You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2020/11/02 06:56:00 UTC
[jira] [Updated] (CXF-8359) Masking sensitive elements does not
work if the element has a property
[ https://issues.apache.org/jira/browse/CXF-8359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated CXF-8359:
-------------------------------------
Fix Version/s: 3.4.1
> Masking sensitive elements does not work if the element has a property
> ----------------------------------------------------------------------
>
> Key: CXF-8359
> URL: https://issues.apache.org/jira/browse/CXF-8359
> Project: CXF
> Issue Type: Improvement
> Components: logging
> Affects Versions: 3.4.0
> Reporter: Finn Herpich
> Assignee: Andrei Shakirin
> Priority: Major
> Fix For: 3.4.1
>
>
> Given the template which is used in the MaskSensitiveHelper class: [https://github.com/apache/cxf/blob/dc2f6af9ad09888cafb350f95935e9ec6abf8aee/rt/features/logging/src/main/java/org/apache/cxf/ext/logging/MaskSensitiveHelper.java#L30]
> If, for example, we want to mask the wsse:Password element
> {code:java}
> logFeature.addSensitiveElementNames(new HashSet<>(Collections.singletonList("wsse:Password")));{code}
> but it contains a property
> {code:java}
> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">some cleantext password</wsse:Password>{code}
> the regex would not pickup the element and thus not replace it and the password would still appear in the logs.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)