  1. Policy Framework
  2. POLICY-522

PAP REST APIs undesired HTTP response body for 500 responses


    • Icon: Task Task
    • Resolution: Won't Do
    • Icon: Low Low
    • None
    • Amsterdam Release, Beijing Release, Casablanca Release
    • None
    • Policy Casablanca - 3

      REST API interfaces in PAP return HTML wrapped with exceptions generated by Tomcat that leak quite a bit of information about Tomcat: version, stack trace information, etc. This is usually flagged by security tools and frowned upon by the security community and REST API clients.

      It is suggested that the servlet code catch all exceptions and perhaps relay only the "error message" before returning control to the servlet engine middleware.

      This is an example of a leaked stack trace when the test interface is called, but this will apply to any exception generated while processing HTTP request invocations.

       HTTP Request:   GET http://pap:9091/pap/test

      HTTP Response:  500

      <!DOCTYPE html><html><head><title>Apache Tomcat/8.0.23 - Error report</title><style type=\"text/css\">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 500 - PE200 - System Error: PAP not initialized; unexpected error: javax.persistence.PersistenceException: Query failed trying to check if group default exists</h1><div class=\"line\"></div><p><b>type</b> Exception report</p><p><b>message</b> <u>PE200 - System Error: PAP not initialized; unexpected error: javax.persistence.PersistenceException: Query failed trying to check if group default exists</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b></p><pre>javax.servlet.ServletException: PE200 - System Error: PAP not initialized; unexpected error: javax.persistence.PersistenceException: Query failed trying to check if group default 
exists\n\torg.onap.policy.pap.xacml.rest.XACMLPapServlet.init(XACMLPapServlet.java:346)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/8.0.23 logs.</u></p><hr class=\"line\"><h3>Apache Tomcat/8.0.23</h3></body></html>
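
One way to apply the suggestion above, shown as an added example that is not PAP code or part of the original ticket: a servlet filter that catches exceptions raised during request processing, logs the full trace server-side under a correlation id, and returns a fixed JSON body. The class name `SanitizedErrorFilter`, the JSON field names and the use of `java.util.logging` are assumptions; the filter is assumed to be mapped to the REST paths in `web.xml`.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: name and response shape are assumptions, not PAP code.
public class SanitizedErrorFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(SanitizedErrorFilter.class.getName());

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException {
        HttpServletResponse http = (HttpServletResponse) res;
        try {
            chain.doFilter(req, res);
        } catch (Exception e) { // ServletException, IOException, RuntimeException
            // Full detail stays in the server log, keyed by an id the client can quote.
            String errorId = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "Unhandled exception, errorId=" + errorId, e);
            if (http.isCommitted()) {
                return; // headers already sent; the body can no longer be replaced
            }
            http.reset(); // drop any partially written body and headers
            // setStatus, not sendError: sendError would hand the response back
            // to the container's HTML error report.
            http.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            http.setContentType("application/json");
            http.setCharacterEncoding("UTF-8");
            // Fixed text only: the exception message is never echoed, since it
            // can itself carry class names such as the one in the trace above.
            http.getWriter().write(
                "{\"error\":\"Internal server error\",\"errorId\":\"" + errorId + "\"}");
        }
    }

    @Override
    public void destroy() { }
}
```

A filter only sees exceptions thrown once the filter chain is running; a failure in the servlet's `init()`, as in the trace above, is handled by the container before that point and needs an `<error-page>` mapping in `web.xml` to replace the default report.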

       

            mmokry mmokry
            jhh jhh