Skip to main content

Catch hold of that Exception and hide that stacktrace!!!

Exceptions happen!!! Rules are to be followed, too. Time and again, Java developers are told the golden rule to catch specific exceptions and not to catch the generic Exception.

The thought process behind that is, applications should not catch runtime exceptions. This is apt as runtime exceptions are an indicator of "bugs" in the code. However, blindly following rules, as always, can have unexpected consequences.

If you are developing services that are to be exposed over the wire, it is always a good idea to break this rule and "catch that Exception". Instead, follow the below principles:

  1. Service methods should implement a generic Exception block, along with catching declared exceptions, thrown from inner layers of the code. 
  2. If needed, the service can throw another exception back to the client. What's important is that we create a new Exception instance to be thrown, along with relevant message for the client.
  3. The service can log stacktrace for the Exception that is caught for debugging purpose, but do not wrap the original Exception inside the custom Exception to be thrown to the client.
This is imperative because if the services only catch declared exceptions, runtime exceptions get propagated to clients over the wire. This exposes the stacktrace of that exception to the end user who can get valuable information about the application.
  1. It reveals the flow of control within the application.
  2. If a runtime exception occurs from a third party library, this exposes the information about that library to the client.
  3. It can also reveal information about the application architecture.
  4. As mentioned before, runtime exceptions are indications of bugs. And bugs can be vulnerable.
Such an information leak can expose vulnerabilities in the application and make the application an easy target. 

So be safe and catch that Exception and eat up the stacktrace...

Comments

Post a Comment

Popular posts from this blog

Using JNDI managed JMS objects with Apache CAMEL

Apache CAMEL uses Spring JMS to work with JMS Queues or Topics. Evidently, we will need Spring to configure and use JMS capabilities provided by CAMEL. Details about how to implement JMS based routes using Apache CAMEL can be found in the CAMEL documentation. However, the documentation leaves a lot to be figured out. In a typical Java EE container, it is usually a good idea to abstract the underlying JMS resources by using JNDI. We can use the below configuration to achieve that. This configuration is tested in Websphere environment, but should work in any JEE container. Create a JMS queue connection factory in the JNDI registry. CAMEL configuration will be able to use only one queue connection factory, even if we have more than one. Create one or more JMS queue or topics, in the JNDI registry, as required. The above two steps are related to generic JNDI configuration for JMS resources. Now we come to the setup required for making these JMS resources work with CAMEL rout...
Post a Comment
Read more

Container ready spring boot application

Spring boot applications are now ubiquitous. The usual way to build one is to create an uber jar. At the same time, Docker allows us to build self reliant containers which are unaffected by the underlying server architecture or neighboring applications or their dependencies. Spring boot applications can also run in docker containers.  However running an uber jar inside a container fails to satisfy an important goal. That of high speed build and deployment. An uber jar is a heavy weight entity. That will make docker image heavy and slow to build. Here's a step by step solution, which leverages docker layer caching feature for faster builds with all spring boot goodness. We will use Maven to build a deployment structure for our docker image that allows fast deployments. Step 1: Create a spring boot application with only the SpringBootApplication and Configuration classes, such as one for REST configuration package scanning, one for JPA etc. Most often this wil...
Post a Comment
Read more