[ https://issues.apache.org/jira/browse/HTTPCLIENT-1811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15848608#comment-15848608 ]
Julian Sedding commented on HTTPCLIENT-1811:
--------------------------------------------

I'm against swallowing the header value, as that can be highly misleading when debugging an issue. If we keep the log but only obfuscate the value (and indicate that it is obfuscated!), that would be fine for me. Keeping the obfuscated value stable, so it can be grepped etc., would also be helpful. Maybe shortening the value or hashing it would work?

> Security : Authorization header should not be printed in debug log
> -------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1811
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1811
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (async)
>            Reporter: Sujitha Chinnathambi
>         Attachments: httpclient.patch
>
>
> Current behaviour: When an https call is made with basic authentication in debug mode, the authorization information that is transferred as part of the 'Authorization' header is printed in the log by the artifact below:
> <groupId>org.apache.httpcomponents</groupId>
> <artifactId>httpclient</artifactId>
> <version>4.3.6</version>
> Example:
> org.apache.http.wire - [] >> "Authorization: Basic VEVTVCBLSCAwMS9TQ0hVTFVORzpzY2h1bHVuZw==[\r][\n]"
> org.apache.http.headers - [] >> Authorization: Basic VEVTVCBLSCAwMS9TQ0hVTFVORzpzY2h1bHVuZw==
> Expected behaviour: Though the log level is debug, authorization information should not be printed in the log.
> Attached httpclient.patch as a proposal.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
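The approach Julian proposes in the comment above (keep the header in the debug log, replace only the credential, mark the replacement as obfuscated, and keep the replacement stable so it can still be grepped), as an added example. This is Python written for this page, not HttpClient code and not the attached httpclient.patch; the `RedactingFilter` class, the helper names and the demo key are assumptions made for the example, and the sample lines are constructed from the two debug lines quoted in the report. The fingerprint is keyed (HMAC) rather than a bare hash, because a Basic credential is just base64(user:password) and a plain truncated SHA-256 of it could be reversed offline by guessing passwords.

```python
import hashlib
import hmac
import logging
import re

# Matches "Authorization: <scheme> <credential>" and "Proxy-Authorization: ...",
# case-insensitively. The credential stops at whitespace, a quote or a '[' so the
# wire-log escape "[\r][\n]" that follows the value in the wire log is kept intact.
_AUTH_RE = re.compile(
    r'(?P<name>(?:Proxy-)?Authorization:\s*)(?P<scheme>[A-Za-z0-9-]+)\s+(?P<cred>[^\s"\[\]]+)',
    re.IGNORECASE,
)

# Sample input constructed for this example: the wire-log and header-log lines quoted
# in the issue report, plus one unrelated header that must pass through untouched.
SAMPLE_LINES = [
    'org.apache.http.wire - [] >> "Authorization: Basic VEVTVCBLSCAwMS9TQ0hVTFVORzpzY2h1bHVuZw==[\\r][\\n]"',
    'org.apache.http.headers - [] >> Authorization: Basic VEVTVCBLSCAwMS9TQ0hVTFVORzpzY2h1bHVuZw==',
    'org.apache.http.headers - [] >> Host: example.org',
]


def obfuscate_credential(cred: str, key: bytes, digits: int = 12) -> str:
    """Stable, keyed fingerprint of a credential, explicitly marked as obfuscated.

    Same credential + same key -> same token, so every occurrence in a log can be
    grepped and correlated. The key is a per-deployment (or per-process) secret that
    never goes into the log; without it a weak Basic credential could be recovered
    from the fingerprint by offline guessing.
    """
    mac = hmac.new(key, cred.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"<obfuscated:hmac-sha256:{mac[:digits]}>"


def redact_authorization(line: str, key: bytes) -> str:
    """Rewrite one log line: header name and scheme stay, the credential is replaced."""
    def _sub(m):
        return f"{m.group('name')}{m.group('scheme')} {obfuscate_credential(m.group('cred'), key)}"
    return _AUTH_RE.sub(_sub, line)


def redact_lines(lines, key: bytes):
    """Apply redact_authorization to every line of an already-written log."""
    return [redact_authorization(line, key) for line in lines]


class RedactingFilter(logging.Filter):
    """logging.Filter (assumed name) that redacts before any handler sees the record."""

    def __init__(self, key: bytes) -> None:
        super().__init__()
        self._key = key

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so a credential passed as a %-argument is caught as well,
        # then store the redacted text as the final message with no args left.
        record.msg = redact_authorization(record.getMessage(), self._key)
        record.args = ()
        return True


def filter_message(msg: str, args: tuple, key: bytes) -> str:
    """Run a single message through RedactingFilter and return what a handler would get."""
    record = logging.LogRecord("example", logging.DEBUG, "example.py", 1, msg, args, None)
    RedactingFilter(key).filter(record)
    return record.getMessage()


if __name__ == "__main__":
    demo_key = b"demo-key-keep-out-of-logs"  # assumption: a real deployment loads this from a secret store
    for out in redact_lines(SAMPLE_LINES, demo_key):
        print(out)
```

Two caveats a practitioner should keep in mind. First, twelve hex digits of a keyed MAC are enough to correlate occurrences but not to identify the credential; if the key changes between runs the token changes too, so stability only holds for as long as the key does. Second, rewriting already-written lines is best-effort: a wire logger that emits the output buffer in chunks can split a header across two log lines, and a line-based regex will then miss the value. The robust place to redact is where the header is logged, which is what the issue's patch targets.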