Description
Currently the StrutsPortlet always renders the full stack trace into the portlet when an error occurs. This may be critical concerning security issues.
With the supplied patch the error message can be loaded via resource bundle (per portlet). The message can contain placeholders which will be replaced by specific error data.
Example:
- specify portlet resources in portlet xml:
<resource-bundle>JPetstorePortletResources</resource-bundle>
- specify error message inside bundle:
<code>
# Message to be rendered in HTML when unhandled ERROR in StrutsPortlet occurred (exception).
# {ErrorCode} = will be replaced by StrutsPortletErrorContext.getErrorCode (blank if not set)
# {ErrorMessage} = will be replaced by StrutsPortletErrorContext.getErrorMessage (blank if not set)
# {Exception.Message} = will be replaced by StrutsPortletErrorContext.getError.getMessage -> e.g. when ServletException (blank if not set)
# {Exception.Class.Name} = will be replaced by StrutsPortletErrorContext.getError.getClass.getName -> e.g. when ServletException (blank if not set)
# {Exception.StackTrace} = will be replaced by StrutsPortletErrorContext.getError.getStackTrace -> e.g. when ServletException (blank if not set)
# former default in code (a trailing backslash continues the value on the next line):
strutsportlet.error.output=<hr/><h2>Error</h2><table border='1'>\
<tr><td valign='top'><b>Error Code</b></td><td>{ErrorCode}</td></tr>\
<tr><td valign='top'><b>Error Message</b></td><td>{ErrorMessage}</td></tr>\
<tr><td valign='top'><b>Error</b></td><td>{Exception.Message}</td></tr>\
<tr><td valign='top'><b>Error Type</b></td><td>{Exception.Class.Name}</td></tr>\
<tr><td valign='top'><b>Stacktrace</b></td><td>{Exception.StackTrace}</td></tr></table>
</code>
If no bundle or message is specified, the patch reduces the default output to "Error" without rendering specific error data (stack trace ...).
CAUTION: The bundle is only supplied for the JPETSTORE Portlet. All other Struts portlets output only "Error" when rendering an error. This behavior can be changed in StrutsPortlet.java (commented).
The default configuration in the bundle supplied is to output the error information as it was before.
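
The placeholder substitution and the "Error" fallback described above, as an added example that is not the supplied patch or any code from the project. The class name ErrorOutputRenderer, the placeholder regex, the HTML escaping of substituted values and the single-pass replacement are assumptions of this sketch; only the placeholder names and the fallback text come from the description.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper (not the patch's code): fills the placeholders of
// strutsportlet.error.output in one pass and HTML-escapes every value.
public class ErrorOutputRenderer {
    static final String SAFE_DEFAULT = "Error"; // fallback when no bundle/message is set
    static final Pattern PLACEHOLDER = Pattern.compile("\\{([A-Za-z.]+)\\}");

    static String escapeHtml(String s) {
        if (s == null) return ""; // "blank if not set"
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    static String stackTrace(Throwable t) {
        StringWriter sw = new StringWriter();
        t.printStackTrace(new PrintWriter(sw, true));
        return sw.toString();
    }

    // template: value read from the portlet's resource bundle, or null if absent
    static String render(String template, String code, String message, Throwable error) {
        if (template == null || template.trim().isEmpty()) return SAFE_DEFAULT;
        Map<String, String> values = new HashMap<String, String>();
        values.put("ErrorCode", code);
        values.put("ErrorMessage", message);
        values.put("Exception.Message", error == null ? null : error.getMessage());
        values.put("Exception.Class.Name", error == null ? null : error.getClass().getName());
        values.put("Exception.StackTrace", error == null ? null : stackTrace(error));
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            // Single pass: text inside a substituted value is never re-scanned, so an
            // exception message containing "{Exception.StackTrace}" stays literal.
            String key = m.group(1);
            String repl = values.containsKey(key) ? escapeHtml(values.get(key)) : m.group();
            m.appendReplacement(out, Matcher.quoteReplacement(repl));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample exception whose message carries markup and a placeholder name.
        Throwable e = new IllegalStateException("bad input <b>x</b> {Exception.StackTrace}");
        System.out.println(render("<p>Code {ErrorCode}: {Exception.Message}</p>", "500", null, e));
        System.out.println(render(null, "500", null, e)); // no bundle entry configured
    }
}
```

Escaping matters here because exception messages often echo request data, and the bundle value is written into the portlet markup as HTML.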