
    About avoiding information sent to client

    Hi all,

    v10.1p_2017-08-10/Pro Deployment
    Browser: powershell/3.0
    URI: ../sc/IDACall?isc_rc=1

    I would like to know if it is possible to avoid status -1 messages to clients? It is not a failing request, it is an HTTP 200, including a message with
    Ex:
    //isc_RPCResponseStart-->[{data:"Unable to locate xxx - check to make sure it's available in xxx",status:-1}]//isc_RPCResponseEnd

    I am trying to security harden the server.

    Cheers, Okan.





    #2
    The client needs to know about the failure, but if your server code is sending error messages with too much information, you can modify the error message in the DSResponse on the server before the response is sent to the client, via a DMI or more centrally (see QuickStart Guide for an overview of different places to inject custom logic).



      #3
      Thanks for the reply. As you mentioned, I want to send less information in the data part of the response, especially in production. For instance, in some responses the application paths could be seen. I am inspecting software that includes SmartClient for security. I will read the documentation; in the meantime, any help would be appreciated. I wish, as a System Engineer, there were a conf file to modify this behavior :)
      Cheers, Okan.
      Last edited by bostanok; 20 Mar 2018, 01:09.



        #4
        You definitely need to read the QuickStart Guide, especially the Server Framework chapter, as you will need that basic overview to be able to work with our software at all.

        Note that the error message you are worried about doesn't appear to be one that comes from our software, but rather from your own or from a third-party library you are using. So there may be a configuration file to modify those messages, but it wouldn't be a configuration file for our software.



          #5
          I read the docs, on Smart GWT Server Framework > Adding DMI Business Logic > Modify the DSResponse before it is returned to the browser

          "
          For example, adding calculated values derived from DataSource data, or trimming data that the user is not allowed to see. Typically, use dsResponse.getRecords() and iterate over the returned records, adding or modifying properties, then pass the modified List of records to dsResponse.setData().
          "

          In fact, the situation is: there is software which uses the SmartClient framework. Unfortunately, changing the software code is not possible. So we go with the option to modify the SmartClient libraries and look at the source code, and, as you suggested in the first reply, modify data in DSResponse.java by

          Code:
          public void setData(Record... data) {
              ...
              if (getStatus() < 0) {
                  // Hide data: log the real payload and return a generic placeholder
                  SC.logWarn("Response status is < 0. The real response data is:" + data[0]);
                  setAttribute("data", "Not Available");
              } else {
                  // Normal processing here
                  setAttribute("data", data);
              }
          }

          Is it the correct place to hide/modify data? Or a good idea? Of course we will look at the impact on the software.
          Last edited by bostanok; 21 Mar 2018, 03:01.



            #6
            Hi bostanok,

            "SC.logWarn()" looks like client side, so this is definitely not the correct place to change such stuff, as the server already sent the relevant data to the client.
            Without looking at the QSG, which you should do, I'd assume that a subclass of SQLDataSource might be your best starting point.

            Best regards
            Blama



              #7
              Thanks for the answers. I could change the error message shown to the clients by overriding the handleRPCRequestError function.

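A way to verify the hardening discussed in this thread, as an added example that is not part of any post and is not SmartClient code: it scans captured IDACall response bodies for negative-status responses whose data string still exposes paths, exception class names or stack frames. The function name `audit`, the leak patterns and the sample bodies are assumptions constructed for illustration; only the envelope and object layout come from the response quoted in the first post.

```python
import re

# Envelope and object layout as in the example response quoted in the thread.
ENVELOPE = re.compile(r"//isc_RPCResponseStart-->(.*?)//isc_RPCResponseEnd", re.S)
RESPONSE = re.compile(r'\{data:"((?:[^"\\]|\\.)*)",status:(-?\d+)\}')

# Heuristic leak patterns (assumptions; tune them for the application under test).
LEAK_PATTERNS = {
    "unix_path": re.compile(r"(?<![\w.:/])/(?:[\w.-]+/)+[\w.-]+"),
    "windows_path": re.compile(r"\b[A-Za-z]:\\+[\w.-]+(?:\\+[\w.-]+)+"),
    "java_exception": re.compile(r"\b(?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error)\b"),
    "stack_frame": re.compile(r"\bat [\w.$]+\([\w.]+:\d+\)"),
}


def audit(body):
    """Return one finding per failed response whose data string leaks internals."""
    findings = []
    for envelope in ENVELOPE.finditer(body):
        for data, status in RESPONSE.findall(envelope.group(1)):
            if int(status) >= 0:
                continue  # only error responses (negative status) are audited
            kinds = sorted(k for k, rx in LEAK_PATTERNS.items() if rx.search(data))
            if kinds:
                findings.append({"status": int(status), "kinds": kinds, "data": data})
    return findings


# Constructed sample bodies (not captured from any real deployment).
SAMPLES = {
    "generic": '//isc_RPCResponseStart-->[{data:"Request failed. Reference: 7f3a",status:-1}]//isc_RPCResponseEnd',
    "path": '//isc_RPCResponseStart-->[{data:"Unable to locate /opt/app/WEB-INF/ds/order.ds.xml",status:-1}]//isc_RPCResponseEnd',
    "trace": '//isc_RPCResponseStart-->[{data:"java.lang.NullPointerException at com.example.Dao.load(Dao.java:42)",status:-1}]//isc_RPCResponseEnd',
    "success": '//isc_RPCResponseStart-->[{data:"/opt/app/report.pdf",status:0}]//isc_RPCResponseEnd',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        for f in audit(body):
            print(f"{name}: status={f['status']} leaks={','.join(f['kinds'])}")
```

Run it over responses recorded before and after the server-side change; an empty result for every failure response means the error text reaching clients no longer matches these patterns.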
