[jira] [Created] (QPIDJMS-423) Avoid disclosing sensitive info when logging Remote Broker URI

Benoit Devos (JIRA) Mon, 29 Oct 2018 01:55:17 -0700

Benoit Devos created QPIDJMS-423:
------------------------------------

             Summary: Avoid disclosing sensitive info when logging Remote 
Broker URI
                 Key: QPIDJMS-423
                 URL: https://issues.apache.org/jira/browse/QPIDJMS-423
             Project: Qpid JMS
          Issue Type: Improvement
          Components: qpid-jms-client
    Affects Versions: 0.37.0
            Reporter: Benoit Devos



The broker URI may contain sensitive info (like path to trust / key stores, and 
related *passwords*), and this info is being logged.

Sample:
{code:xml}
<bean id="jmsConnectionFactory" 
class="org.apache.qpid.jms.JmsConnectionFactory">
    <constructor-arg name="remoteURI" value="amqps://some-location:5671?
        transport.keyStoreLocation=/very/long/path/nnn-openssl.p12&amp;
        transport.keyStorePassword=*******&amp;
        transport.trustStoreLocation=/very/long/path/server.keystore&amp;
        transport.trustStorePassword=*******"/>
</bean>
{code}

The method JmsConnection.onConnectionEstablished(final URI remoteURI) logs this 
URI as is, therefore disclosing some passwords.

Only essential info just be logged, i.e. scheme, host and port.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Created] (QPIDJMS-423) Avoid disclosing sensitive info when logging Remote Broker URI

Reply via email to