Uploaded image for project: 'Spring Framework'
  1. Spring Framework
  2. SPR-7542

DispatcherPortlet should not throw a permanent UnavailableException when no handlermapping can be found

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 3.0.4
    • Fix Version/s: 3.0.5
    • Component/s: Web
    • Labels:
      None
    • Last commented by a User:
      false

      Description

      In DispatcherPortlet the following method can be found

      protected void noHandlerFound(PortletRequest request, PortletResponse response) throws Exception {
      ....
      throw new UnavailableException("No handler found for request");
      }

      It is invoked when no handler mapping can be found

      According to

      http://portals.apache.org/pluto/portlet-api/apidocs/javax/portlet/UnavailableException.html

      The 1 argument constructor indicates permanent unavailability

      JSR 286 describes how a permanent UnavailableException should be handled in section PLT.5.4.7 Exceptions During Request Handling

      If a permanent unavailability is indicated by the UnavailableException, the portlet container must remove the portlet from service immediately, call the portlet's destroy method, and release the portlet object.xxiv A portlet that throws a permanent
      15 UnavailableException must be considered unavailable until the portlet application containing the portlet is restarted.
      When temporary unavailability is indicated by the UnavailableException, then the portlet container may choose not to route any requests to the portlet during the time period of the temporary unavailability.

      Clearly destroying the portlet and making it permanently unavailable is not the desired behavior when no handler mapping can be found

      and because it's easy to trigger this condition, it actually has potential for being used for denial of service attacks on porlets developed using spring mvc

        Attachments

          Activity

            People

            • Assignee:
              juergen.hoeller Juergen Hoeller
              Reporter:
              jelmer Jelmer Kuperus
              Last updater:
              Trevor Marshall
            • Votes:
              1 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                7 years, 33 weeks ago