[ https://issues.apache.org/jira/browse/OPENJPA-1678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12877169#action_12877169 ]
Michael Dick commented on OPENJPA-1678:
---------------------------------------
Upon further review I'm leaning towards a separate parameter, also on
ConnectionFactoryProperties - since this will be in service releases I'd rather
not take the risk of affecting behavior or changing the meaning of track
parameters for any existing applications.
> SQL Parameter values may contain sensitive information and should not be
> logged by default.
> -------------------------------------------------------------------------------------------
>
> Key: OPENJPA-1678
> URL: https://issues.apache.org/jira/browse/OPENJPA-1678
> Project: OpenJPA
> Issue Type: Bug
> Affects Versions: 1.0.3, 1.1.0, 1.2.2, 2.0.0, 2.1.0
> Reporter: Michael Dick
> Assignee: Michael Dick
> Fix For: 1.0.4, 1.2.3, 2.0.1, 2.1.0
>
> Attachments: OPENJPA-1678-openjpa.CFProps.1.2.x.patch.txt,
> OPENJPA-1678-openjpa.Log.1.2.x.patch.txt
>
>
> The values for parameters used in our SQL statements may contain sensitive
> information (e.g. social security numbers). By default these values are
> printed in the exception message and in SQL trace. Having the values printed
> can be a great help when debugging an application - but presents a risk when
> used in production.
> To resolve the issue I propose to disable printing the parameter values by
> default. The parameter values will still be tracked internally - but will not
> be displayed in exception messages or trace unless the following property is
> set:
> <property name="openjpa.ConnectionFactoryProperties"
> value="printParameters=true"/>
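As an added example (not part of the JIRA message or OpenJPA's own code): a check that scans a persistence.xml for persistence units that turn on `printParameters` through `openjpa.ConnectionFactoryProperties`, so a debugging setting does not reach a production deployment. The sample XML and unit names are constructed, and comparing the key case-insensitively is an assumption of this check.

```python
import xml.etree.ElementTree as ET

# Constructed sample persistence.xml; unit names and values are made up.
SAMPLE = """<?xml version="1.0"?>
<persistence xmlns="http://java.sun.com/xml/ns/persistence" version="1.0">
  <persistence-unit name="orders-prod">
    <properties>
      <property name="openjpa.ConnectionFactoryProperties"
                value="MaxActive=10, printParameters=true"/>
    </properties>
  </persistence-unit>
  <persistence-unit name="billing-prod">
    <properties>
      <property name="openjpa.Log" value="SQL=TRACE"/>
    </properties>
  </persistence-unit>
</persistence>
"""

TARGET = "openjpa.connectionfactoryproperties"

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def parse_plugin_string(value):
    """Split 'k1=v1, k2=v2' into a dict with lower-cased keys."""
    out = {}
    for part in value.split(","):
        key, sep, val = part.partition("=")
        if sep:
            out[key.strip().lower()] = val.strip()
    return out

def units_printing_parameters(xml_text):
    """Return names of persistence units that enable printParameters."""
    flagged = []
    for unit in ET.fromstring(xml_text).iter():
        if local(unit.tag) != "persistence-unit":
            continue
        for prop in unit.iter():
            if local(prop.tag) != "property" or prop.get("name", "").lower() != TARGET:
                continue
            # Assumption of this check: key and value compared case-insensitively.
            opts = parse_plugin_string(prop.get("value", ""))
            if opts.get("printparameters", "").lower() == "true":
                flagged.append(unit.get("name"))
    return flagged
```
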