[cvs] expresso commit by rimovm: -Fixed Security Error it JSP Error
Pages
JCorporate Ltd
jcorp at jcorporate.com
Tue Mar 15 16:03:29 UTC 2005
Log Message:
-----------
-Fixed Security Error in JSP Error Pages
-Dynamic Stylesheet switching for other error pages.
-New <expresso:exception/> tag to print exceptions on error pages.
Modified Files:
--------------
expresso/expresso-web/WEB-INF/tld:
expresso.tld
expresso/expresso-web/expresso/doc:
ChangeLog.xml
expresso/expresso-web/expresso:
error.jsp
expresso/expresso-web/expresso/jsp:
showerror.jsp
Revision Data
-------------
Index: expresso.tld
===================================================================
RCS file: /home/javacorp/.cvs/expresso/expresso/expresso-web/WEB-INF/tld/expresso.tld,v
retrieving revision 1.31
retrieving revision 1.32
diff -Lexpresso-web/WEB-INF/tld/expresso.tld -Lexpresso-web/WEB-INF/tld/expresso.tld -u -r1.31 -r1.32
--- expresso-web/WEB-INF/tld/expresso.tld
+++ expresso-web/WEB-INF/tld/expresso.tld
@@ -1,4 +1,5 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
+<!-- edited with XMLSpy v2005 sp2 U (http://www.altova.com) by Michael Rimov (Centerline Computers) -->
<!DOCTYPE taglib PUBLIC "-//Sun Microsystems, Inc.//DTD JSP Tag Library 1.1//EN"
"http://java.sun.com/j2ee/dtds/web-jsptaglibrary_1_1.dtd">
<taglib>
@@ -76,7 +77,6 @@
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
-
<attribute>
<name>header</name>
<required>false</required>
@@ -752,5 +752,11 @@
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
+ </tag>
+ <tag>
+ <name>exception</name>
+ <tagclass>com.jcorporate.expresso.services.taglib.PrintExceptionTag</tagclass>
+ <bodycontent>empty</bodycontent>
+ <info>A tag to log exceptions and print stack trace to client JSP ONLY if it is so defined inside the Configuration File for the expresso context.</info>
</tag>
</taglib>
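Review bot: The new `exception` tag entry names `com.jcorporate.expresso.services.taglib.PrintExceptionTag`, but no Java source is listed under Modified Files in this commit mail, so neither the class's existence nor its behaviour when the configuration setting is missing or unreadable can be confirmed from here. If the class was committed separately this is fine; otherwise error.jsp will fail at translation time. The `<info>` text would also help maintainers more if it named the controlling setting and said what happens when it is absent, along the lines of `Logs the exception; prints the stack trace to the client only when SETTING_NAME is enabled in the Expresso context configuration, and prints nothing otherwise.` (SETTING_NAME is a placeholder, the real key is not shown on this page).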
Index: ChangeLog.xml
===================================================================
RCS file: /home/javacorp/.cvs/expresso/expresso/expresso-web/expresso/doc/ChangeLog.xml,v
retrieving revision 1.294
retrieving revision 1.295
diff -Lexpresso-web/expresso/doc/ChangeLog.xml -Lexpresso-web/expresso/doc/ChangeLog.xml -u -r1.294 -r1.295
--- expresso-web/expresso/doc/ChangeLog.xml
+++ expresso-web/expresso/doc/ChangeLog.xml
@@ -12,10 +12,18 @@
</explanation>
<contributor>Francesco Galli</contributor>
</new-feature>
+ <new-feature title="Dynamic Stylesheet selection in Error Pages">
+ <explanation>Error Pages not use stylesheet tag to allow dynamic stylesheet selection based on Setup table values.</explanation>
+ <contributor>Michael Rimov</contributor>
+ </new-feature>
<bug-fix title="JobQueue entries are now deleted when requesting user is deleted">
<explanation>When a user was deleted, their JobQueue entries were not. This is now fixed.
</explanation>
<contributor>Mike Traum</contributor>
+ </bug-fix>
+ <bug-fix title="Security Fix in JSP Error Page">
+ <explanation>JSP Error pages were printing stack traces whether stack trace was enabled or not. Added <expresso:exception/> tag to handle the logic behind whether to display or not.</explanation>
+ <contributor>Michael Rimov</contributor>
</bug-fix>
<misc-change title="Removed 'Self-Registered Users' link from Admin setup page">
<explanation>'Self-Registered Users' users was specific to a registration domain, so it has been
Index: error.jsp
===================================================================
RCS file: /home/javacorp/.cvs/expresso/expresso/expresso-web/expresso/error.jsp,v
retrieving revision 1.12
retrieving revision 1.13
diff -Lexpresso-web/expresso/error.jsp -Lexpresso-web/expresso/error.jsp -u -r1.12 -r1.13
--- expresso-web/expresso/error.jsp
+++ expresso-web/expresso/error.jsp
@@ -12,29 +12,6 @@
<%@ page import="org.apache.log4j.Logger" %>
<%@ page import="com.jcorporate.expresso.core.misc.StringUtil" %>
-
-<%
- try {
- Logger log = Logger.getLogger("com.jcorporate.expresso.jsp");
- FastStringBuffer fsb = new FastStringBuffer(256);
- fsb.append("JSP Page Exception: user requested '");
- fsb.append(StringUtil.notNull(request.getRequestURI()) );
- String queryString = StringUtil.notNull(request.getQueryString());
- if (queryString.length() > 0) {
- fsb.append("?");
- fsb.append(queryString);
- }
- fsb.append("'");
- if (exception != null) {
- log.error(fsb.toString(), exception);
- } else {
- log.error(fsb.toString());
- }
- } catch(Exception e) {
- System.err.println("Error attempting to form basic logging information: " + e.getMessage());
- }
-%>
-
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
@@ -43,28 +20,14 @@
<html:base/>
</head>
-<body bgcolor="white">
+<body class="jc-default">
-<P CLASS="jc-errorheader" ALIGN="center">
-Message to User</P>
-<p align="center">The function you requested did not complete - an error occurred on a JSP page.
+<p class="jc-errorheader" align="center">
+Message to User</p>
+<p>The function you requested did not complete - an error occurred on a JSP page.
Please report this error to your system administrator.</p>
-<li>You can examine the 'stack trace'
-(programmer information) below for more information about this problem. This stack trace has been logged.</li>
-
-<blockquote>
-<%
- if (exception != null) {
- ByteArrayOutputStream bos = new ByteArrayOutputStream();
- exception.printStackTrace(new PrintStream(bos));
- out.print(bos.toString());
- } else {
- out.print("<i>[No exception available in session]</i>");
- }
-
-%>
-</blockquote>
+<expresso:exception/>
</body>
</html>
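Review bot: Whether a stack trace reaches the browser now rests entirely on `<expresso:exception/>`, and nothing at the call site says so. I would add a JSP comment above the tag, `<%-- Logs the exception; renders the stack trace only when enabled in the Expresso context configuration (see PrintExceptionTag) --%>`. The scriptlet removed in the previous hunk also logged the request URI and query string with the exception; the tag class is not in this diff, so confirm that it still records that context, and that it HTML-escapes the trace when it does print it, which the old `out.print(bos.toString())` did not. The `Logger` and `StringUtil` page imports left as context in the previous hunk look unused now and can probably be dropped.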
Index: showerror.jsp
===================================================================
RCS file: /home/javacorp/.cvs/expresso/expresso/expresso-web/expresso/jsp/showerror.jsp,v
retrieving revision 1.14
retrieving revision 1.15
diff -Lexpresso-web/expresso/jsp/showerror.jsp -Lexpresso-web/expresso/jsp/showerror.jsp -u -r1.14 -r1.15
--- expresso-web/expresso/jsp/showerror.jsp
+++ expresso-web/expresso/jsp/showerror.jsp
@@ -10,7 +10,8 @@
<html:html locale="true">
<head>
<title>Error</title>
-<link rel="stylesheet" type="text/css" href="<expresso:Context/>/expresso/style/default.css">
+<expresso:stylesheet/>
+<%-- <link rel="stylesheet" type="text/css" href="<expresso:Context/>/expresso/style/default.css"> --%>
<html:base/>
</head>
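Review bot: The old `<link>` line is kept as a JSP comment beneath `<expresso:stylesheet/>`, which leaves dead markup in the page. CVS already holds revision 1.14, so it is better deleted than left for the next reader to wonder whether it is a fallback. If a hint is wanted, a short comment on what the tag does would serve better, e.g. `<%-- stylesheet selected from Setup table values --%>`.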
@@ -32,7 +33,7 @@
<P CLASS="jc-errorheader" ALIGN="center">
This function is reserved for authorized users only.</P>
-<p align="center">You were denied access to the function you just requested.
+<p align="center">You were denied access to the function you just requested.
Please review the information below carefully to find out why & what you can do about it.</p>
<logic:equal name="errorType" value="security">
@@ -40,7 +41,7 @@
<p><font color="red"><strong>You are not logged in.</strong></font> As this problem is security-related, this is
almost certainly the problem. You should <html:link page="/Login.do" title="Log In">
Log In</html:link> and try again. If you do not have a User Name and Password, you can
-still use the <html:link page="/Login.do" title="Log In">Log In page</html:link>
+still use the <html:link page="/Login.do" title="Log In">Log In page</html:link>
to Register as a new user.</p>
</logic:equal>
</logic:equal>
@@ -52,7 +53,7 @@
<logic:notEqual name="errorType" value="security">
<P CLASS="jc-errorheader" ALIGN="center">
Message to User</P>
-<p align="center">The function you requested did not complete. Please read
+<p align="center">The function you requested did not complete. Please read
the information below carefully to find out why & what you can do about it.</p>
@@ -69,10 +70,10 @@
<li>Permission was denied for the requested function.</li>
</logic:equal>
-<li>The Controller object called
+<li>The Controller object called
<strong>"<bean:write property="controllerClass"/>"</strong>
reported a problem.</li>
-<li>The problem reported was
+<li>The problem reported was
<strong>"<bean:write property="exceptionMessage"/>"
</strong></li>
@@ -81,7 +82,7 @@
</logic:notPresent>
<logic:present property="errorNumber">
-<li>This problem reported itself as error number
+<li>This problem reported itself as error number
<bean:write property="errorNumber"/></li>
</logic:present>
@@ -91,14 +92,14 @@
</logic:present>
<logic:present property="nestedMessage">
-<li>An additional message of "<strong><beans:write property="nestedMessage"/></strong>" was also reported.</li>
+<li>An additional message of "<strong><bean:write property="nestedMessage"/></strong>" was also reported.</li>
</logic:present>
</ol>
<logic:equal name="userName" value="NONE">
-<p>You are not logged in, and are using
+<p>You are not logged in, and are using
database/context '<strong><bean:write property="db"/></strong>'</p>
</logic:equal>
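Review bot: Correcting `beans:write` to `bean:write` means `nestedMessage` is now actually rendered to the client, where the mistyped prefix presumably left it as inert markup before. As far as the visible hunks show, this page prints it (and `exceptionMessage` in an earlier hunk) regardless of the stack-trace setting that `<expresso:exception/>` is meant to honour in error.jsp. Nested exception messages often carry internal detail such as SQL text or file paths, so this is the same kind of disclosure the commit closes elsewhere. Consider rendering the nested message only under the same configuration check and logging it server-side otherwise. The enclosing list starts outside this hunk, so how the other items are guarded is not visible here.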
@@ -121,9 +122,9 @@
<bean:define id="db" property="db" type="java.lang.String"/>
<logic:notEqual name="db" value="default">
-<li>You are working in the '<bean:write property="db"/>'
+<li>You are working in the '<bean:write property="db"/>'
<bean:write property="dbDescrip"/>
-database/context. If this is not the correct context for this function, you
+database/context. If this is not the correct context for this function, you
may need to <html:link page="/Login.do" title="Log In">Log In</html:link> to a
different context (perhaps the 'default' context) and try again.</li>
</logic:notEqual>