[ 
https://issues.apache.org/jira/browse/QPIDJMS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17723197#comment-17723197
 ] 

Robbie Gemmell commented on QPIDJMS-588:
----------------------------------------

It should throw an IllegalArgumentException as it already does in the 
regular/non-failover URI case, since the userinfo presence is not considered 
valid and will not be used.

I already have a change mostly done for this, just still to give it a check 
over and tidy up before pushing.

> when invalid failover URI supplied, password can be present in log file
> -----------------------------------------------------------------------
>
>                 Key: QPIDJMS-588
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-588
>             Project: Qpid JMS
>          Issue Type: Bug
>          Components: qpid-jms-client
>    Affects Versions: 2.2.0
>         Environment: We are currently using Apache Qpid 2.2.0
>            Reporter: Patrick Gell
>            Priority: Minor
>              Labels: password, security
>
> If I have a failover URL with `user:password` configured then the password is 
> logged in plain text.
> BrokerURL: 
> failover:(amqp://myactivemquser:my-secure-password@localhost:5672)
> Log extract:
> 2023-05-15 13:04:42.484  INFO [localhost:5672]] 
> org.apache.qpid.jms.JmsConnection        : Connection 
> ID:83323730-746c-4430-988f-e9e5f699dc1c:1 connected to server: 
> amqp://myactivemquser:my-secure-password@localhost:5672
>  
> Expected behaviour:
> The password is masked in the log or an IllegalArgumentException is thrown 
> similar to the non failover URL:
> amqp://myactivemquser:my-secure-password@localhost:5672 results in a 
> ...
> Caused by: java.lang.IllegalArgumentException: The supplied URI cannot 
> contain a User-Info section
>     at 
> org.apache.qpid.jms.JmsConnectionFactory.setRemoteURI(JmsConnectionFactory.java:406)
>     at 
> org.amqphub.spring.boot.jms.autoconfigure.AMQP10JMSConnectionFactoryFactory.createConnectionFactory(AMQP10JMSConnectionFactoryFactory.java:66)
>     ... 69 common frames omitted
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
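
The behaviour asked for in this issue, as an added example: reject a failover URI when any nested URI carries a User-Info section, and strip userinfo before a URI reaches a log line. This is not Qpid JMS code and not the change mentioned in the comment above; the class and method names are hypothetical and the composite-URI parsing is simplified to the `failover:(uri1,uri2)` form shown in the report.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

public class FailoverUriUserInfoCheck {

    /** Splits "failover:(uri1,uri2)?opts" into its nested URIs; a plain URI yields itself. */
    static List<URI> nestedUris(String remote) throws URISyntaxException {
        List<URI> result = new ArrayList<>();
        int open = remote.indexOf('(');
        int close = remote.lastIndexOf(')');
        if (remote.startsWith("failover:") && open >= 0 && close > open) {
            for (String part : remote.substring(open + 1, close).split(",")) {
                if (!part.trim().isEmpty()) {
                    result.add(new URI(part.trim()));
                }
            }
        } else {
            result.add(new URI(remote));
        }
        return result;
    }

    /** Rejects the whole remote URI if any nested URI carries user:password@. */
    static void validate(String remote) throws URISyntaxException {
        for (URI uri : nestedUris(remote)) {
            // getRawUserInfo() is null for registry-based authorities, so also look for '@'.
            String authority = uri.getRawAuthority();
            if (uri.getRawUserInfo() != null || (authority != null && authority.contains("@"))) {
                // Same message as quoted in the issue; the offending URI is never echoed back.
                throw new IllegalArgumentException("The supplied URI cannot contain a User-Info section");
            }
        }
    }

    /** Defence in depth for log statements: rebuild the URI without its userinfo. */
    static String forLog(URI uri) throws URISyntaxException {
        return new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(),
                uri.getPath(), uri.getQuery(), uri.getFragment()).toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, modelled on the broker URL in the report.
        String bad = "failover:(amqp://myactivemquser:my-secure-password@localhost:5672)";
        validate("failover:(amqp://localhost:5672,amqp://localhost:5673)"); // accepted
        System.out.println(forLog(nestedUris(bad).get(0)));                 // userinfo stripped
        validate(bad);                                                      // throws IllegalArgumentException
    }
}
```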
