By default, JasperReports Server displays stack traces in certain error messages. Stack traces reveal some information about the application, and security experts recommend that an application not display them.
The following setting determines what error messages are displayed:
Hiding Stack Trace Messages

Configuration File: .../WEB-INF/applicationContext-security.xml

| Property | Bean | Description |
| --- | --- | --- |
| outputControlMap | exceptionOutput | Set the roles in the list for each of the three levels of error details. Only users who have a given role will see that level of detail. See sample below. |
Error messages contain 3 parts: an ID, the stack trace, and a message. You can control which of these error message parts are displayed to users based on roles.
For example, in order for regular users to not see stack traces, remove ROLE_USER from the second list, resulting in the following configuration:
When configuring error messages, keep in mind the following:
• We recommend the configuration shown above, so that users see a descriptive error message.
• You can turn off any or all error message parts; however, when both STACKTRACE and MESSAGE are not displayed to a user, a generic message is output instead. The generic message text is defined as follows:
Generic Error Message

Configuration File: .../WEB-INF/bundles/jasperserver_messages*.properties

| Property | Value | Description |
| --- | --- | --- |
| generic.error.message | There was an error on the server. Try again or contact site administrators. <default> | If you modify this message, be sure to update the translation in all language files of the bundle. |
• If you do remove both STACKTRACE and MESSAGE for a given role, we recommend adding back ERROR_UID for that role. That way, the user will see the generic message and an ID that can be sent to administrators and correlated with events in the log file.
If you make any changes to the error message configuration or bundles, restart your application server or redeploy the JasperReports Server web app.
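The guidance above can be checked mechanically before a restart. The following Python script is an added example, not part of the JasperReports Server documentation: it reads the role lists for ERROR_UID, STACKTRACE and MESSAGE and reports roles that can see stack traces or that would get the generic message without an ID. The sample XML is constructed, and its entry/list/value layout and the ROLE_SUPERUSER entries are assumptions to compare against your own file.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The entry/list/value layout and the ROLE_SUPERUSER
# entries are assumptions; compare with your applicationContext-security.xml.
SAMPLE = """
<bean id="exceptionOutput">
  <property name="outputControlMap">
    <map>
      <entry key="ERROR_UID"><list><value>ROLE_SUPERUSER</value></list></entry>
      <entry key="STACKTRACE"><list><value>ROLE_SUPERUSER</value><value>ROLE_USER</value></list></entry>
      <entry key="MESSAGE"><list><value>ROLE_SUPERUSER</value><value>ROLE_USER</value></list></entry>
    </map>
  </property>
</bean>
"""

LEVELS = ("ERROR_UID", "STACKTRACE", "MESSAGE")


def local(tag):
    """Drop any XML namespace so prefixed and plain element names match."""
    return tag.rsplit("}", 1)[-1]


def read_output_control_map(xml_text):
    """Return {level: set of roles} for the three error-detail levels."""
    levels = {name: set() for name in LEVELS}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "entry" and el.get("key") in levels:
            levels[el.get("key")] = {
                v.text.strip() for v in el.iter()
                if local(v.tag) == "value" and v.text
            }
    return levels


def audit(levels, roles, no_trace=("ROLE_USER",)):
    """Apply this page's guidance to each role in `roles`."""
    findings = []
    for role in roles:
        sees = {lvl for lvl in LEVELS if role in levels[lvl]}
        if role in no_trace and "STACKTRACE" in sees:
            findings.append(f"{role} can see stack traces")
        if not sees & {"STACKTRACE", "MESSAGE"} and "ERROR_UID" not in sees:
            findings.append(f"{role} gets only the generic message, no ERROR_UID")
    return findings


if __name__ == "__main__":
    for line in audit(read_output_control_map(SAMPLE), ["ROLE_SUPERUSER", "ROLE_USER"]):
        print(line)
```

Pass the roles you want checked as the second argument to audit; a role that appears in none of the three lists is reported because its users would have no ID to send to administrators.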