简体中文(ZH-CN)English(EN)繁体中文(ZH-TW)日本語(JA)한국어(KO)Melayu(MS)Français(FR)Deutsch(DE)
Home
Article
Q&A
Course
Topic
Download
Game
Dictionary
Recent Updates

Home  >  Article  >  Avoid exposing backend details to clients in spring-boot

Avoid exposing backend details to clients in spring-boot

王林
王林forward
2024-02-22 12:28:06562browse

Recently, PHP editor Xigua brought you a Q&A article about Java, focusing on how to avoid exposing back-end details to the client in spring-boot. During the development process, how to handle sensitive information such as exception information and error prompts to avoid leaking sensitive data is one of the issues that developers need to focus on. This article will answer these questions for you and help you better protect the security of your applications.

Question content

When an incorrect/non-existent spring-boot endpoint is encountered. Code-level class details are exposed. This may be flagged as a security issue.

Example

ask

localhost:8500/api/1.0/service/../msc -> this is a bad formatted endpoint, which does not exist.

Response

{
    "timestamp": "2024-01-31t08:33:44.321+0000",
    "status": 400,
    "error": "bad request",
    "message": "failed to find lookuppath '/api/1.0/msc' within requesturi '/api/1.0/service/../msc'. this could be because the path has invalid encoded characters or isn't normalized.; nested exception is org.springframework.web.servlet.resource.resourceurlencodingfilter$lookuppathindexexception: failed to find lookuppath '/api/1.0/msc' within requesturi '/api/1.0/service/../msc'. this could be because the path has invalid encoded characters or isn't normalized.",
    "path": "/api/1.0/service/../msc"
}

Just by looking at the error message, we can tell that there is a spring-boot application running in the background, which could be a vulnerability since the code-level details are exposed in the message.

How can we send a generic message to the client instead of the entire exception details?

I also tried using @controlleradvice, but the exception was not caught in it. It looks like the problem occurs before it even gets to the controller itself. 

@ExceptionHandler(Exception.class)
public ResponseEntity handleException(Exception ex) {
log.error("Exception in flow", ex);
ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body("Internal Server Error");
}

Solution

You can use a combination of methods to handle the exception and not leak it, seehttps://www.php.cn/link/41fa3925a7ec42ce029c43d6676e4b2c to check for different types of handlers.

The above is the detailed content of Avoid exposing backend details to clients in spring-boot. For more information, please follow other related articles on the PHP Chinese website!

Java php mvc spring https
Statement:
This article is reproduced at:stackoverflow.com. If there is any infringement, please contact admin@php.cn delete
Previous article:When to use abstraction and when to use interfaces?Next article:When to use abstraction and when to use interfaces?

Related articles

See more