Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2021/09/14 11:37:00 UTC

[jira] [Commented] (CXF-8563) Authorization header logged may contain sensitive data

    [ https://issues.apache.org/jira/browse/CXF-8563?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17414889#comment-17414889 ] 

Colm O hEigeartaigh commented on CXF-8563:
------------------------------------------

CXF 3.2.x is not supported any longer, so we won't be backmerging the fix to here.

> Authorization header logged may contain sensitive data
> ------------------------------------------------------
>
>                 Key: CXF-8563
>                 URL: https://issues.apache.org/jira/browse/CXF-8563
>             Project: CXF
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 3.2.14
>            Reporter: Marcin Noworzyn
>            Priority: Major
>
> Logging the category {{org.apache.cxf.services}} on INFO level may leak personal user passwords (similar to CXF-7070 - HTTP headers logged in debug). When users are authenticating to a SOAP web service, the full request is logged, including the 'Authorization' header.
> Example: *Authorization=[Basic Y29kZW5vdGZvdW5kOnA0NTV3MHJk]*
> {code:java}
> Address: http://localhost:9090/codenotfound/ws/ticketagent
> Encoding: UTF-8
> Http-Method: POST
> Content-Type: text/xml; charset=UTF-8
> Headers: {Accept=[*/*], Authorization=[Basic Y29kZW5vdGZvdW5kOnA0NTV3MHJk], cache-control=[no-cache], connection=[keep-alive], Content-Length=[181], content-type=[text/xml; charset=UTF-8], host=[localhost:9090], pragma=[no-cache], SOAPAction=[""], user-agent=[Apache-CXF/3.2.14]}
> Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:listFlightsRequest xmlns:ns2="http://example.org/TicketAgent.xsd"/></soap:Body></soap:Envelope>
> {code}
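Added example, not code from CXF, from the reporter or from the commenter: the mitigation for the leak described above is to redact credential-bearing headers before the header map is rendered into a log line. The hypothetical `HeaderRedactor` class below rebuilds the header map from the report (the Basic credential is the dummy value from the report, treated here as constructed sample data), masks the credential part of `Authorization`-style headers while keeping the scheme, masks cookie headers entirely, and prints the unsafe and redacted forms side by side. The header-name set and the `***` mask are assumptions chosen for this example.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Hypothetical helper (not CXF code) that redacts sensitive HTTP headers
 * before a request is logged, so a log line like the one in CXF-8563
 * never carries a usable credential.
 */
public final class HeaderRedactor {

    /** Headers whose values must never reach a log line; matched case-insensitively. */
    private static final Set<String> CREDENTIAL_HEADERS;
    private static final Set<String> COOKIE_HEADERS;
    private static final String MASK = "***";

    static {
        Set<String> creds = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        creds.add("Authorization");
        creds.add("Proxy-Authorization");
        CREDENTIAL_HEADERS = Collections.unmodifiableSet(creds);

        Set<String> cookies = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        cookies.add("Cookie");
        cookies.add("Set-Cookie");
        COOKIE_HEADERS = Collections.unmodifiableSet(cookies);
    }

    private HeaderRedactor() {}

    /**
     * Masks a credential header value but keeps the auth scheme, e.g.
     * "Basic Y29k..." becomes "Basic ***", so the log still shows which
     * mechanism was used without exposing the secret.
     */
    static String maskCredential(String value) {
        int space = value.indexOf(' ');
        if (space <= 0) {
            return MASK;
        }
        return value.substring(0, space) + " " + MASK;
    }

    /** Returns a redacted copy of the headers; the input map is not modified. */
    public static Map<String, List<String>> redact(Map<String, List<String>> headers) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            String name = e.getKey();
            List<String> masked = new ArrayList<>();
            for (String v : e.getValue()) {
                if (CREDENTIAL_HEADERS.contains(name)) {
                    masked.add(maskCredential(v));
                } else if (COOKIE_HEADERS.contains(name)) {
                    masked.add(MASK);
                } else {
                    masked.add(v);
                }
            }
            out.put(name, masked);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the "Headers:" line in the report.
        Map<String, List<String>> headers = new LinkedHashMap<>();
        headers.put("Accept", List.of("*/*"));
        headers.put("Authorization", List.of("Basic Y29kZW5vdGZvdW5kOnA0NTV3MHJk"));
        headers.put("content-type", List.of("text/xml; charset=UTF-8"));
        headers.put("host", List.of("localhost:9090"));
        headers.put("SOAPAction", List.of("\"\""));

        // What the INFO logger in the report prints today, versus the redacted form.
        System.out.println("Unsafe:   Headers: " + headers);
        System.out.println("Redacted: Headers: " + redact(headers));
    }
}
```

Running `main` prints the `Authorization` entry as `Basic ***` in the redacted line. Because the header-name sets use `String.CASE_INSENSITIVE_ORDER`, a header sent as `authorization` (as some clients do) is masked as well; a case-sensitive check would be an easy way to reintroduce the leak.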



--
This message was sent by Atlassian Jira
(v8.3.4#803005)