  1. Identity Gateway
  2. OPENIG-683

Too much information in response in case of error


    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0.0
    • Fix Version/s: 4.5.0
    • Component/s: None
    • Labels:
    • Sprint:
      OpenIG Sprint 74, OpenIG Sprint 75


      OpenIG gives too much information to the client that issued the original request. In case of an error, OpenIG has to be succinct about the error and should try not to publish any "confidential" information. This kind of information should only be written to the loggers for troubleshooting by the administrator.

      As an example, with OpenIG acting as a simple proxy, here is the response we get:

      $ http http://localhost:9876/time
      HTTP/1.1 502 Bad Gateway
      Content-Length: 56
      Date: Tue, 20 Oct 2015 12:06:34 GMT
      Server: Jetty(9.2.11.v20150529)

      Failed to obtain response for http://localhost:8080/time

      ==> OpenIG should not publish the target host in the response. The response's content might be something like "Bad Gateway", but in the log files we should have a trace of that event with as much detail as possible.

      Another example is when you use a Groovy script: in the response, we get the compilation error message. We should get a 500 error page with the following message: "An unexpected error happened. Please contact your system administrator." All the compilation error messages have to be in the log files.

      To ease troubleshooting, we might provide a request ID (the context ID?) in the response as well as in the log files.
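
The behaviour requested above, as an added example in plain Java (JDK only, not OpenIG code): the client receives a generic message plus a request ID, while the target URI and the exception go only to the log under the same ID. The class, record and method names are hypothetical, and the two sample failures are constructed to mirror the cases in this report.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class SuccinctErrors {
    private static final Logger LOG = Logger.getLogger(SuccinctErrors.class.getName());

    /** Minimal response holder; hypothetical, not an OpenIG type. */
    record ClientResponse(int status, String body) {}

    /**
     * Logs the full failure (target URI, exception, stack trace) under the request ID
     * and returns a response that carries only a generic message and that ID.
     */
    static ClientResponse toClientResponse(String requestId, String targetUri, Throwable cause) {
        // An I/O failure towards the proxied server maps to 502, anything else to 500.
        boolean upstreamFailure = cause instanceof IOException;
        int status = upstreamFailure ? 502 : 500;
        // Strip CR/LF so a crafted URI cannot forge extra log lines.
        String safeTarget = targetUri.replaceAll("[\\r\\n]", "_");
        LOG.log(Level.SEVERE,
                "[" + requestId + "] status=" + status + " target=" + safeTarget, cause);
        String message = upstreamFailure
                ? "Bad Gateway"
                : "An unexpected error happened. Please contact your system administrator.";
        // Nothing derived from targetUri or cause is copied into the body.
        return new ClientResponse(status, message + " (request ID: " + requestId + ")");
    }

    public static void main(String[] args) {
        // Constructed case 1: the proxied server is unreachable.
        ClientResponse proxy = toClientResponse(UUID.randomUUID().toString(),
                "http://localhost:8080/time", new ConnectException("Connection refused"));
        // Constructed case 2: a script fails to compile.
        ClientResponse script = toClientResponse(UUID.randomUUID().toString(),
                "n/a (script)", new IllegalStateException("Groovy compilation failed at line 3"));
        System.out.println(proxy.status() + " " + proxy.body());
        System.out.println(script.status() + " " + script.body());
        // Neither body may reveal the target host or the compilation error text.
        if (proxy.body().contains("localhost:8080") || script.body().contains("Groovy")) {
            throw new AssertionError("internal detail leaked to the client");
        }
    }
}
```

An administrator who is given the request ID from the error page can search the log for the matching `[<id>]` entry to find the target and stack trace.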





              • Assignee:
                violette Violette Roche Montane
                laurent.vaills Laurent Vaills


                • Created: