[ https://issues.apache.org/jira/browse/QPIDJMS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robbie Gemmell resolved QPIDJMS-588.
------------------------------------
    Resolution: Fixed

> failover URI with invalid/unused user-info in component URI not rejected, can be logged
> ---------------------------------------------------------------------------------------
>
>                 Key: QPIDJMS-588
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-588
>             Project: Qpid JMS
>          Issue Type: Bug
>          Components: qpid-jms-client
>    Affects Versions: 1.8.0, 2.2.0
>         Environment: We are currently using Apache Qpid 2.2.0
>            Reporter: Patrick Gell
>            Assignee: Robbie Gemmell
>            Priority: Minor
>              Labels: password, security
>             Fix For: 1.9.0, 2.3.0
>
>
> The client's documented connection URI config does not utilise user-info
> details from the URI, with it actively refusing its presence in the base
> non-failover connection URI, for example using
> "amqp://erroneous-user:erroneous-pass@localhost:5672" will result in an
> IllegalArgumentException when creating the connection factory.
>
> If however a failover URI is supplied with a component server connection URI
> nested within it erroneously containing user-info detail, e.g.
> "failover:(amqp://erroneous-user:erroneous-pass@localhost:5672)", then they
> remain invalid/unused as expected but do not currently result in the
> IllegalArgumentException as in the non-failover case. Later code within the
> client does not expect this invalid/unused user-info detail to be present,
> and so can then log it.
>
> The erroneous presence of the invalid/unused user-info within a component of
> a failover URI should also cause an IllegalArgumentException when creating
> the connection factory.
>
> ================
> Original Description:
>
> If I have a failover URL with `user:password` configured then the password is
> logged in plain text.
>
> BrokerURL:
> failover:(amqp://myactivemquser:my-secure-password@localhost:5672)
>
> Log extract:
> 2023-05-15 13:04:42.484 INFO [localhost:5672]] org.apache.qpid.jms.JmsConnection : Connection ID:83323730-746c-4430-988f-e9e5f699dc1c:1 connected to server: amqp://myactivemquser:my-secure-password@localhost:5672
>
> Expected behaviour:
> The password is masked in the log or an IllegalArgumentException is thrown
> similar to the non-failover URL:
> amqp://myactivemquser:my-secure-password@localhost:5672 results in a
> ...
> Caused by: java.lang.IllegalArgumentException: The supplied URI cannot contain a User-Info section
>     at org.apache.qpid.jms.JmsConnectionFactory.setRemoteURI(JmsConnectionFactory.java:406)
>     at org.amqphub.spring.boot.jms.autoconfigure.AMQP10JMSConnectionFactoryFactory.createConnectionFactory(AMQP10JMSConnectionFactoryFactory.java:66)
>     ... 69 common frames omitted
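
The check the issue asks for, extended to every component of a failover URI, as an added example (not the Qpid JMS fix and not code from the report). FailoverUriCheck and its methods are hypothetical names, and it assumes the comma-separated "failover:(...)" form quoted above.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

public class FailoverUriCheck {
    // URISyntaxException messages echo the whole input, so never rethrow them.
    static URI parse(String s) {
        try {
            return new URI(s.trim());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("Unparseable connection URI (content withheld)");
        }
    }

    // "failover:(a,b)?opts" -> [a, b]; a plain hierarchical URI -> [itself].
    static List<URI> components(String remote) {
        URI outer = parse(remote);
        if (!outer.isOpaque()) return List.of(outer);
        String ssp = outer.getRawSchemeSpecificPart();
        int open = ssp.indexOf('('), close = ssp.lastIndexOf(')');
        String list = (open >= 0 && close > open) ? ssp.substring(open + 1, close) : ssp;
        List<URI> out = new ArrayList<>();
        for (String part : list.split(",")) {
            if (!part.trim().isEmpty()) out.add(parse(part));
        }
        return out;
    }

    static void rejectUserInfo(String remote) {
        for (URI uri : components(remote)) {
            // Also test the raw authority: an unescaped '@' in a password makes
            // java.net.URI use a registry-based authority whose user-info is null.
            String authority = uri.getRawAuthority();
            if (uri.getRawUserInfo() != null || (authority != null && authority.contains("@"))) {
                throw new IllegalArgumentException("The supplied URI cannot contain a User-Info section");
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input, modelled on the failover URI quoted in the report.
        try {
            rejectUserInfo("failover:(amqp://erroneous-user:erroneous-pass@localhost:5672)");
            System.out.println("accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Neither exception message carries the URI text, so a caller that logs the failure does not reproduce the credentials.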