[ https://issues.apache.org/jira/browse/OPENJPA-1678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12875613#action_12875613 ]
Michael Dick commented on OPENJPA-1678:
---------------------------------------
Hi Pinaki,
I think this is orthogonal to the level of tracing used. While it's often
useful in conjunction with other tracing, the two should not be tied together.
You should be able to see parameters in your exception text (if you so desire)
without enabling logging, for example.
I'm not entirely sold on introducing a new log level in service either. For the
time being I'm going to treat this as a bug with
openjpa.ConnectionFactoryProperties.TrackParameters and fix it that way (the
cfProps patch).
> SQL Parameter values may contain sensitive information and should not be
> logged by default.
> -------------------------------------------------------------------------------------------
>
> Key: OPENJPA-1678
> URL: https://issues.apache.org/jira/browse/OPENJPA-1678
> Project: OpenJPA
> Issue Type: Bug
> Affects Versions: 1.0.3, 1.1.0, 1.2.2, 2.0.0, 2.1.0
> Reporter: Michael Dick
> Assignee: Michael Dick
> Fix For: 1.0.4, 1.2.3, 2.0.1, 2.1.0
>
> Attachments: OPENJPA-1678-openjpa.CFProps.1.2.x.patch.txt,
> OPENJPA-1678-openjpa.Log.1.2.x.patch.txt
>
>
> The values for parameters used in our SQL statements may contain sensitive
> information (e.g. social security numbers). By default these values are
> printed in the exception message and in SQL trace. Having the values printed
> can be a great help when debugging an application - but presents a risk when
> used in production.
> To resolve the issue I propose to disable printing the parameter values by
> default. The parameter values will still be tracked internally - but will not
> be displayed in exception messages or trace unless the following property is
> set :
> <property name="openjpa.ConnectionFactoryProperties"
> value="printParameters=true"/>