[
https://issues.apache.org/jira/browse/QPIDJMS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17723470#comment-17723470
]
ASF subversion and git services commented on QPIDJMS-588:
---------------------------------------------------------
Commit 01e49dc5706976a87c02976a17ae8691d7666356 in qpid-jms's branch
refs/heads/1.x from Robbie Gemmell
[ https://gitbox.apache.org/repos/asf?p=qpid-jms.git;h=01e49dc5 ]
QPIDJMS-588: throw IAE on attempt to create connection factory with invalid
failover URI components containing User-Info
(cherry picked from commit b42d890e60308881eb654c4f115a786eaa7ba118)
> failover URI with invalid/unused user-info in component URI not rejected, can
> be logged
> ---------------------------------------------------------------------------------------
>
> Key: QPIDJMS-588
> URL: https://issues.apache.org/jira/browse/QPIDJMS-588
> Project: Qpid JMS
> Issue Type: Bug
> Components: qpid-jms-client
> Affects Versions: 2.2.0
> Environment: We are currently using Apache Qpid 2.2.0
> Reporter: Patrick Gell
> Priority: Minor
> Labels: password, security
>
> The clients documented connection URI config does not utilise user-info
> details from the URI, with it actively refusing its presence in the base
> non-failover connection URI, for example using
> "amqp://erroneous-user:erroneous-pass@localhost:5672" will result in an
> IllegalArgumentException when creating the connection factory.
> If however a failover URI is supplied with a component server connection URI
> nested within it erroneously containing user-info detail, e.g
> "failover:(amqp://erroneous-user:erroneous-pass@localhost:5672)", then they
> remain invalid/unused as expected but do not currently result in the
> IllegalArgumentException as in the non-failover case. Later code within the
> client does not expect this invalid/unused user-info detail to be present,
> and so can then log it.
> The erroneous presence of the invalid/unused user-info within a component of
> a failover URI should also cause an IllegalArgumentException when creating
> the connection factory.
>
> ================
> Original Description:
> If I have a failover URL with `user:password` configured than the password is
> logged in plain text.
> {+}BrokerURL{+}:
> failover:(amqp://{*}myactivemquser:my-secure-password{*}@localhost:5672)
> +Log extract:+
> 2023-05-15 13:04:42.484 INFO [localhost:5672]]
> org.apache.qpid.jms.JmsConnection : Connection
> ID:83323730-746c-4430-988f-e9e5f699dc1c:1 connected to server:
> amqp://{*}myactivemquser:my-secure-password{*}@localhost:5672
>
> Expected behaviour:
> The password is masked in the log or an IllegalArgumentException is thrown
> similar to the non failover URL:
> amqp://{*}myactivemquser:my-secure-password{*}@localhost:5672 results in a
> ...
> Caused by: java.lang.IllegalArgumentException: The supplied URI cannot
> contain a User-Info section
> at
> org.apache.qpid.jms.JmsConnectionFactory.setRemoteURI(JmsConnectionFactory.java:406)
> at
> org.amqphub.spring.boot.jms.autoconfigure.AMQP10JMSConnectionFactoryFactory.createConnectionFactory(AMQP10JMSConnectionFactoryFactory.java:66)
> ... 69 common frames omitted
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
