Posted to dev@qpid.apache.org by "Robbie Gemmell (Jira)" <ji...@apache.org> on 2023/05/15 13:54:00 UTC

[jira] [Commented] (QPIDJMS-588) when invalid failover URI supplied, password can be present in log file

    [ https://issues.apache.org/jira/browse/QPIDJMS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17722786#comment-17722786 ] 

Robbie Gemmell commented on QPIDJMS-588:
----------------------------------------

This presumably happens because the code in the ConnectionFactory which normally rejects the invalid presence of userinfo detail in the base URI doesn't apply to failover URIs, which are instead handled later by the failover provider to extract individual server details, which presumably isn't enforcing the same check for invalid presence of userinfo detail in the base URI. The later created Connection then doesn't anticipate userinfo being present in its base URI since it is not considered valid to be there in the client URI, and it then logs the base URI (first stripping the query, which might have had user detail props contained). For now: remove the invalid userinfo detail from your URI; it isn't being used from there anyway.

> when invalid failover URI supplied, password can be present in log file
> -----------------------------------------------------------------------
>
>                 Key: QPIDJMS-588
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-588
>             Project: Qpid JMS
>          Issue Type: Bug
>          Components: qpid-jms-client
>    Affects Versions: 2.2.0
>         Environment: We are currently using Apache Qpid 2.2.0
>            Reporter: Patrick Gell
>            Priority: Minor
>              Labels: password, security
>
> If I have a failover URL with `user:password` configured then the password is logged in plain text.
> BrokerURL: failover:(amqp://myactivemquser:my-secure-password@localhost:5672)
> Log extract:
> 2023-05-15 13:04:42.484  INFO [localhost:5672]] org.apache.qpid.jms.JmsConnection        : Connection ID:83323730-746c-4430-988f-e9e5f699dc1c:1 connected to server: amqp://myactivemquser:my-secure-password@localhost:5672
>  
> Expected behaviour:
> The password is masked in the log or an IllegalArgumentException is thrown similar to the non failover URL:
> amqp://myactivemquser:my-secure-password@localhost:5672 results in a
> ...
> Caused by: java.lang.IllegalArgumentException: The supplied URI cannot contain a User-Info section
>     at org.apache.qpid.jms.JmsConnectionFactory.setRemoteURI(JmsConnectionFactory.java:406)
>     at org.amqphub.spring.boot.jms.autoconfigure.AMQP10JMSConnectionFactoryFactory.createConnectionFactory(AMQP10JMSConnectionFactoryFactory.java:66)
>     ... 69 common frames omitted
>  
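An added example, not Qpid JMS code, of the two defensive measures the comment above implies: applying the same user-info rejection to each member of a failover URI that the plain amqp:// path already applies, and redacting user-info before a URI reaches a log line. The failover:(...) parsing, the class and method names are assumptions of this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
// Added example, not Qpid JMS code: reject user-info in every failover member, redact before logging.
public final class FailoverUriCheck {
    // Extracts the comma-separated member URIs from "failover:(a,b,...)?opts".
    // The failover:(...) shape follows the report; the parsing here is an assumption.
    static List<String> members(String uri) {
        String s = uri.trim();
        if (s.startsWith("failover:")) {
            s = s.substring("failover:".length());
            if (s.startsWith("//")) s = s.substring(2);
            int open = s.indexOf('('), close = s.lastIndexOf(')');
            if (open >= 0 && close > open) {
                s = s.substring(open + 1, close); // drops the parens and any trailing ?options
            }
        }
        List<String> out = new ArrayList<>();
        for (String part : s.split(",")) {
            if (!part.trim().isEmpty()) out.add(part.trim());
        }
        return out;
    }
    // Throws for any member carrying user-info, as the non-failover path already does.
    static void rejectUserInfo(String uri) throws URISyntaxException {
        for (String member : members(uri)) {
            if (new URI(member).getUserInfo() != null) {
                throw new IllegalArgumentException(
                    "The supplied URI cannot contain a User-Info section: " + redact(member));
            }
        }
    }
    // Replaces any user[:password]@ before the host with ***@ so the URI is safe to log.
    static String redact(String uri) {
        return uri.replaceAll("://[^/?@]+@", "://***@");
    }
    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample in the shape from the report, with a made-up password.
        String bad = "failover:(amqp://myactivemquser:my-secure-password@localhost:5672)";
        System.out.println("logged as: " + redact(bad));
        try {
            rejectUserInfo(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running rejectUserInfo over the connection URI before it is handed to the factory gives the failover case the same early failure the reporter sees for the plain amqp:// URI, and redact is what a log appender or wrapper should apply to any URI it prints.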


