Hibernate, spring and thymeleaf : exception handling - spring

I'm working on a spring mvc web application lately using thymeleaf as view engine, hibernate as persistence unit and spring security. I opted for an XML-less approach (using javaConfig).
I want to provide some customized error pages and not only one global page for all the errors.
I'm new to hibernate and such, so my question is: what are the exceptions that I should handle? For example, when the application can't reach the database or something like that, what kind of exceptions does hibernate throw? And for thymeleaf too, how can I catch the exceptions it throws?
One more thing: can I handle the 404 errors? For example, if the user enters a nonexistent URL, I want to redirect him to an error page, or to the home page. How should I proceed using java config?

Without more specifics, the standard and generic response for providing custom error handling and error pages in Spring MVC is documented in the following section within the Spring Reference: 17.11 Handling exceptions. This section is sufficient to answer all the error page/handling questions you've mentioned.
For Hibernate, it should throw an org.hibernate.HibernateException or a subtype of it. Handling org.hibernate.HibernateException should be sufficient for UI purposes. For a list of exceptions, the org.hibernate.HibernateException API docs for your Hibernate version will have a list of all known subtypes. For example: http://docs.jboss.org/hibernate/orm/3.5/javadocs/org/hibernate/HibernateException.html

Related

Spring Boot Form data Submission vs A8:2017-Insecure Deserialization

Is form attribute binding vulnerable to A8:2017-Insecure Deserialization?
I was testing Spring boot form submission for my internal project when I came across -
OWASP TOP 10 A8:2017-Insecure Deserialization
As per my current project, I am binding the form parameter and getting a SearchPOJO at my controller using @RequestBody.
I have the following doubts:-
Is it safe to pass the parameters as Spring may create the POJO, serialize it and then send it over to network, hence I am vulnerable to A8:2017-Insecure Deserialization?
Does Spring boot perform the same process in any different way?
If there is a vulnerability, will sending form data using @RequestParam/@PathVariable solve the issue?
As of now we are using Thymeleaf in the frontend. We are also planning to switch to a React frontend in the coming months.
OWASP TOP 10 A8.2017
I would be highly obliged if someone can clear my doubts.

How can I populate dynamic information on a custom Tomcat 404 page?

I'm putting together a web app using Tomcat + Spring, and I'd like to have custom 404 pages which contain dynamic content, not just a static html file. For example, if I were working on a blog site, I might want to show a list of the 5 most recent posts on the 404 page to direct the user to actual content.
Additionally, is there a way I can leverage the error information when generating the error page? For example, if the error involved an exception happening in my app, as opposed to a bad url, can I display the stack trace?
Are you creating the project from scratch? Are you able to use Spring-Boot? Spring Boot provides a lot of nice error handling functionality out of the box that can be easily modified.
Either way, if you just want to use standard error page mapping in the web.xml, for example:
<error-page>
    <error-code>404</error-code>
    <location>/error/404</location>
</error-page>
When your application returns a 404 status code, the request will be intercepted and forwarded internally to the endpoint /error/404 - which can just be any endpoint in your spring app, so it can do any dynamic stuff that you would in a normal controller.
To do it programmatically, without Spring Boot, you could create a Filter class that wraps all requests and just catches exceptions and checks for non 2XX response codes and forwards/handles appropriately - this is basically the solution that the Spring Boot guys implemented (see the ErrorPageFilter class).
To access info about the exception, that can be accessed from the request - see here for similar answer: https://stackoverflow.com/a/1034667/258813
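An added example (not part of the original answer) of the controller behind the /error/404 location: it reads the error attributes the servlet container sets on the forward, fills the page with dynamic content, and sends the stack trace to the server log under an incident id instead of rendering it. The RecentPosts interface, the /error/500 mapping, the view name and the javax.servlet (pre-Jakarta) API are assumptions.

```java
import java.util.List;
import java.util.UUID;
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class ErrorPageController {

    /** Hypothetical source of the dynamic content (e.g. backed by a repository). */
    public interface RecentPosts {
        List<String> latestTitles(int count);
    }

    private static final Logger log = LoggerFactory.getLogger(ErrorPageController.class);
    private final RecentPosts recentPosts;

    @Autowired
    public ErrorPageController(RecentPosts recentPosts) {
        this.recentPosts = recentPosts;
    }

    // "/error/404" is the <location> from the web.xml above; "/error/500" assumes a
    // second <error-page> entry mapped the same way.
    @RequestMapping({"/error/404", "/error/500"})
    public String errorPage(HttpServletRequest request, Model model) {
        // Set by the container on the internal error forward; all null on a direct hit.
        Integer status = (Integer) request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
        String uri = (String) request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);
        Throwable cause = (Throwable) request.getAttribute(RequestDispatcher.ERROR_EXCEPTION);

        if (cause != null) {
            // The stack trace stays in the server log; the page shows only the id.
            String incidentId = UUID.randomUUID().toString();
            log.error("Incident {}: status {} on {}", incidentId, status, uri, cause);
            model.addAttribute("incidentId", incidentId);
        }
        // Client-controlled value: render it escaped (th:text), never th:utext.
        model.addAttribute("requestedPath", uri);
        model.addAttribute("recentPosts", recentPosts.latestTitles(5));
        return "error/page"; // hypothetical view name
    }
}
```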

Handle errors using a custom view

I want to handle custom errors like 401, 403, 500 etc in a Spring 3.2 application using Filters. I do not want to use the web.xml approach of defining the error pages.
I tried to follow the solution listed at How to handle exceptions thrown while rendering a view in Spring MVC?
But ErrorHandler.handle does not really exist.
How can I use filters to catch all the errors and redirect to different views?
A good way to handle exceptions in Spring Controllers is using the @ExceptionHandler and @ControllerAdvice annotations. Here is the relevant part of the documentation and here is a tutorial on their usage.
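An added example (not from either answer) of the @ControllerAdvice approach named here, which also covers the HibernateException handling suggested in the first answer on this page. The view names, the incident-id scheme, the chosen status codes and the presence of Spring Security on the classpath are assumptions.

```java
import java.util.UUID;
import org.hibernate.HibernateException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.dao.DataAccessException;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.servlet.ModelAndView;

@ControllerAdvice
public class GlobalErrorAdvice {

    private static final Logger log = LoggerFactory.getLogger(GlobalErrorAdvice.class);

    // Persistence failures: a raw HibernateException, or Spring's DataAccessException
    // when exception translation is active on the repositories.
    @ExceptionHandler({HibernateException.class, DataAccessException.class})
    @ResponseStatus(HttpStatus.SERVICE_UNAVAILABLE)
    public ModelAndView persistenceFailure(Exception ex) {
        return errorView("error/database", ex);
    }

    // Rethrow security exceptions so Spring Security's filter chain still produces
    // the 401/403 response; the catch-all below would otherwise turn them into 500s.
    @ExceptionHandler({AccessDeniedException.class, AuthenticationException.class})
    public void security(RuntimeException ex) {
        throw ex;
    }

    // Fallback for everything else thrown by a controller.
    @ExceptionHandler(Exception.class)
    @ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
    public ModelAndView unexpected(Exception ex) {
        return errorView("error/general", ex);
    }

    private ModelAndView errorView(String viewName, Exception ex) {
        // Details go to the log; the model carries only an id, no message or stack trace.
        String incidentId = UUID.randomUUID().toString();
        log.error("Request failed, incident {}", incidentId, ex);
        ModelAndView mav = new ModelAndView(viewName);
        mav.addObject("incidentId", incidentId);
        return mav;
    }
}
```

Exceptions thrown while the view itself is rendered occur after handler resolution, so @ExceptionHandler methods do not see them; those reach the container's error-page mapping instead.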

Stateless Spring MVC

I'm currently reading Spring in Action 3rd edition, and have been experimenting with Spring MVC.
Everything works well, until I tried to 'port' my example webapp to a stateless webapp.
To determine whether a session object is created, I placed a debugging servlet filter on /* URL mapping, which just prints out the req.getSession(false), and continues the chain.
I tried changing all of my controllers' scope to request out of naiveness, but of course, session is still created on a page/controller that binds the model to the form.
I wonder how to achieve stateless Spring MVC? I'm out of luck for tutorials on this matter so far.
Make sure to have all the JSPs use
<%@ page session="false" %>
else a session will be created as soon as a JSP is executed.
Accidental session creation is one of the most common sources of invalid bug reports in Spring Security (hence the FAQ you linked to in your comment above).
Spring Security's debugging filter can be useful if you're having issues with session creation. It will automatically log a message when a session is created, with a stacktrace indicating where it happened. It also provides other useful information with more human-readable output than standard log entries, so is useful in a development environment. If you're using Spring Security's namespace support, you just need to add the element
<debug />
to your configuration.

Should I care about Open Session in View when using Grails?

From my experience of using spring MVC in conjunction with hibernate I know about the lazy exception problem that occurs when accessing a lazy-fetched collection while rendering a view.
In the pure spring+hibernate world it is fixed by introducing OpenSessionInViewInterceptor or OpenSessionInViewFilter, thus enabling one hibernate session per request.
So the question is: should I care about this problem in grails, or is such one-session-per-request behaviour enabled by default?
If this isn't the grails default, please provide some code to implement this behaviour.
Thanks.
Grails registers a customized subclass of OpenSessionInViewInterceptor (it adds WebFlow awareness). So anything done in the context of a web request will have an open session and lazy-loaded references and collections will resolve.
