You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Benoit Devos (JIRA)" <ji...@apache.org> on 2018/10/29 08:55:00 UTC
[jira] [Created] (QPIDJMS-423) Avoid disclosing sensitive info when
logging Remote Broker URI
Benoit Devos created QPIDJMS-423:
------------------------------------
Summary: Avoid disclosing sensitive info when logging Remote Broker URI
Key: QPIDJMS-423
URL: https://issues.apache.org/jira/browse/QPIDJMS-423
Project: Qpid JMS
Issue Type: Improvement
Components: qpid-jms-client
Affects Versions: 0.37.0
Reporter: Benoit Devos
The broker URI may contain sensitive info (like path to trust / key stores, and related *passwords*), and this info is being logged.
Sample:
{code:xml}
<bean id="jmsConnectionFactory" class="org.apache.qpid.jms.JmsConnectionFactory">
<constructor-arg name="remoteURI" value="amqps://some-location:5671?
transport.keyStoreLocation=/very/long/path/nnn-openssl.p12&
transport.keyStorePassword=*******&
transport.trustStoreLocation=/very/long/path/server.keystore&
transport.trustStorePassword=*******"/>
</bean>
{code}
The method JmsConnection.onConnectionEstablished(final URI remoteURI) logs this URI as is, therefore disclosing some passwords.
Only essential info just be logged, i.e. scheme, host and port.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org