You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Timothy Bish (JIRA)" <ji...@apache.org> on 2018/10/29 14:35:00 UTC
[jira] [Updated] (QPIDJMS-423) Log only connection URI in the
connection initialized
[ https://issues.apache.org/jira/browse/QPIDJMS-423?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Timothy Bish updated QPIDJMS-423:
---------------------------------
Summary: Log only connection URI in the connection initialized (was: Avoid disclosing sensitive info when logging Remote Broker URI)
> Log only connection URI in the connection initialized
> ------------------------------------------------------
>
> Key: QPIDJMS-423
> URL: https://issues.apache.org/jira/browse/QPIDJMS-423
> Project: Qpid JMS
> Issue Type: Improvement
> Components: qpid-jms-client
> Affects Versions: 0.37.0
> Reporter: Benoit Devos
> Priority: Minor
>
> The broker URI may contain sensitive info (like path to trust / key stores, and related *passwords*), and this info is being logged.
> Sample:
> {code:xml}
> <bean id="jmsConnectionFactory" class="org.apache.qpid.jms.JmsConnectionFactory">
> <constructor-arg name="remoteURI" value="amqps://some-location:5671?
> transport.keyStoreLocation=/very/long/path/nnn-openssl.p12&
> transport.keyStorePassword=*******&
> transport.trustStoreLocation=/very/long/path/server.keystore&
> transport.trustStorePassword=*******"/>
> </bean>
> {code}
> The method JmsConnection.onConnectionEstablished(final URI remoteURI) logs this URI as is, therefore disclosing some passwords.
> Only essential info just be logged, i.e. scheme, host and port.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org