You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@activemq.apache.org by "Kamal (JIRA)" <ji...@apache.org> on 2010/10/13 02:14:40 UTC
[jira] Updated: (AMQ-2858) ConnectionInfo does not override
toString to stop logging actual Password in case of Warning.
[ https://issues.apache.org/activemq/browse/AMQ-2858?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kamal updated AMQ-2858:
-----------------------
Description:
In case of exception as shown below, the ConnectionInfo logged as warning which logs Password in plain Text. Should have encrypted or log as XXXX or YYYY ...
If ConnectionInfo override the BaseCommand's toString(Map<String, Object>overrideFields) method and set Password as XXXXX... this would be better handled.
WARN org.apache.activemq.broker.TransportConnection.Service [ActiveMQ Transport Stopper: /134.42.197.187:2512] - Failed to remove connection ConnectionInfo {commandId = 1, responseRequired = true, connectionId = 4a6df719-b8ed-4431-a97f-52b93078f021, clientId = 2061e6c0-f8e0-4882-860c-89c3fd7e36db, userName = YYYYX *password = X2342$*, brokerPath = null, brokerMasterConnector = false, manageable = false, clientMaster = true}
java.lang.SecurityException: User is not authenticated.
at org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:52)
at org.apache.activemq.broker.MutableBrokerFilter.addDestination(MutableBrokerFilter.java:149)
at org.apache.activemq.broker.region.RegionBroker.send(RegionBroker.java:425)
at org.apache.activemq.broker.TransactionBroker.send(TransactionBroker.java:224)
at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:439)
at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:369)
at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:364)
at org.apache.activemq.advisory.AdvisoryBroker.removeConnection(AdvisoryBroker.java:223)
at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
at org.apache.activemq.broker.MutableBrokerFilter.removeConnection(MutableBrokerFilter.java:117)
at org.apache.activemq.broker.TransportConnection.processRemoveConnection(TransportConnection.java:709)
at org.apache.activemq.broker.TransportConnection.doStop(TransportConnection.java:976)
at org.apache.activemq.broker.jmx.ManagedTransportConnection.doStop(ManagedTransportConnection.java:71)
at org.apache.activemq.broker.TransportConnection$3.run(TransportConnection.java:907)
was:
In case of exception as shown below, the ConnectionInfo logged as warning which logs Password in plain Text. Should have encrypted or log as XXXX or YYYY ...
If ConnectionInfo override the BaseCommand's toString(Map<String, Object>overrideFields) method and set Password as XXXXX... this would be better handled.
WARN org.apache.activemq.broker.TransportConnection.Service [ActiveMQ Transport Stopper: /134.42.197.187:2512] - Failed to remove connection ConnectionInfo {commandId = 1, responseRequired = true, connectionId = 4a6df719-b8ed-4431-a97f-52b93078f021, clientId = 2061e6c0-f8e0-4882-860c-89c3fd7e36db, userName = YYYYX *password = X2342$*, brokerPath = null, brokerMasterConnector = false, manageable = false, clientMaster = true}
java.lang.SecurityException: User is not authenticated.
at org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:52)
at org.apache.activemq.broker.MutableBrokerFilter.addDestination(MutableBrokerFilter.java:149)
at org.apache.activemq.broker.region.RegionBroker.send(RegionBroker.java:425)
at org.apache.activemq.broker.TransactionBroker.send(TransactionBroker.java:224)
at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:439)
at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:369)
at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:364)
at org.apache.activemq.advisory.AdvisoryBroker.removeConnection(AdvisoryBroker.java:223)
at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
at org.apache.activemq.broker.MutableBrokerFilter.removeConnection(MutableBrokerFilter.java:117)
at org.apache.activemq.broker.TransportConnection.processRemoveConnection(TransportConnection.java:709)
at org.apache.activemq.broker.TransportConnection.doStop(TransportConnection.java:976)
at org.apache.activemq.broker.jmx.ManagedTransportConnection.doStop(ManagedTransportConnection.java:71)
at org.apache.activemq.broker.TransportConnection$3.run(TransportConnection.java:907)
This is different than https://issues.apache.org/activemq/browse/AMQ-2499
The exception is logged at WARN level with password in plain text.
> ConnectionInfo does not override toString to stop logging actual Password in case of Warning.
> ----------------------------------------------------------------------------------------------
>
> Key: AMQ-2858
> URL: https://issues.apache.org/activemq/browse/AMQ-2858
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.3.0
> Environment: Linux
> Reporter: Kamal
> Priority: Critical
>
> In case of exception as shown below, the ConnectionInfo logged as warning which logs Password in plain Text. Should have encrypted or log as XXXX or YYYY ...
> If ConnectionInfo override the BaseCommand's toString(Map<String, Object>overrideFields) method and set Password as XXXXX... this would be better handled.
> WARN org.apache.activemq.broker.TransportConnection.Service [ActiveMQ Transport Stopper: /134.42.197.187:2512] - Failed to remove connection ConnectionInfo {commandId = 1, responseRequired = true, connectionId = 4a6df719-b8ed-4431-a97f-52b93078f021, clientId = 2061e6c0-f8e0-4882-860c-89c3fd7e36db, userName = YYYYX *password = X2342$*, brokerPath = null, brokerMasterConnector = false, manageable = false, clientMaster = true}
> java.lang.SecurityException: User is not authenticated.
> at org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:52)
> at org.apache.activemq.broker.MutableBrokerFilter.addDestination(MutableBrokerFilter.java:149)
> at org.apache.activemq.broker.region.RegionBroker.send(RegionBroker.java:425)
> at org.apache.activemq.broker.TransactionBroker.send(TransactionBroker.java:224)
> at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:439)
> at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:369)
> at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:364)
> at org.apache.activemq.advisory.AdvisoryBroker.removeConnection(AdvisoryBroker.java:223)
> at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
> at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
> at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
> at org.apache.activemq.broker.MutableBrokerFilter.removeConnection(MutableBrokerFilter.java:117)
> at org.apache.activemq.broker.TransportConnection.processRemoveConnection(TransportConnection.java:709)
> at org.apache.activemq.broker.TransportConnection.doStop(TransportConnection.java:976)
> at org.apache.activemq.broker.jmx.ManagedTransportConnection.doStop(ManagedTransportConnection.java:71)
> at org.apache.activemq.broker.TransportConnection$3.run(TransportConnection.java:907)
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.