- Defect
- Resolution: Won't Do
- Major
- 1.0.0-M2
- None
Stack traces can still be displayed through the user interface. The application should not return stack traces to users; suppressing them is a security measure, because a stack trace gives an attacker information about how a vulnerability in the site may be attacked.
This was an important security violation we received on the previous system from the ORNL security scan.
Currently our global exception handling is dispatched through the Spring mechanism. This should be replaced by a top-level web filter that catches every exception coming out of our application. That will handle all application-generated messages; however, Tomcat-generated exceptions may still be visible, which may be handled by overriding Tomcat's default error pages. For more information see: NATHAN LINK TO THE PAGE OVERRIDE ISSUE
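One way to implement the top-level filter proposed above, as an added example that is not code from this issue or from the project: a servlet Filter mapped to /* that catches anything escaping the application (including exceptions Spring's handlers did not map), logs the full trace server-side under a correlation id, and sends the client only a generic message. The class name ExceptionMaskingFilter and the use of SLF4J for logging are assumptions.

```java
import java.io.IOException;
import java.util.UUID;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Outermost filter (hypothetical name). Anything that escapes the application
 * is logged with a correlation id and answered with a generic body, so the
 * stack trace itself never reaches the response.
 */
public class ExceptionMaskingFilter implements Filter {

    private static final Logger LOG = LoggerFactory.getLogger(ExceptionMaskingFilter.class);

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } catch (Throwable t) {
            String errorId = UUID.randomUUID().toString();
            // Full detail stays in the server log, keyed by the id shown to the user.
            LOG.error("Unhandled exception, errorId={}", errorId, t);
            HttpServletResponse resp = (HttpServletResponse) res;
            if (resp.isCommitted()) {
                // Headers/body already went out; nothing safe can be rewritten.
                return;
            }
            resp.reset();
            resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            resp.setContentType("text/plain;charset=UTF-8");
            resp.getWriter().write("An internal error occurred. Reference: " + errorId);
        }
    }

    @Override
    public void destroy() { }
}
```

Map it first in web.xml with url-pattern /* so it wraps every other filter and servlet; exceptions raised by Tomcat itself before the filter chain runs still need the separate error-page override mentioned above.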