  • Default Error Translation Includes Exception Message for Internal Errors?

    Hi folks,

    Some of our server side code was in error and throwing exceptions. I noticed that Spring Security Oauth2 was sharing the message of the exception with our client via the error_description field. While the message of the exception is something that is very valuable for our trace logs, it is not something that we are necessarily comfortable sharing over our web service interface, especially from a security perspective.

    Here's an example:

    Code:
    {
        "error": "unauthorized",
        "error_description": "result returns more than one elements; nested exception is javax.persistence.NonUniqueResultException: result returns more than one elements"
    }
    In this case we have Spring Security's AuthenticationServiceException wrapping Spring's IncorrectResultSizeDataAccessException. If I look up AuthenticationServiceException, I see that it is "Thrown if an authentication request could not be processed due to a system problem".

    Spring Security Oauth2's DefaultWebResponseExceptionTranslator is sharing the message of AuthenticationServiceException (which is sharing the message of IncorrectResultSizeDataAccessException).

    My thinking is that the messages for exceptions from sources other than Spring Security or Spring Security Oauth2 should not be shared over the wire.

    What do you think?

    -Lee-
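    As an added example (not code from the original post, and not part of Spring Security OAuth2), here is one way to get the behaviour Lee proposes without touching the framework: wrap DefaultWebResponseExceptionTranslator and, when the message about to be sent in error_description came from an AuthenticationServiceException ("system problem"), from an exception outside the Spring Security packages, or from a server_error translation, log the real message and replace it with a generic one while keeping the OAuth2 error code. The class name, the generic text, and the package-prefix heuristic are this example's own assumptions; the OAuth2Exception.create(errorCode, message) factory and the WebResponseExceptionTranslator interface are used as they exist in spring-security-oauth2.

```java
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator;
import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;

/**
 * Decorates DefaultWebResponseExceptionTranslator so that messages of
 * internal (non Spring Security) exceptions never reach error_description.
 * Added example, not part of Spring Security OAuth2; the class name and the
 * heuristics below are assumptions made for illustration.
 */
public class SanitizingWebResponseExceptionTranslator implements WebResponseExceptionTranslator {

    private static final Log log = LogFactory.getLog(SanitizingWebResponseExceptionTranslator.class);

    // Hypothetical wording for the client-facing description.
    static final String GENERIC_MESSAGE = "The request could not be processed";

    private final WebResponseExceptionTranslator delegate = new DefaultWebResponseExceptionTranslator();

    @Override
    public ResponseEntity<OAuth2Exception> translate(Exception e) throws Exception {
        ResponseEntity<OAuth2Exception> response = delegate.translate(e);
        OAuth2Exception body = response.getBody();
        if (body == null || !leaksInternalMessage(e, body)) {
            return response; // message originated in Spring Security / OAuth2; pass through unchanged
        }
        // Keep the full detail (and stack) in our own logs, where it is valuable...
        log.warn("Suppressed internal exception detail from OAuth2 error response: " + body.getMessage(), e);
        // ...and send the client the same error code with a generic error_description.
        OAuth2Exception sanitized = OAuth2Exception.create(body.getOAuth2ErrorCode(), GENERIC_MESSAGE);
        return new ResponseEntity<OAuth2Exception>(sanitized, response.getHeaders(), response.getStatusCode());
    }

    /**
     * Decide whether the description about to be sent came from somewhere other
     * than Spring Security or Spring Security OAuth2. The default translator uses
     * the first OAuth2Exception in the cause chain if there is one, so those
     * messages are trusted; otherwise any "system problem" exception or any
     * exception from a foreign package in the chain marks the message as internal.
     */
    static boolean leaksInternalMessage(Throwable thrown, OAuth2Exception body) {
        for (Throwable t = thrown; t != null; t = t.getCause()) {
            if (t instanceof OAuth2Exception) {
                return false; // the framework's own message was used
            }
        }
        for (Throwable t = thrown; t != null; t = t.getCause()) {
            if (t instanceof AuthenticationServiceException) {
                return true; // Javadoc: "could not be processed due to a system problem"
            }
            // Package-prefix heuristic (assumption): e.g. javax.persistence.NonUniqueResultException
            if (!t.getClass().getName().startsWith("org.springframework.security.")) {
                return true;
            }
        }
        // Anything the default translator mapped to server_error is internal by definition.
        return "server_error".equals(body.getOAuth2ErrorCode());
    }
}
```

    With the AuthenticationServiceException from the post, the chain is AuthenticationServiceException -> IncorrectResultSizeDataAccessException -> NonUniqueResultException, so the client gets {"error":"unauthorized","error_description":"The request could not be processed"} while the NonUniqueResultException text stays in the server log; a plain BadCredentialsException still passes through with its own message. The translator is plugged in wherever the default one is configured, for example via the setExceptionTranslator setters on OAuth2AuthenticationEntryPoint / OAuth2AccessDeniedHandler and setProviderExceptionHandler on the TokenEndpoint.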

  • #2
    Sounds reasonable, and I'm certainly open to suggestion. With 1.1 in the pipeline now is a good time to propose or implement new features.
