Posted to dev@openjpa.apache.org by "Michael Dick (JIRA)" <ji...@apache.org> on 2010/06/03 16:28:01 UTC

[jira] Updated: (OPENJPA-1678) SQL Parameter values may contain sensitive information and should not be logged by default.

     [ https://issues.apache.org/jira/browse/OPENJPA-1678?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Dick updated OPENJPA-1678:
----------------------------------

    Attachment: OPENJPA-1678-openjpa.CFProps.1.2.x.patch.txt
                OPENJPA-1678-openjpa.Log.1.2.x.patch.txt

I've tried it two ways. One uses openjpa.Log to control whether parameters are printed, the other uses openjpa.ConnectionFactoryProperties. 

The openjpa.Log approach is just a proof of concept. The changes will have to ripple through to any of our LogFactory classes - I just skipped that and cast to LogFactoryImpl.

The openjpa.CFProperties approach is a bit leaner and less intrusive (I'm leaning this way at the moment).

> SQL Parameter values may contain sensitive information and should not be logged by default.
> -------------------------------------------------------------------------------------------
>
>                 Key: OPENJPA-1678
>                 URL: https://issues.apache.org/jira/browse/OPENJPA-1678
>             Project: OpenJPA
>          Issue Type: Bug
>    Affects Versions: 1.0.3, 1.1.0, 1.2.2, 2.0.0, 2.1.0
>            Reporter: Michael Dick
>            Assignee: Michael Dick
>             Fix For: 1.0.4, 1.2.3, 2.0.1, 2.1.0
>
>         Attachments: OPENJPA-1678-openjpa.CFProps.1.2.x.patch.txt, OPENJPA-1678-openjpa.Log.1.2.x.patch.txt
>
>
> The values for parameters used in our SQL statements may contain sensitive information (e.g. social security numbers). By default these values are printed in the exception message and in SQL trace. Having the values printed can be a great help when debugging an application - but presents a risk when used in production. 
> To resolve the issue I propose to disable printing the parameter values by default. The parameter values will still be tracked internally - but will not be displayed in exception messages or trace unless the following property is set:
> <property name="openjpa.ConnectionFactoryProperties" value="printParameters=true"/>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
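The default-off parameter logging that the issue proposes, as an added example in Python (not OpenJPA's code): the wrapper class, its print_parameters flag and the sqlite3 sample table are constructed stand-ins for the openjpa.ConnectionFactoryProperties printParameters setting, and show the same trace and exception message with the values withheld and with them opted in.

```python
import logging
import sqlite3

# Constructed illustration of the proposal: the SQL text and its bound
# parameters stay together internally, but the values reach the SQL trace
# and exception messages only when print_parameters=True (default off).

LOG = logging.getLogger("sql.trace")


class TracingConnection:
    """Thin wrapper over a DB-API connection that controls parameter logging."""

    def __init__(self, conn, print_parameters=False):
        self.conn = conn
        self.print_parameters = print_parameters
        self.trace = []  # in-memory copy of what was logged, for inspection

    def render(self, sql, params):
        """Statement text used for trace and exception output."""
        if self.print_parameters:
            return f"{sql} [params={list(params)}]"
        # Keep the count so the trace still helps with placeholder mismatches
        return f"{sql} [params: {len(params)} value(s) withheld]"

    def execute(self, sql, params=()):
        text = self.render(sql, params)
        self.trace.append(text)
        LOG.debug("executing %s", text)
        try:
            return self.conn.execute(sql, params)
        except sqlite3.Error as exc:
            # Re-raise with the rendered statement; values appear only if opted in
            raise RuntimeError(f"{exc} while executing {text}") from exc


def duplicate_insert_message(print_parameters):
    """Force a UNIQUE violation and return the resulting exception message."""
    db = TracingConnection(sqlite3.connect(":memory:"), print_parameters)
    db.execute("CREATE TABLE person (name TEXT, ssn TEXT UNIQUE)")
    db.execute("INSERT INTO person VALUES (?, ?)", ("alice", "123-45-6789"))
    try:
        db.execute("INSERT INTO person VALUES (?, ?)", ("bob", "123-45-6789"))
    except RuntimeError as exc:
        return str(exc)
    return "no error"


if __name__ == "__main__":
    print(duplicate_insert_message(False))  # SSN withheld
    print(duplicate_insert_message(True))   # SSN shown, opted in
```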