Bug 777741 (SOA-257)

Summary: JSP source code exposure in jmx-console in production setup
Product: [JBoss] JBoss Enterprise SOA Platform 4 Reporter: Marc Schoenefeld <mschoene>
Component: ConfigurationAssignee: Julian Coleman <jcoleman>
Status: CLOSED NEXTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: 4.2 Beta 1   
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: http://jira.jboss.org/jira/browse/SOA-257
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 777742 (view as bug list) Environment:
[mschoene@mschoene ~]$ uname -a Linux mschoene.csb 2.6.18-8.1.8.el5 #1 SMP Mon Jun 25 17:06:19 EDT 2007 i686 i686 i386 GNU/Linux [mschoene@mschoene ~]$ java -version java version "1.5.0_13" Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_13-b05) Java HotSpot(TM) Server VM (build 1.5.0_13-b05, mixed mode) 13:06:22,418 INFO [Server] Starting JBoss (MX MicroKernel)... 13:06:22,444 INFO [Server] Release ID: JBoss [EAP] 4.3.0.GA (build: SVNTag=JBPAPP_4_3_0_GA date=200712141443) 13:06:22,445 INFO [Server] Home Dir: /NotBackedUp/software/soabeta1/jboss-soa-p.4.2.0/jboss-as 13:06:22,445 INFO [Server] Home URL: file:/NotBackedUp/software/soabeta1/jboss-soa-p.4.2.0/jboss-as/ 13:06:22,446 INFO [Server] Patch URL: null 13:06:22,446 INFO [Server] Server Name: production
Last Closed: 2010-01-04 16:07:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Marc Schoenefeld 2008-01-02 14:33:06 UTC 
Complexity: Low
Date of First Response: 2008-01-03 13:33:29
Workaround Description: In SOA production setup use neutral error pages to displaying HTTP 404, 500 errors. 
project_key: SOA

The error page of the jmx-console spits out JSP source code, 
which is not desirable for the SOA production setup as exception 
messages could leak technical data to attackers.  Maybe a more 
general JBAPP problem. 

http://127.0.0.1:8080/jmx-console/DisplayOpResult

HTTP Status 500 -

type Exception report
message

description The server encountered an internal error () that prevented it from fulfilling this request.
exception
org.apache.jasper.JasperException: An exception occurred processing JSP page /displayOpResult.jsp at line 12

9: </head>
10: <body>
11: 
12: <jsp:useBean id='opResultInfo' type='org.jboss.jmx.adaptor.control.OpResultInfo' scope='request'/>
13: 
14: <table width="100%">
15:    <table>


Stacktrace:
	org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:518)
	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:411)
	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)

root cause

javax.servlet.ServletException: java.lang.InstantiationException: bean opResultInfo not found within scope
	org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:855)
	org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:784)
	org.apache.jsp.displayOpResult_jsp._jspService(displayOpResult_jsp.java:145)
	org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:387)
	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)

root cause

java.lang.InstantiationException: bean opResultInfo not found within scope
	org.apache.jsp.displayOpResult_jsp._jspService(displayOpResult_jsp.java:67)
	org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:387)
	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)

note The full stack trace of the root cause is available in the JBossWeb/2.0.0.GA_CP05 logs.
Comment 2 Mark Little 2008-01-07 23:48:02 UTC 
Yes, I agree. Can you move it, or create a linked issue in EAP Marc?
Comment 3 Mark Little 2008-02-26 23:15:24 UTC 
Marc, did you create an EAP issue for this?
Comment 5 Mark Little 2008-03-15 11:50:24 UTC 
Link: Added: This issue depends JBPAPP-529
Comment 6 Mark Little 2008-06-06 12:23:42 UTC 
Need to monitor the related link and check fix when it appears.
Comment 7 Julian Coleman 2008-08-27 08:32:31 UTC 
The source code is no longer displayed with 4.3.0 IR2. as the URL:

  http://127.0.0.1:8080/jmx-console/DisplayOpResult

does not result in an error.
Comment 8 Jiri Pechanec 2008-09-16 05:38:35 UTC 
The root issue - JSP code exposure is still there, try this URL
http://localhost:8080/jmx-console/cluster/clusterView.jsp
Comment 9 Julian Coleman 2008-09-16 15:17:29 UTC 
This appears to be a problem with EAP 4.3.0 CP02.
It is unlikely that it will be fixed for SOA 4.3.0 GA.
Comment 10 nwallace 2008-09-26 06:37:34 UTC 
Link: Added: This issue related SOA-875
Comment 11 Mark Little 2008-11-04 15:02:38 UTC 
Removed FP01 Fix since we do not put bug fixes into FPs.
Comment 12 Len DiMaggio 2008-12-16 20:14:47 UTC 
Seeing this in 4.2 CP03 - for example JSP code displayed with http://localhost:8080/jmx-console/cluster/clusterView.jsp
Comment 13 nwallace 2009-01-12 08:50:24 UTC 
Link: Added: This issue related SOA-1118
Comment 14 Julian Coleman 2009-05-06 13:05:05 UTC 
Fixed with revision 3017 of:
  build-tools/builders/soa/p-consoles/build.xml
  build-tools/builders/soa/p-consoles/jmx-console/web.xml

Commit message:
  JIRA: SOA-257 
  Don't overwrite the EAP JMX console web.xml.  
  We now see the fix for JBPAPP-529 too.
Comment 15 Jiri Pechanec 2010-01-04 16:07:33 UTC 
Verified in ER6