is the Interceptor Framework (http://docs.oracle.com/cd/E13218_01/wlp/docs102/federation/Chap-Interceptors.html),
which seems to allow modifying the HTTP response using the postInvoke() method, but this framework no longer seems to be supported.
Exception that is returned in the HTTP response:
oracle.portlet.wsrp.WSRPRemoteException: java.rmi.RemoteException: ; nested HTTP transport error: java.net.SocketTimeoutException: Read timed out
oracle.portlet.client.container.PortletTimeoutException: oracle.portlet.wsrp.HTTP transport error: java.net.SocketTimeoutException: Read timed out
Steps to reproduce the issue:
1) Deploy the application.
2) Assuming the deployment is to a local server, go to this link: localhost:7101/portal-ViewController-context-root/faces/untitled1.jspx
3) Modify the link of one of the requests sent to the portlet (we use FireBug for this), for example change the portletID.
A Java.net.MalformedException is shown in the HTTP response. This happens with any exception raised on the portlet side, e.g. PortletTimeoutException.
Attached is a .swf Flash video file that shows how the two applications can be deployed using JDeveloper, and how the exception can then be reproduced in the browser.
The browser used is Mozilla Firefox with the FireBug plugin.
However, a user can modify the URL to obtain information about the technologies used in the application. This is a potential threat.
The goal is therefore to handle the exceptions that resourceproxy throws and not send the full stack trace to the browser.