Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

org.owasp.esapi.errors
Class EnterpriseSecurityException

java.lang.Object
  extended by java.lang.Throwable
      extended by java.lang.Exception
          extended by org.owasp.esapi.errors.EnterpriseSecurityException
All Implemented Interfaces:
Serializable
Direct Known Subclasses:
AccessControlException, AuthenticationException, AvailabilityException, CertificateException, ConfigurationException, EncodingException, EncryptionException, ExecutorException, IntegrityException, ValidationException
public class EnterpriseSecurityException
extends Exception

EnterpriseSecurityException is the base class for all security related exceptions. You should pass in the root cause exception where possible. Constructors for classes extending EnterpriseSecurityException should be sure to call the appropriate super() method in order to ensure that logging and intrusion detection occur properly.

All EnterpriseSecurityExceptions have two messages, one for the user and one for the log file. This way, a message can be shown to the user that doesn't contain sensitive information or unnecessary implementation details. Meanwhile, all the critical information can be included in the exception so that it gets logged.

Note that the "logMessage" for ALL EnterpriseSecurityExceptions is logged in the log file. This feature should be used extensively throughout ESAPI implementations and the result is a fairly complete set of security log records. ALL EnterpriseSecurityExceptions are also sent to the IntrusionDetector for use in detecting anomalous patterns of application usage.

Author:
Jeff Williams ([email protected])
See Also:
Serialized Form

Field Summary
protected  Logger logger
          The logger.
protected  String logMessage
           
protected static long serialVersionUID
           
 
Constructor Summary
protected EnterpriseSecurityException()
          Instantiates a new security exception.
  EnterpriseSecurityException(String userMessage, String logMessage)
          Creates a new instance of EnterpriseSecurityException.
  EnterpriseSecurityException(String userMessage, String logMessage, Throwable cause)
          Creates a new instance of EnterpriseSecurityException that includes a root cause Throwable.
 
Method Summary
 String getLogMessage()
          Returns a message that is safe to display in logs, but may contain sensitive information and therefore probably should not be displayed to users.
 String getUserMessage()
          Returns message meant for display to users Note that if you are unsure of what set this message, it would probably be a good idea to encode this message before displaying it to the end user.
 
Methods inherited from class java.lang.Throwable
fillInStackTrace, getCause, getLocalizedMessage, getMessage, getStackTrace, initCause, printStackTrace, printStackTrace, printStackTrace, setStackTrace, toString
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

serialVersionUID

protected static final long serialVersionUID
See Also:
Constant Field Values

logger

protected final transient Logger logger
The logger.

logMessage

protected String logMessage
Constructor Detail

EnterpriseSecurityException

protected EnterpriseSecurityException()
Instantiates a new security exception.

EnterpriseSecurityException

public EnterpriseSecurityException(String userMessage,
                                   String logMessage)
Creates a new instance of EnterpriseSecurityException. This exception is automatically logged, so that simply by using this API, applications will generate an extensive security log. In addition, this exception is automatically registered with the IntrusionDetector, so that quotas can be checked. It should be noted that messages that are intended to be displayed to the user should be safe for display. In other words, don't pass in unsanitized data here. Also could hold true for the logging message depending on the context of the exception.

Parameters:
userMessage - the message displayed to the user
logMessage - the message logged

EnterpriseSecurityException

public EnterpriseSecurityException(String userMessage,
                                   String logMessage,
                                   Throwable cause)
Creates a new instance of EnterpriseSecurityException that includes a root cause Throwable. It should be noted that messages that are intended to be displayed to the user should be safe for display. In other words, don't pass in unsanitized data here. Also could hold true for the logging message depending on the context of the exception.

Parameters:
userMessage - the message displayed to the user
logMessage - the message logged
cause - the cause
Method Detail

getUserMessage

public String getUserMessage()
Returns message meant for display to users Note that if you are unsure of what set this message, it would probably be a good idea to encode this message before displaying it to the end user.

Returns:
a String containing a message that is safe to display to users

getLogMessage

public String getLogMessage()
Returns a message that is safe to display in logs, but may contain sensitive information and therefore probably should not be displayed to users.

Returns:
a String containing a message that is safe to display in logs, but probably not to users as it may contain sensitive information.
Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD
Copyright © 2011 The Open Web Application Security Project (OWASP). All Rights Reserved.