[jira] [Work logged] (AMQ-9515) Audit log contains message body when sent via the web console

Thu, 11 Jul 2024 22:46:07 -0700 


     [ 
https://issues.apache.org/jira/browse/AMQ-9515?focusedWorklogId=925598&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-925598
 ]

ASF GitHub Bot logged work on AMQ-9515:
---------------------------------------

                Author: ASF GitHub Bot
            Created on: 12/Jul/24 05:45
            Start Date: 12/Jul/24 05:45
    Worklog Time Spent: 10m 
      Work Description: kenliao94 commented on PR #1251:
URL: https://github.com/apache/activemq/pull/1251#issuecomment-2224762134

   > > we will ship a default configuration for audit log ..
   > 
   > If by 'we' you mean your organization, good to go =)
   > 
   > If by 'we' you mean Apache, then I don't see us changing the default 
Apache distribution config for this.
   
   I can see your concern. By "we" I meant developers in this community :) When 
developers deploy ActiveMQ for their customers, their customers may want 
sensitive data to be redacted. For instance, in `AuditLogEntry.java` fields 
that are annotated by `@Sensitive` (such as password) are redacted in the 
audit.log. So in my opinion, it is probably better to have it default redacted 
(possibly other fields in the HTTP parameters as well) to avoid potential 
compliance issues. I will focus on documenting the instructions to configure 
the log filter nevertheless. 




Issue Time Tracking
-------------------

    Worklog Id:     (was: 925598)
    Time Spent: 50m  (was: 40m)

> Audit log contains message body when sent via the web console
> -------------------------------------------------------------
>
>                 Key: AMQ-9515
>                 URL: https://issues.apache.org/jira/browse/AMQ-9515
>             Project: ActiveMQ Classic
>          Issue Type: Bug
>          Components: Web Console
>            Reporter: Jean-Baptiste Onofré
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> When sending a message via the WebConsole, the body of the message is fully 
> displayed in the audit log. It's the only kind of messages behaving this way.
> We should not display message body in audit log, or at least we should have a 
> configuration to control this.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@activemq.apache.org
For additional commands, e-mail: issues-h...@activemq.apache.org
For further information, visit: https://activemq.apache.org/contact

Reply via email to