[NXP-23861] Raising an exception while using REST shows the whole stack trace - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 8.10, 9.2
Fix Version/s: 8.10-HF25, 9.10-HF02, 10.1
Component/s: Rest API, WebEngine

Release Notes Summary:
Stack trace information is excluded from the REST API response body by default when there is an exception.
Tags:
- SupCom
- nxfit
Backlog priority:
500
Upgrade notes:
Hide

Nuxeo version >= 10.1

By default, the exception stack trace is not written in the returned response when using the REST API. If you want to have it back, you need to set the nuxeo.conf parameter org.nuxeo.rest.stack.enable to true.
See https://doc.nuxeo.com/nxdoc/error-handling/ for more information.

Nuxeo version < 10.1

The exception stack trace is still written if the media type is application/json+nxentity but it can be disabled for security reason with the nuxeo.rest.write.exception.stack.trace configuration parameter, which is set to true by default.

To disable it:

<extension target="org.nuxeo.runtime.ConfigurationService" point="configuration"> <property name="nuxeo.rest.write.exception.stack.trace">false</property> </extension>
Show
Nuxeo version >= 10.1 By default, the exception stack trace is not written in the returned response when using the REST API. If you want to have it back, you need to set the nuxeo.conf parameter org.nuxeo.rest.stack.enable to true . See https://doc.nuxeo.com/nxdoc/error-handling/ for more information. Nuxeo version < 10.1 The exception stack trace is still written if the media type is application/json+nxentity but it can be disabled for security reason with the nuxeo.rest.write.exception.stack.trace configuration parameter, which is set to true by default. To disable it: <extension target= "org.nuxeo.runtime.ConfigurationService" point= "configuration" > <property name= "nuxeo. rest .write.exception.stack.trace" > false </property> </extension>
Sprint:
nxfit 10.1.5
Story Points:
3

Description

Install Nuxeo 8.10
Install ffischer-8-rest-test.zip package
copy jar file event-test-project-core-1.0-SNAPSHOT.jar
Start server
create a document of type myDoc
retrieve its id by exporting it as XML for example

try to modify it through rest:

curl -u Administrator:Administrator -H "Content-Type: application/json" -X PUT http://localhost:8080/nuxeo/api/v1/id/beed4b9d-611e-4e0d-b46a-ac3fe5afc53a -d '{
        "entity-type": "document",
        "repository": "default",
        "uid": "4fe2843b-298c-42dd-bc32-4180ee521761",
        "properties": {
            "dc:title": "The new title",
            "dc:description": "Attempt to update through REST API"
        }
    }'

this returns the full stack of the exception
setting the parameter org.nuxeo.rest.stack.enable to false does not change the behavior
the same could be observed in a unit test by trying the JsonFactoryManager.toggleStackDisplay method

After checking with dev in a debug session, this is due to the following code in JsonWebengineWriter:

if (jsonFactoryManager.isStackDisplay()
                || MediaType.valueOf(MediaType.APPLICATION_JSON + "+nxentity").equals(mediaType)) {

When raising the exception, at some point the type is changed from application/json to application/nx+entity thus falsing the above condition.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

event-test-project-core-1.0-SNAPSHOT.jar
4 kB
2017-12-06 11:32
ffischer-8-rest-test.zip
9 kB
2017-12-06 11:32

Issue Links

duplicates

NXP-23934 Do not send the whole exception stack trace by default

Open

Activity

People

Assignee:

Thomas Roger

Reporter:

Frantz Fischer

Participants:

Frantz Fischer, Jenkins, Thomas Roger

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

2017-12-06 11:31

Updated:

2018-03-06 14:57

Resolved:

2018-02-19 11:17

Time Tracking

Estimated:

Remaining:

Logged: