Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2015/04/23 17:52:39 UTC

[jira] [Resolved] (QPID-6496) PropertiesFileInitialContextFactory logs properties at INFO which may allow a password to be logged in clear

     [ https://issues.apache.org/jira/browse/QPID-6496?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keith Wall resolved QPID-6496.
------------------------------
    Resolution: Fixed

> PropertiesFileInitialContextFactory logs properties at INFO which may allow a password to be logged in clear
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-6496
>                 URL: https://issues.apache.org/jira/browse/QPID-6496
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Client
>    Affects Versions: 0.8, 0.32
>            Reporter: Keith Wall
>            Priority: Minor
>             Fix For: 6.0 [Java]
>
>         Attachments: 0001-QPID-6496-Java-Client-removed-logging-of-initial-con.patch
>
>
> PropertiesFileInitialContextFactory logs all properties at INFO whilst creating the InitialContext.  As the properties could include connection factory definition(s) and connection factory definitions allow a password to be embedded within them, this could mean cleartext passwords are logged.
> {noformat}
> connectionfactory.qpidConnectionFactory = amqp://user:pass@clientid/?brokerlist='tcp://localhost:5672'
> {noformat}
> This problem will only manifest if logger org.apache.qpid.jndi is enabled at INFO or lower.  The client offers no built-in mechanism to enable this logging (it is delegated to the application).
> It won't affect users specifying credentials using ConnectionFactory#createConnection(user,password).  Nor does it affect users using authentication mechanisms that do not rely on a client-side password, i.e. SSL client auth, Kerberos.
>   
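
An added example, not the Qpid patch and not code from the project: one way an application that logs its own JNDI properties could mask the password embedded in a connectionfactory.* URL of the form shown in the issue. The class name JndiPropertyRedactor and its methods are hypothetical, and the sample properties are constructed.

```java
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper (not part of Qpid): builds a copy of a Properties
// object that is safe to log, with URL passwords masked.
public class JndiPropertyRedactor {

    // Group 1 is "://user:". The greedy class after it runs to the LAST '@'
    // before the first '/', '?' or '#', so a password containing '@' or ':'
    // is masked as a whole.
    private static final Pattern USERINFO =
            Pattern.compile("(://[^:/?#@\\s]*:)[^/?#\\s]*@");

    static String redact(String key, String value) {
        if (value == null) {
            return null;
        }
        Matcher m = USERINFO.matcher(value);
        if (m.find()) {
            return m.replaceAll("$1********@");
        }
        // Fail closed: a connection factory value that still contains '@'
        // did not parse as expected (for example an unencoded '/' in the
        // password), so hide the whole value rather than risk a leak.
        if (key.startsWith("connectionfactory.") && value.indexOf('@') >= 0) {
            return "<redacted>";
        }
        return value;
    }

    static Map<String, String> loggableView(Properties props) {
        Map<String, String> out = new TreeMap<>();
        for (String key : props.stringPropertyNames()) {
            out.put(key, redact(key, props.getProperty(key)));
        }
        return out;
    }

    public static void main(String[] args) {
        Properties p = new Properties(); // constructed sample input
        p.setProperty("java.naming.factory.initial",
                "org.apache.qpid.jndi.PropertiesFileInitialContextFactory");
        p.setProperty("connectionfactory.qpidConnectionFactory",
                "amqp://user:pass@clientid/?brokerlist='tcp://localhost:5672'");
        System.out.println(loggableView(p));
    }
}
```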


