[ https://issues.apache.org/jira/browse/QPIDJMS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17722984#comment-17722984 ]
Patrick Gell commented on QPIDJMS-588:
--------------------------------------

Thanks for the fast reply.
What should be the correct handling of such a URL? Throw an IllegalArgumentException?

I could have a look into it and provide a pull request for that.

Best regards,
Patrick

> when invalid failover URI supplied, password can be present in log file
> -----------------------------------------------------------------------
>
>                 Key: QPIDJMS-588
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-588
>             Project: Qpid JMS
>          Issue Type: Bug
>          Components: qpid-jms-client
>    Affects Versions: 2.2.0
>         Environment: We are currently using Apache Qpid 2.2.0
>            Reporter: Patrick Gell
>            Priority: Minor
>              Labels: password, security
>
> If I have a failover URL with `user:password` configured then the password is
> logged in plain text.
> {+}BrokerURL{+}:
> failover:(amqp://{*}myactivemquser:my-secure-password{*}@localhost:5672)
> +Log extract:+
> 2023-05-15 13:04:42.484 INFO [localhost:5672]]
> org.apache.qpid.jms.JmsConnection : Connection
> ID:83323730-746c-4430-988f-e9e5f699dc1c:1 connected to server:
> amqp://{*}myactivemquser:my-secure-password{*}@localhost:5672
>
> Expected behaviour:
> The password is masked in the log or an IllegalArgumentException is thrown
> similar to the non-failover URL:
> amqp://{*}myactivemquser:my-secure-password{*}@localhost:5672 results in a
> ...
> Caused by: java.lang.IllegalArgumentException: The supplied URI cannot
> contain a User-Info section
>     at org.apache.qpid.jms.JmsConnectionFactory.setRemoteURI(JmsConnectionFactory.java:406)
>     at org.amqphub.spring.boot.jms.autoconfigure.AMQP10JMSConnectionFactoryFactory.createConnectionFactory(AMQP10JMSConnectionFactoryFactory.java:66)
>     ... 69 common frames omitted
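
The two behaviours discussed in this message (mask the password before logging, or reject the URI as the non-failover path does), sketched as an added example that is not part of the original message or of the Qpid JMS code base. The class and method names are hypothetical, and the sample URIs other than the one quoted in the issue are constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper, not a Qpid JMS class.
public class FailoverUriUserInfo {

    // Authority user-info: everything between "//" and the last '@' that comes
    // before the next '/', '?', '#', ',', parenthesis or whitespace. Excluding ','
    // and parentheses keeps a match inside one nested URI of a failover:(...) list.
    private static final Pattern USER_INFO = Pattern.compile("(?<=//)[^/?#,()\\s]*@");

    /** True if the plain or composite URI string carries user-info in any nested URI. */
    static boolean hasUserInfo(String uri) {
        return USER_INFO.matcher(uri).find();
    }

    /** Returns a copy that is safe to log: each user-info section becomes "***". */
    static String redact(String uri) {
        return USER_INFO.matcher(uri).replaceAll(Matcher.quoteReplacement("***@"));
    }

    /** Fail-fast variant, reusing the message the non-failover path reports in the issue. */
    static String requireNoUserInfo(String uri) {
        if (hasUserInfo(uri)) {
            // The exception text must not echo the URI, or the secret leaks again.
            throw new IllegalArgumentException("The supplied URI cannot contain a User-Info section");
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the broker-a/broker-b hosts are made up.
        String[] samples = {
            "failover:(amqp://myactivemquser:my-secure-password@localhost:5672)",
            "failover:(amqp://u1:p1@broker-a.example:5672,amqp://broker-b.example:5672)",
            "amqp://localhost:5672"
        };
        for (String s : samples) {
            System.out.println(hasUserInfo(s) + "  " + redact(s));
        }
        try {
            requireNoUserInfo(samples[0]);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The pattern works on the raw string, so it also covers composite URIs that `java.net.URI` treats as opaque; a password containing an unencoded `,` or parenthesis is outside what this sketch handles.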