Bug 778642 (SOA-1118)

Summary: JSP source code exposure in jmx-console in production setup
Product: [JBoss] JBoss Enterprise SOA Platform 4
Component: Configuration
Version: 4.2 Beta 1
Hardware: Unspecified
OS: Unspecified
Reporter: nwallace <nwallace>
Assignee: Julian Coleman <jcoleman>
Status: CLOSED NEXTRELEASE
Severity: high
Priority: high
Target Release: 4.3 CP02
URL: http://jira.jboss.org/jira/browse/SOA-1118
Type: Bug
Doc Type: Bug Fix
Last Closed: 2009-08-28 16:24:05 UTC
Environment:
[mschoene@mschoene ~]$ uname -a
Linux mschoene.csb 2.6.18-8.1.8.el5 #1 SMP Mon Jun 25 17:06:19 EDT 2007 i686 i686 i386 GNU/Linux
[mschoene@mschoene ~]$ java -version
java version "1.5.0_13"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_13-b05)
Java HotSpot(TM) Server VM (build 1.5.0_13-b05, mixed mode)
13:06:22,418 INFO [Server] Starting JBoss (MX MicroKernel)...
13:06:22,444 INFO [Server] Release ID: JBoss [EAP] 4.3.0.GA (build: SVNTag=JBPAPP_4_3_0_GA date=200712141443)
13:06:22,445 INFO [Server] Home Dir: /NotBackedUp/software/soabeta1/jboss-soa-p.4.2.0/jboss-as
13:06:22,445 INFO [Server] Home URL: file:/NotBackedUp/software/soabeta1/jboss-soa-p.4.2.0/jboss-as/
13:06:22,446 INFO [Server] Patch URL: null
13:06:22,446 INFO [Server] Server Name: production

Description nwallace 2009-01-12 08:48:21 UTC
Complexity: Low
Date of First Response: 2009-01-13 09:00:07
Workaround Description: In the SOA production setup, use neutral error pages to display HTTP 404 and 500 errors.
project_key: SOA

The error page of the jmx-console spits out JSP source code, which is not desirable for the SOA production setup as exception messages could leak technical data to attackers. Maybe a more general JBPAPP problem.

http://127.0.0.1:8080/jmx-console/DisplayOpResult

HTTP Status 500 -

type Exception report
message

description The server encountered an internal error () that prevented it from fulfilling this request.
exception
org.apache.jasper.JasperException: An exception occurred processing JSP page /displayOpResult.jsp at line 12

9: </head>
10: <body>
11: 
12: <jsp:useBean id='opResultInfo' type='org.jboss.jmx.adaptor.control.OpResultInfo' scope='request'/>
13: 
14: <table width="100%">
15:    <table>


Stacktrace:
	org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:518)
	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:411)
	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)

root cause

javax.servlet.ServletException: java.lang.InstantiationException: bean opResultInfo not found within scope
	org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:855)
	org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:784)
	org.apache.jsp.displayOpResult_jsp._jspService(displayOpResult_jsp.java:145)
	org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:387)
	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)

root cause

java.lang.InstantiationException: bean opResultInfo not found within scope
	org.apache.jsp.displayOpResult_jsp._jspService(displayOpResult_jsp.java:67)
	org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:387)
	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)

note The full stack trace of the root cause is available in the JBossWeb/2.0.0.GA_CP05 logs.
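
The workaround named in the description (neutral error pages instead of the container's default "Exception report") is expressed in the web application's WEB-INF/web.xml through <error-page> mappings. The fragment below is an added illustration for this record, not the actual change committed for SOA-1118 or JBPAPP-529 and not the project's own web.xml; the /error/404.html and /error/500.html locations and the Servlet 2.4 header are assumptions, and the console's existing servlet and security definitions would have to be kept alongside these elements.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the SOA-1118 fix itself): map error responses in
     WEB-INF/web.xml to static, neutral pages so the default Jasper
     "Exception report" body, which echoes JSP source lines and stack
     traces, is never sent to the client. The /error/*.html locations are
     assumed to exist as plain files inside the same web application. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <display-name>JBoss JMX Console</display-name>

  <!-- Existing servlet, servlet-mapping and security-constraint elements
       of the console's web.xml stay here unchanged (omitted in this
       example). -->

  <!-- Status-code mappings: the container serves the listed page with the
       original status code instead of generating its own error body. -->
  <error-page>
    <error-code>404</error-code>
    <location>/error/404.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/error/500.html</location>
  </error-page>

  <!-- Exception-type mapping: covers any uncaught exception thrown while a
       JSP or servlet runs (the JasperException / InstantiationException in
       the report above is one case), regardless of the resulting status. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error/500.html</location>
  </error-page>

</web-app>
```

Two points matter when applying this: the location must be a path inside the same web application, and it should be a static HTML file rather than another JSP, so the error page itself cannot fail and fall back to the container's default report. To confirm the change took effect, request the URL from the description again and check that the response body no longer contains the "Exception report" heading, numbered JSP source lines or a stack trace.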

Comment 1 nwallace 2009-01-12 08:48:21 UTC
Link: Added: This issue depends JBPAPP-529


Comment 2 nwallace 2009-01-12 08:48:21 UTC
Link: Added: This issue related SOA-875


Comment 3 nwallace 2009-01-12 08:50:24 UTC
Link: Added: This issue is related to SOA-257


Comment 4 Julian Coleman 2009-01-13 14:00:07 UTC
Moved as the fix for JBPAPP-529 will be in EAP 4.3.0 CP04.

Comment 5 Julian Coleman 2009-05-06 13:09:53 UTC
Fixed with revision 3018 (4.3 branch) of:
  build-tools/builders/soa/p-consoles/build.xml
  build-tools/builders/soa/p-consoles/jmx-console/web.xml

Commit message:
  JIRA: SOA-1118
  Pull up revision 3017 from trunk.
  
  > JIRA: SOA-257
  > Don't overwrite the EAP JMX console web.xml.
  > We now see the fix for JBPAPP-529 too.


Comment 6 Dana Mison 2009-08-03 03:56:42 UTC
added to 4.3.CP02 release notes as resolved:

JBPAPP-529 - The JMX Console no longer displays JSP source code as part of error message pages.

Comment 7 Jiri Pechanec 2009-08-28 16:24:05 UTC
Verified in CR2