Posted to issues@cxf.apache.org by "Daniel (Jira)" <ji...@apache.org> on 2022/04/12 13:57:00 UTC

[jira] [Created] (CXF-8691) Logging Feature - Sensitive element with arrays

Daniel created CXF-8691:
---------------------------

             Summary: Logging Feature - Sensitive element with arrays
                 Key: CXF-8691
                 URL: https://issues.apache.org/jira/browse/CXF-8691
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS
         Environment: Tested with 3.4.0 as well as 3.5.1
            Reporter: Daniel


Hi,

I am trying to use the LoggingFeature within cxf-rt and hide sensitive element names.

The code I use looks like the following:

 
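{code:java}
import java.util.Arrays;
import java.util.HashSet;
import org.apache.cxf.ext.logging.LoggingFeature;

LoggingFeature loggingFeature = new LoggingFeature();
loggingFeature.setLogBinary(false);
loggingFeature.setPrettyLogging(true);
loggingFeature.setLogMultipart(false);
// Values of elements named "password" should be masked in the logged payload
loggingFeature.addSensitiveElementNames(new HashSet<>(Arrays.asList("password")));
{code}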
Payload:
{code:java}
private final String shortName;

private final char[] password;
{code}
 

Output:

 
{code:java}
[services.ObaWebservicePort.REQ_OUT] INFO  - REQ_OUT
    Address: http://<some-url>
    HttpMethod: POST
    Content-Type: application/json
    ExchangeId: 560b73ae-e7e0-4687-9674-19ee72995a08
    Headers: {Accept=text/plain, Accept-Encoding=gzip;q=1.0, identity; q=0.5, *;q=0, Content-Type=application/json}
    Payload: {"shortName":"UserName","password":["G","e","h","e","i","m","1","2","3","!"]}
{code}
As you can see, my password is not hidden in the output of the payload. It is important to mention that the field "password" in my code is declared as a char-array.

However, if I add "shortName" to the sensitiveElementNames, everything works as expected. The shortName is hidden (XXX), due to it being declared as a String.

I looked at the source code and tracked the problem down to a regex. "password" is not found, as the value is an array (MaskSensitiveHelper.java)

 



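The failure mode reported above, as an added example that is not CXF code and not from the reporter: a mask pattern that only accepts a quoted string after the element name leaves an array-valued field in the log, while a pattern that also accepts a flat array of JSON strings masks it. The class name, both patterns and the sample payload are assumptions made for illustration; the pattern CXF actually uses may differ.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Illustrative sketch only: hypothetical class, not the CXF implementation.
public class ArrayAwareMasker {
    // A JSON string literal, including escaped characters such as \" and \\.
    private static final String JSON_STRING = "\"(?:[^\"\\\\]|\\\\.)*\"";
    // A flat array of JSON strings, the shape a char[] took in the reported payload.
    private static final String STRING_ARRAY =
        "\\[\\s*(?:" + JSON_STRING + "\\s*(?:,\\s*" + JSON_STRING + "\\s*)*)?\\]";

    // Assumed "before" behaviour: only string values are recognized after the name.
    static String maskStringsOnly(String json, Set<String> names) {
        return mask(json, names, JSON_STRING);
    }

    // Also recognizes an array of strings and replaces the whole array.
    static String maskStringsAndArrays(String json, Set<String> names) {
        return mask(json, names, "(?:" + JSON_STRING + "|" + STRING_ARRAY + ")");
    }

    private static String mask(String json, Set<String> names, String valuePattern) {
        String result = json;
        for (String name : names) {
            // Group 1 keeps the '"name":' prefix; the matched value becomes "XXX".
            Pattern p = Pattern.compile(
                "(\"" + Pattern.quote(name) + "\"\\s*:\\s*)" + valuePattern);
            result = p.matcher(result).replaceAll("$1\"XXX\"");
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed payload; the array holds a ']' and an escaped quote as edge cases.
        String payload =
            "{\"shortName\":\"UserName\",\"password\":[\"a\",\"]\",\"\\\"\",\"z\"]}";
        Set<String> sensitive = Set.of("password");
        System.out.println(maskStringsOnly(payload, sensitive));      // array left in clear
        System.out.println(maskStringsAndArrays(payload, sensitive)); // array masked
    }
}
```

The array pattern covers only flat arrays of strings; numeric, nested or object values under a sensitive name still pass through, so masking on a parsed JSON tree is the more robust approach where a parser is available.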