Posted to dev@activemq.apache.org by "Kamal (JIRA)" <ji...@apache.org> on 2010/08/06 03:37:07 UTC

[jira] Created: (AMQ-2858) ConnectionInfo does not override toString to stop logging actual Password in case of Warning.

ConnectionInfo does not override toString to stop logging actual Password in case of Warning. 
----------------------------------------------------------------------------------------------

                 Key: AMQ-2858
                 URL: https://issues.apache.org/activemq/browse/AMQ-2858
             Project: ActiveMQ
          Issue Type: Bug
          Components: Broker
    Affects Versions: 5.3.0
         Environment: Linux
            Reporter: Kamal
            Priority: Critical



In case of an exception as shown below, the ConnectionInfo is logged as a warning, which logs the password in plain text. It should have been encrypted or logged as XXXX or YYYY ...

If ConnectionInfo overrides BaseCommand's toString(Map<String, Object> overrideFields) method and sets the password as XXXXX..., this would be better handled.

WARN  org.apache.activemq.broker.TransportConnection.Service [ActiveMQ Transport Stopper: /134.42.197.187:2512] - Failed to remove connection ConnectionInfo {commandId = 1, responseRequired = true, connectionId = 4a6df719-b8ed-4431-a97f-52b93078f021, clientId = 2061e6c0-f8e0-4882-860c-89c3fd7e36db, userName = YYYYX *password = X2342$*, brokerPath = null, brokerMasterConnector = false, manageable = false, clientMaster = true}
java.lang.SecurityException: User is not authenticated.
	at org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:52)
	at org.apache.activemq.broker.MutableBrokerFilter.addDestination(MutableBrokerFilter.java:149)
	at org.apache.activemq.broker.region.RegionBroker.send(RegionBroker.java:425)
	at org.apache.activemq.broker.TransactionBroker.send(TransactionBroker.java:224)
	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:439)
	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:369)
	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:364)
	at org.apache.activemq.advisory.AdvisoryBroker.removeConnection(AdvisoryBroker.java:223)
	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
	at org.apache.activemq.broker.MutableBrokerFilter.removeConnection(MutableBrokerFilter.java:117)
	at org.apache.activemq.broker.TransportConnection.processRemoveConnection(TransportConnection.java:709)
	at org.apache.activemq.broker.TransportConnection.doStop(TransportConnection.java:976)
	at org.apache.activemq.broker.jmx.ManagedTransportConnection.doStop(ManagedTransportConnection.java:71)
	at org.apache.activemq.broker.TransportConnection$3.run(TransportConnection.java:907)


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
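
The masking approach suggested in the report, as an added Java example that is not ActiveMQ's code and not part of the original messages. CommandBase and ConnectionRecord are hypothetical stand-ins for BaseCommand and ConnectionInfo, and the credentials are constructed sample values.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical stand-ins, not ActiveMQ classes: CommandBase plays the role of a
// base command whose toString() dumps every instance field reflectively.
public class MaskedToStringDemo {
    static class CommandBase {
        int commandId = 1;

        @Override public String toString() { return toString(null); }

        // Entries in overrideFields replace the real field value in the output.
        String toString(Map<String, Object> overrideFields) {
            Map<String, Object> out = new LinkedHashMap<>();
            for (Class<?> c = getClass(); c != Object.class; c = c.getSuperclass()) {
                for (Field f : c.getDeclaredFields()) {
                    if (Modifier.isStatic(f.getModifiers()) || f.isSynthetic()) continue;
                    try {
                        f.setAccessible(true);
                        out.put(f.getName(), f.get(this));
                    } catch (IllegalAccessException e) {
                        out.put(f.getName(), "<inaccessible>");
                    }
                }
            }
            if (overrideFields != null) out.replaceAll((k, v) -> overrideFields.getOrDefault(k, v));
            return getClass().getSimpleName() + " " + out;
        }
    }

    static class ConnectionRecord extends CommandBase {
        String userName, password;
        ConnectionRecord(String userName, String password) { this.userName = userName; this.password = password; }
        // Mask only when a password is set, so an unset (null) password stays visible as null.
        @Override public String toString() {
            Map<String, Object> masked = new LinkedHashMap<>();
            if (password != null) masked.put("password", "*****");
            return super.toString(masked);
        }
    }

    public static void main(String[] args) {
        ConnectionRecord info = new ConnectionRecord("alice", "constructed-secret");
        // Same shape as the WARN line in the report: the object is concatenated into the message.
        System.out.println("Failed to remove connection " + info);
    }
}
```

Masking inside toString() covers every call site that concatenates the object into a log message or exception text, rather than relying on each log statement to redact it.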


[jira] Updated: (AMQ-2858) ConnectionInfo does not override toString to stop logging actual Password in case of Warning.

Posted by "Kamal (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/AMQ-2858?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kamal updated AMQ-2858:
-----------------------

    Description: 
In case of an exception as shown below, the ConnectionInfo is logged as a warning, which logs the password in plain text. It should have been encrypted or logged as XXXX or YYYY ...

If ConnectionInfo overrides BaseCommand's toString(Map<String, Object> overrideFields) method and sets the password as XXXXX..., this would be better handled.

WARN  org.apache.activemq.broker.TransportConnection.Service [ActiveMQ Transport Stopper: /134.42.197.187:2512] - Failed to remove connection ConnectionInfo {commandId = 1, responseRequired = true, connectionId = 4a6df719-b8ed-4431-a97f-52b93078f021, clientId = 2061e6c0-f8e0-4882-860c-89c3fd7e36db, userName = YYYYX *password = X2342$*, brokerPath = null, brokerMasterConnector = false, manageable = false, clientMaster = true}
java.lang.SecurityException: User is not authenticated.
	at org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:52)
	at org.apache.activemq.broker.MutableBrokerFilter.addDestination(MutableBrokerFilter.java:149)
	at org.apache.activemq.broker.region.RegionBroker.send(RegionBroker.java:425)
	at org.apache.activemq.broker.TransactionBroker.send(TransactionBroker.java:224)
	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:439)
	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:369)
	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:364)
	at org.apache.activemq.advisory.AdvisoryBroker.removeConnection(AdvisoryBroker.java:223)
	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
	at org.apache.activemq.broker.MutableBrokerFilter.removeConnection(MutableBrokerFilter.java:117)
	at org.apache.activemq.broker.TransportConnection.processRemoveConnection(TransportConnection.java:709)
	at org.apache.activemq.broker.TransportConnection.doStop(TransportConnection.java:976)
	at org.apache.activemq.broker.jmx.ManagedTransportConnection.doStop(ManagedTransportConnection.java:71)
	at org.apache.activemq.broker.TransportConnection$3.run(TransportConnection.java:907)


  was:

In case of an exception as shown below, the ConnectionInfo is logged as a warning, which logs the password in plain text. It should have been encrypted or logged as XXXX or YYYY ...

If ConnectionInfo overrides BaseCommand's toString(Map<String, Object> overrideFields) method and sets the password as XXXXX..., this would be better handled.

WARN  org.apache.activemq.broker.TransportConnection.Service [ActiveMQ Transport Stopper: /134.42.197.187:2512] - Failed to remove connection ConnectionInfo {commandId = 1, responseRequired = true, connectionId = 4a6df719-b8ed-4431-a97f-52b93078f021, clientId = 2061e6c0-f8e0-4882-860c-89c3fd7e36db, userName = YYYYX *password = X2342$*, brokerPath = null, brokerMasterConnector = false, manageable = false, clientMaster = true}
java.lang.SecurityException: User is not authenticated.
	at org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:52)
	at org.apache.activemq.broker.MutableBrokerFilter.addDestination(MutableBrokerFilter.java:149)
	at org.apache.activemq.broker.region.RegionBroker.send(RegionBroker.java:425)
	at org.apache.activemq.broker.TransactionBroker.send(TransactionBroker.java:224)
	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:439)
	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:369)
	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:364)
	at org.apache.activemq.advisory.AdvisoryBroker.removeConnection(AdvisoryBroker.java:223)
	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
	at org.apache.activemq.broker.MutableBrokerFilter.removeConnection(MutableBrokerFilter.java:117)
	at org.apache.activemq.broker.TransportConnection.processRemoveConnection(TransportConnection.java:709)
	at org.apache.activemq.broker.TransportConnection.doStop(TransportConnection.java:976)
	at org.apache.activemq.broker.jmx.ManagedTransportConnection.doStop(ManagedTransportConnection.java:71)
	at org.apache.activemq.broker.TransportConnection$3.run(TransportConnection.java:907)



This is different than https://issues.apache.org/activemq/browse/AMQ-2499

The exception is logged at WARN level with password in plain text. 





[jira] Commented: (AMQ-2858) ConnectionInfo does not override toString to stop logging actual Password in case of Warning.

Posted by "Dejan Bosanac (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/activemq/browse/AMQ-2858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=62519#action_62519 ] 

Dejan Bosanac commented on AMQ-2858:
------------------------------------

This sounds like a duplicate of https://issues.apache.org/activemq/browse/AMQ-2499 and should be fixed in later versions.
