Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2015/04/16 12:34:58 UTC

[jira] [Created] (QPID-6496) PropertiesFileInitialContextFactory logs properties at INFO which may allow a password to be logged

Keith Wall created QPID-6496:
--------------------------------

             Summary: PropertiesFileInitialContextFactory logs properties at INFO which may allow a password to be logged
                 Key: QPID-6496
                 URL: https://issues.apache.org/jira/browse/QPID-6496
             Project: Qpid
          Issue Type: Bug
          Components: Java Client
    Affects Versions: 0.8, 0.32
            Reporter: Keith Wall
            Priority: Minor



PropertiesFileInitialContextFactory logs all properties at INFO whilst creating the InitialContext.  As the properties could include connection factory definition(s), and connection factory definitions allow a password to be embedded within them, this could mean cleartext passwords are logged.

{noformat}
connectionfactory.qpidConnectionFactory = amqp://user:pass@clientid/?brokerlist='tcp://localhost:5672' 
{noformat}

This problem will only manifest if logger org.apache.qpid.jndi is enabled at INFO or lower.  The client offers no built-in mechanism to enable this logging (it is delegated to the application).

It won't affect users specifying credentials using ConnectionFactory#createConnection(user,password).  Nor does it affect users using authentication mechanisms that do not rely on a client-side password, i.e. SSL client auth, Kerberos.
  




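One way an application could mask the embedded password before JNDI properties reach a log, as an added example (not Qpid's code and not the fix for this issue). The class `JndiPropertyRedactor` and its methods are hypothetical, and the sample properties are constructed from the one shown in the report.

```java
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (hypothetical class, not Qpid code): mask URL passwords before logging JNDI properties. */
public class JndiPropertyRedactor {

    // Matches "scheme://user:password@" at the start of a value; group 1 keeps "scheme://user:".
    // Anchoring at the start means "tcp://localhost:5672" inside brokerlist is never touched.
    // The password part is greedy up to the last '@' before the first '/', so a password
    // that itself contains '@' is still masked in full.
    private static final Pattern USERINFO_PASSWORD =
            Pattern.compile("^(\\s*[A-Za-z][A-Za-z0-9+.-]*://[^:/@\\s]*:)[^/\\s]*@");

    /** Returns the value with any user-info password replaced by a fixed mask. */
    static String redactValue(String value) {
        Matcher m = USERINFO_PASSWORD.matcher(value);
        return m.find() ? m.replaceFirst("$1********@") : value;
    }

    /** Returns a sorted copy of the properties that is safe to hand to a logger. */
    static Map<String, String> redact(Properties props) {
        Map<String, String> safe = new TreeMap<>();
        for (String name : props.stringPropertyNames()) {
            safe.put(name, redactValue(props.getProperty(name)));
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample input, modelled on the property shown in the report.
        Properties props = new Properties();
        props.setProperty("java.naming.factory.initial",
                "org.apache.qpid.jndi.PropertiesFileInitialContextFactory");
        props.setProperty("connectionfactory.qpidConnectionFactory",
                "amqp://user:pass@clientid/?brokerlist='tcp://localhost:5672'");
        props.setProperty("connectionfactory.noCredentials",
                "amqp://clientid/?brokerlist='tcp://localhost:5672'");
        props.setProperty("queue.example", "exampleQueue");

        // Log the redacted copy, never the original Properties object.
        redact(props).forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```

Only the password in the URL's user-info part is masked; any other secret carried elsewhere in a property value would need its own rule.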