Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2015/04/16 12:34:58 UTC
[jira] [Created] (QPID-6496) PropertiesFileInitialContextFactory logs properties at INFO which may allow a password to be logged
Keith Wall created QPID-6496:
--------------------------------
Summary: PropertiesFileInitialContextFactory logs properties at INFO which may allow a password to be logged
Key: QPID-6496
URL: https://issues.apache.org/jira/browse/QPID-6496
Project: Qpid
Issue Type: Bug
Components: Java Client
Affects Versions: 0.8, 0.32
Reporter: Keith Wall
Priority: Minor
PropertiesFileInitialContextFactory logs all properties at INFO whilst creating the InitialContext. As the properties could include connection factory definition(s) and connection factory definitions allow a password to be embedded within them, this could mean cleartext passwords are logged.
{noformat}
connectionfactory.qpidConnectionFactory = amqp://user:pass@clientid/?brokerlist='tcp://localhost:5672'
{noformat}
This problem will only manifest if logger org.apache.qpid.jndi is enabled at INFO or lower. The client offers no in-built mechanism to enable this logging (it is delegated to the application).
It won't affect users specifying credentials using ConnectionFactory#createConnection(user,password). Nor does it affect users using authentication mechanisms that do not rely on a client-side password, i.e. SSL client auth, Kerberos.
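One way to avoid the exposure described in this report is to mask credentials before JNDI properties reach a logger. The following is an added example, not code from the Qpid project or its fix for QPID-6496; the class `RedactedJndiProperties` and method `forLogging` are hypothetical names, and it assumes the password sits in the `user:password@` part of the connection URL and contains no `/` or `@`.

```java
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;
import java.util.regex.Pattern;
import javax.naming.Context;

// Hypothetical helper (not part of Qpid): builds a log-safe view of JNDI properties.
public class RedactedJndiProperties {
    private static final String MASK = "********";

    // Matches "user:password@" directly after "://". The host:port of a
    // brokerlist entry is not followed by '@', so it is left untouched.
    private static final Pattern URL_PASSWORD =
            Pattern.compile("(?<=://)([^:/@\\s]*):[^@/\\s]*@");

    /** Returns a sorted copy of the properties with credentials masked. */
    static Map<String, String> forLogging(Properties props) {
        Map<String, String> safe = new TreeMap<>();
        for (String key : props.stringPropertyNames()) {
            String value = props.getProperty(key);
            if (key.equals(Context.SECURITY_CREDENTIALS)
                    || key.toLowerCase().contains("password")) {
                // The whole value is a secret: never log any part of it.
                value = MASK;
            } else {
                // Keep the user name for diagnostics, mask only the password.
                value = URL_PASSWORD.matcher(value).replaceAll("$1:" + MASK + "@");
            }
            safe.put(key, value);
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample input; the first value is the line quoted in the report.
        Properties props = new Properties();
        props.setProperty("connectionfactory.qpidConnectionFactory",
                "amqp://user:pass@clientid/?brokerlist='tcp://localhost:5672'");
        props.setProperty(Context.SECURITY_CREDENTIALS, "s3cret");
        props.setProperty("queue.exampleQueue", "example.queue");

        // Log the redacted view instead of the raw Properties object.
        forLogging(props).forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```

Until the factory itself stops logging raw properties, keeping the org.apache.qpid.jndi logger above INFO in the application's logging configuration avoids the condition the report describes.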