Posted to issues@cxf.apache.org by "Andriy Redko (Jira)" <ji...@apache.org> on 2022/04/16 03:15:00 UTC

[jira] [Commented] (CXF-8691) Logging Feature - Sensitive element with arrays

    [ https://issues.apache.org/jira/browse/CXF-8691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17523010#comment-17523010 ] 

Andriy Redko commented on CXF-8691:
-----------------------------------

Thanks [~fwshngtn], this is indeed an edge case. I believe the fact that `password` is a JSON array, not a JSON string (in this case), is the culprit.

> Logging Feature - Sensitive element with arrays
> -----------------------------------------------
>
>                 Key: CXF-8691
>                 URL: https://issues.apache.org/jira/browse/CXF-8691
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 3.4.0, 3.5.1
>            Reporter: Daniel
>            Assignee: Andriy Redko
>            Priority: Minor
>              Labels: Logging
>
> Hi,
> I am trying to use the LoggingFeature within cxf-rt and hide sensitive element names.
> The code I use looks like the following:
>  
> {code:java}
> LoggingFeature loggingFeature = new LoggingFeature();
> loggingFeature.setLogBinary(false);
> loggingFeature.setPrettyLogging(true);
> loggingFeature.setLogMultipart(false);
> loggingFeature.addSensitiveElementNames(new HashSet<>(Arrays.asList("password")));
>  {code}
> Payload:
> {code:java}
> private final String shortName;
> private final char[] password;
> {code}
>  
> Output:
>  
> {code:java}
> [services.MyWebservicePort.REQ_OUT] INFO  - REQ_OUT
>     Address: http://<some-url>
>     HttpMethod: POST
>     Content-Type: application/json
>     ExchangeId: 560b73ae-e7e0-4687-9674-19ee72995a08
>     Headers: {Accept=text/plain, Accept-Encoding=gzip;q=1.0, identity; q=0.5, *;q=0, Content-Type=application/json}
>     Payload: {"shortName":"UserName","password":["G","e","h","e","i","m","1","2","3","!"]}
> {code}
> As you can see, my password is not hidden in the output of the payload. It is important to mention that the field "password" in my code is declared as a char-array.
> However, if I add "shortName" to the sensitiveElementNames, everything works as expected. The shortName is hidden (XXX), due to it being declared as a String.
> I looked at the source code and tracked the problem down to a regex. "password" is not found, as the value is an array (MaskSensitiveHelper.java)
>  
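
The failure mode discussed in this thread, as an added example that is not CXF's code and not from either participant: a name-based masking regex that only expects a quoted string value leaves a serialized `char[]` untouched, while a pattern that also accepts an array of strings masks it. The class name, method names and both patterns are assumptions made for illustration; only the payload and the `XXX` mask come from the report.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class MaskJsonArrayDemo {
    // Assumed pattern: one quoted JSON string, escapes allowed.
    private static final String STR = "\"(?:[^\"\\\\]|\\\\.)*\"";
    // Assumed pattern: an array of JSON strings, which is how a char[] is serialized in the report.
    private static final String STR_ARRAY =
            "\\[\\s*(?:" + STR + "\\s*(?:,\\s*" + STR + "\\s*)*)?\\]";

    // Weak form: only a string value after the sensitive name is replaced.
    static String maskStringsOnly(String json, List<String> names) {
        return mask(json, names, STR);
    }

    // Hardened form: a string value or an array of strings is replaced.
    static String maskStringsAndArrays(String json, List<String> names) {
        return mask(json, names, "(?:" + STR + "|" + STR_ARRAY + ")");
    }

    private static String mask(String json, List<String> names, String valuePattern) {
        String result = json;
        for (String name : names) {
            // Group 1 keeps the key and the colon; the whole value becomes "XXX".
            Pattern p = Pattern.compile(
                    "(\"" + Pattern.quote(name) + "\"\\s*:\\s*)" + valuePattern);
            result = p.matcher(result).replaceAll("$1\"XXX\"");
        }
        return result;
    }

    public static void main(String[] args) {
        // Payload copied from the report above.
        String payload = "{\"shortName\":\"UserName\",\"password\":"
                + "[\"G\",\"e\",\"h\",\"e\",\"i\",\"m\",\"1\",\"2\",\"3\",\"!\"]}";
        List<String> names = Arrays.asList("password");

        String weak = maskStringsOnly(payload, names);
        String hardened = maskStringsAndArrays(payload, names);

        // The weak form returns the payload unchanged, so the secret reaches the log.
        System.out.println("strings only      : " + weak);
        System.out.println("leaked unchanged  : " + weak.equals(payload));
        System.out.println("strings and arrays: " + hardened);
    }
}
```

Text-level patterns like these still miss numeric values and nested objects; masking on the parsed JSON tree by key name avoids depending on the value's shape.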


