> No, there isn't any option to change the exception
> chain propagation. In fact, our trend
> has been to increase the amount of information that
> is chained so that the developer is
> not forced to have to always look in the server.log
> for the source of the problem and
> to increase the chance that the root cause is made
> known.
I agree. But by looking only from a security point of view, don't you think that sometimes it is justified for one administrator to want to configure Glassfish so it doesn't send server-side stack traces or causes to the client?
In the specific example I gave above, maybe it is not a good idea to propagate a exception from the JDBC driver all the way to the client; it could contain table, column, and constraint names. It also gives to an attacker the knowledge that the data is passing server-side validation logic and is reaching the database.
Like I said, I agree 100% on being friendly to the developer. After all, I'm a developer myself! But I still think that there are reasons that justify having some option to disable the propagation of exceptions chains to the client.
> However, as you point out, the behavior you're seeing
> is a bug. The client application
> shouldn't be receiving an arbitrary runtime
> exception. Could you please file an bugster issue
> for this and include all the stack traces. Thanks.
I will. Thank you for your help.
[Message sent by forum member 'lbschenkel' (lbschenkel)]
http://forums.java.net/jive/thread.jspa?messageID=222010