[
https://issues.apache.org/jira/browse/ARTEMIS-5659?focusedWorklogId=984100&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-984100
]
ASF GitHub Bot logged work on ARTEMIS-5659:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 23/Sep/25 06:57
Start Date: 23/Sep/25 06:57
Worklog Time Spent: 10m
Work Description: brusdev commented on code in PR #5922:
URL: https://github.com/apache/activemq-artemis/pull/5922#discussion_r2371345618
##########
artemis-server/src/main/java/org/apache/activemq/artemis/core/deployers/impl/FileConfigurationParser.java:
##########
@@ -2015,7 +2015,20 @@ private DatabaseStorageConfiguration
createDatabaseStoreConfig(Element storeNode
conf.setLargeMessageTableName(getString(storeNode,
"large-message-table-name", conf.getLargeMessageTableName(), NO_CHECK));
conf.setPageStoreTableName(getString(storeNode, "page-store-table-name",
conf.getPageStoreTableName(), NO_CHECK));
conf.setNodeManagerStoreTableName(getString(storeNode,
"node-manager-store-table-name", conf.getNodeManagerStoreTableName(),
NO_CHECK));
- conf.setJdbcConnectionUrl(getString(storeNode, "jdbc-connection-url",
conf.getJdbcConnectionUrl(), NO_CHECK));
+ String jdbcConnectionUrl = getString(storeNode, "jdbc-connection-url",
conf.getJdbcConnectionUrl(), NO_CHECK);
+
+ /*
+ * Support for masking the JDBC connection URL can break uses-cases with
<mask-password>true</mask-password> in
+ * broker.xml and an existing, unmasked jdbc-connection-url because the
broker will try to unmask a value that is
+ * not masked resulting in an IllegalStateException. To deal with this
we ensure the jdbc-connection-url does not
+ * start with "jdbc:" before trying to unmask it. If it does start with
"jdbc:" then we know that it's already
+ * unmasked and we shouldn't attempt to unmask it.
+ */
+ if (jdbcConnectionUrl != null && !jdbcConnectionUrl.startsWith("jdbc:"))
{
+ jdbcConnectionUrl =
PasswordMaskingUtil.resolveMask(mainConfig.isMaskPassword(), jdbcConnectionUrl,
mainConfig.getPasswordCodec());
Review Comment:
The method `PasswordMaskingUtil.isEncMasked` is a more robust candidate to
check if the jdbc url is masked, i.e.
```
if (PasswordMaskingUtil.isEncMasked(jdbcConnectionUrl)) {
jdbcConnectionUrl =
PasswordMaskingUtil.resolveMask(jdbcConnectionUrl,
mainConfig.getPasswordCodec());
```
Issue Time Tracking
-------------------
Worklog Id: (was: 984100)
Time Spent: 50m (was: 40m)
> Support masking JDBC URL
> ------------------------
>
> Key: ARTEMIS-5659
> URL: https://issues.apache.org/jira/browse/ARTEMIS-5659
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Reporter: Justin Bertram
> Assignee: Justin Bertram
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.43.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> In some environments the JDBC connection URL is considered "sensitive" so it
> would be useful to support masking this in {{broker.xml}} as is supported for
> the username & password.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact
