[
https://issues.apache.org/jira/browse/QPIDJMS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robbie Gemmell updated QPIDJMS-588:
-----------------------------------
Description:
The client's documented connection URI config does not utilise user-info details
from the URI, with it actively refusing its presence in the base non-failover
connection URI, for example using
"amqp://erroneous-user:erroneous-pass@localhost:5672" will result in an
IllegalArgumentException when creating the connection factory.
If however a failover URI is supplied with a component server connection URI
nested within it erroneously containing user-info detail, e.g.
"failover:(amqp://erroneous-user:erroneous-pass@localhost:5672)", then they
remain invalid/unused as expected but do not currently result in the
IllegalArgumentException as in the non-failover case. Later code within the
client does not expect this invalid/unused user-info detail to be present, and
so can then log it.
The erroneous presence of the invalid/unused user-info within a component of a
failover URI should also cause an IllegalArgumentException when creating the
connection factory.
================
Original Description:
If I have a failover URL with `user:password` configured then the password is
logged in plain text.
BrokerURL:
failover:(amqp://myactivemquser:my-secure-password@localhost:5672)
Log extract:
2023-05-15 13:04:42.484 INFO [localhost:5672]]
org.apache.qpid.jms.JmsConnection : Connection
ID:83323730-746c-4430-988f-e9e5f699dc1c:1 connected to server:
amqp://myactivemquser:my-secure-password@localhost:5672
Expected behaviour:
The password is masked in the log or an IllegalArgumentException is thrown
similar to the non failover URL:
amqp://myactivemquser:my-secure-password@localhost:5672 results in a
...
Caused by: java.lang.IllegalArgumentException: The supplied URI cannot contain
a User-Info section
at
org.apache.qpid.jms.JmsConnectionFactory.setRemoteURI(JmsConnectionFactory.java:406)
at
org.amqphub.spring.boot.jms.autoconfigure.AMQP10JMSConnectionFactoryFactory.createConnectionFactory(AMQP10JMSConnectionFactoryFactory.java:66)
... 69 common frames omitted
was: the Original Description reproduced above, unchanged.
Summary: failover URI with invalid/unused user-info in component URI
not rejected, can be logged (was: when invalid failover URI supplied, password
can be present in log file)
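The check the updated description asks for (refuse user-info in every component of a failover URI, as the non-failover path already does) together with a masking helper for the log line quoted above, as an added Python example that is not Qpid JMS's own code; the failover syntax handling, the function names and the reuse of the quoted exception text are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed shape of a failover URI: failover:(uri1,uri2,...)?options
FAILOVER_RE = re.compile(r"^failover:\((?P<components>[^)]*)\)(?P<options>\?.*)?$")


def failover_components(uri):
    """Return the component URIs of a failover: URI, or None for a plain URI."""
    m = FAILOVER_RE.match(uri)
    if not m:
        return None
    return [c.strip() for c in m.group("components").split(",") if c.strip()]


def reject_user_info(uri):
    """Mirror the client's non-failover check: a URI carrying any user-info
    (user alone or user:password) is refused before a connection is made,
    so it can never reach the 'connected to server' log line.
    The message text is copied from the exception quoted in the issue."""
    parts = urlsplit(uri)
    if parts.username is not None or parts.password is not None:
        raise ValueError("The supplied URI cannot contain a User-Info section")


def validate_remote_uri(uri):
    """Apply the user-info check to a plain URI or to every component of a
    failover URI, which is the behaviour the updated description asks for."""
    components = failover_components(uri)
    for component in (components if components is not None else [uri]):
        reject_user_info(component)
    return uri


def mask_user_info(uri):
    """Defence in depth for logging: replace any user-info with '***' so a
    password still does not appear in a log line if validation is bypassed."""
    parts = urlsplit(uri)
    if parts.username is None and parts.password is None:
        return uri
    # Keep everything after the last '@' (host, port, IPv6 brackets) intact.
    netloc = "***@" + parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed input reusing the erroneous URI from the issue.
    bad = "failover:(amqp://erroneous-user:erroneous-pass@localhost:5672)"
    print(mask_user_info(failover_components(bad)[0]))  # amqp://***@localhost:5672
```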
> failover URI with invalid/unused user-info in component URI not rejected, can
> be logged
> ---------------------------------------------------------------------------------------
>
> Key: QPIDJMS-588
> URL: https://issues.apache.org/jira/browse/QPIDJMS-588
> Project: Qpid JMS
> Issue Type: Bug
> Components: qpid-jms-client
> Affects Versions: 2.2.0
> Environment: We are currently using Apache Qpid 2.2.0
> Reporter: Patrick Gell
> Priority: Minor
> Labels: password, security
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)