000025192 - Exception handling for exceptions displayed to end-users

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4

Article Content

Article Number: 000025192
Applies To: Federated Identity Management Module 3.1

fim.global.error.url

Error URL
Issue: Exception handling
Cause: When an exception is thrown by an RSA FIM server, it may be displayed as a Java stack trace in the user's browser. The exception can instead be handled and passed to another service, either to display it in a well-formatted way or to perform some other custom processing.
Resolution

This solution does not resolve or remove any exception that may occur on your FIM server; rather, it is a mechanism to manage exceptions when they occur and to avoid error messages being displayed to end users. The solution can also be used more broadly to extend FIM to cater for specific functionality. For example, an IdP may send a SAMLResponse with a logon failure as the message; the supplied RSA FIM product will generate an exception for this condition and display it to the end user, for example:

 Exception encountered at the top-level of the profile bean: User cancelled logon

Error stack trace:

com.rsa.fim.profile.sso.SSOProfileException: Exception encountered at the top-level of the profile bean: User cancelled logon
 at com.rsa.fim.profile.sso.SSOHelper.handleThrowable(SSOHelper.java:614)
 at com.rsa.fim.profile.sso.SSOProfileBean.processResponse(SSOProfileBean.java:1790)
 at com.rsa.fim.profile.sso.SSOProfile_5wyj3w_EOImpl.processResponse(SSOProfile_5wyj3w_EOImpl.java:100)
 at com.rsa.fim.servlet.sso.AssertionConsumerService.doGet(AssertionConsumerService.java:64)
 at com.rsa.fim.servlet.sso.AssertionConsumerService.doPost(AssertionConsumerService.java:38)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)

In this instance, a handler might be written to watch specifically for this type of exception and then deal with the subsequent events without errors (for example, just redirecting the user to their public web page or to a web page saying "since you cancelled the logon process you are not admitted").

There are three different locations where an Error URL can be set:

  • In a local entity configuration page. This URL will be used in situations where the local entity in the communication has been evaluated, so the specified URL might be unique to the entity.
  • On an association page, where you may set an override to use a more specific URL unique to a particular association. In this way a different handler might be configured to cope with different partner entity relationships.
  • As a global setting, fim.global.error.url in rsa-fim-config/properties/fim.properties, which will be used when the entity name has not been evaluated.

In all situations the URL cannot contain any custom CGI parameters and must only be a basic HTTP reference.

As an example you might set the following in fim.properties:

      fim.global.error.url=http://fimserver.csau.ap.rsa.net:7001/errorhandler/displayerror.jsp

Then as a further example a deployed page displayerror.jsp might have the following, simple content:  

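<%@ page language="java" %>
<%!
    // Encode a value for a JavaScript string literal inside a <script> block.
    // Every character outside [A-Za-z0-9 ] becomes a backslash-u hex escape, so
    // quotes, backslashes, line breaks and "</script>" cannot end the string or the block.
    private static String jsString(String s) {
        if (s == null) return "";
        StringBuffer out = new StringBuffer();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == ' ') {
                out.append(c);
            } else {
                String hex = Integer.toHexString(c);
                out.append("\\u").append("0000".substring(hex.length())).append(hex);
            }
        }
        return out.toString();
    }
%>
<!--
====================================================
This is a sample error redirect page that is shown to the end user if
any exception is thrown from the system. A parameter "ERROR_MESSAGE"
is passed from FIM containing the detailed error message.
====================================================
-->
<html>
<head>
<title>Error page</title>
<script type="text/javascript">
function writeError() {
   // Open an empty window; the detail is written into it below.
   var errorWindow = window.open("", "error", "width=350,height=200");
   errorWindow.document.write("<html><body><pre id='msg'></pre></body></html>");
   errorWindow.document.close();
   errorWindow.document.bgColor = "lightblue";
   // ERROR_MESSAGE is a request parameter, so it is inserted as a text node, never as markup.
   var message = '<%= jsString(request.getParameter("ERROR_MESSAGE")) %>';
   errorWindow.document.getElementById("msg").appendChild(errorWindow.document.createTextNode(message));
}
</script>
</head>
<body>
<center>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error. Please try again.</p>
<form name="showdetail" action="">
<input type="button" name="error" id="error" value="Show Error" onclick="writeError();">
</form>
</center>
</body>
</html>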
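
The handler described earlier, one that watches for a specific exception such as "User cancelled logon" and otherwise shows the user nothing internal, could look like the following JSP. This is an added example, not RSA code: the logger name fim.errorhandler, the page /cancelled.html and the reference-id scheme are assumptions; only the ERROR_MESSAGE parameter and the exception text come from this article.

```jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" %>
<%@ page import="java.util.logging.Logger, java.security.SecureRandom" %>
<%!
    // Added example: names below are assumptions, not part of RSA FIM.
    private static final Logger LOG = Logger.getLogger("fim.errorhandler");
    private static final SecureRandom RNG = new SecureRandom();
    // Message text taken from the sample exception shown in this article.
    private static final String CANCELLED = "User cancelled logon";
    // Hypothetical static page deployed in the same web application.
    private static final String CANCELLED_PAGE = "/cancelled.html";

    // Replace control characters (CR/LF included) so the value cannot forge
    // extra log lines, and cap the length of what is written to the log.
    private static String forLog(String s) {
        if (s == null) return "(none)";
        String clean = s.replaceAll("[\\p{Cntrl}]", "_");
        return clean.length() > 2000 ? clean.substring(0, 2000) : clean;
    }
%>
<%
    String raw = request.getParameter("ERROR_MESSAGE");
    // Random reference shown to the user and written to the log, so support
    // staff can find the detail without the browser ever receiving it.
    String ref = Long.toHexString(RNG.nextLong());
    LOG.warning("FIM error ref=" + ref + " remote=" + request.getRemoteAddr()
            + " msg=" + forLog(raw));

    // Known, benign condition: send the user to a fixed page. The target is a
    // constant, never a value taken from the request.
    if (raw != null && raw.indexOf(CANCELLED) >= 0) {
        response.sendRedirect(request.getContextPath() + CANCELLED_PAGE);
        return;
    }
%>
<html>
<head><title>Error page</title></head>
<body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error. Please try again.</p>
<p>If the problem persists, quote reference <%= ref %> to your administrator.</p>
</body>
</html>
```

Only the generated reference reaches the browser; the exception text stays in the server log.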


Note: Both fim.global.error.url and the ability to set the Error URL at an association level are enhancements to FIM 3.1 and may require you to upgrade your system to FIM 3.1.2 to be able to take advantage of newer features.

See also:

     How to limit error information displayed to end users

More information is available in the appropriate documentation, which is also available in SecurCare Online:

RSA Federated Identity Manager 3.1 Installation & Configuration Guide
https://knowledge.rsasecurity.com/docs/rsa_fim/fim31/install.pdf

RSA Federated Identity Manager 3.1 Planning Guide
https://knowledge.rsasecurity.com/docs/rsa_fim/fim31/plan.pdf

RSA Federated Identity Manager 3.1 Developer's Documentation
https://knowledge.rsasecurity.com/docs/rsa_fim/fim31/devguide.zip

RSA Federated Identity Manager 3.1.2 Installation and Configuration Guide
https://knowledge.rsasecurity.com/docs/rsa_fim/fim312/Install_and_Config_Guide.pdf

Legacy Article ID: a38542
