Keith Wall created QPID-6496:
--------------------------------
Summary: PropertiesFileInitialContextFactory logs properties at INFO which may allow a password to be logged
Key: QPID-6496
URL: https://issues.apache.org/jira/browse/QPID-6496
Project: Qpid
Issue Type: Bug
Components: Java Client
Affects Versions: 0.8, 0.32
Reporter: Keith Wall
Priority: Minor
PropertiesFileInitialContextFactory logs all properties at INFO whilst creating
the InitialContext. As the properties could include connection factory
definition(s) and connection factory definitions allow a password to be embedded
within them, this could mean cleartext passwords are logged.
{noformat}
connectionfactory.qpidConnectionFactory = amqp://user:pass@clientid/?brokerlist='tcp://localhost:5672'
{noformat}
This problem will only manifest if logger org.apache.qpid.jndi is enabled at
INFO or lower. The client offers no in-built mechanism to enable
this logging (it is delegated to the application).
It won't affect users specifying credentials using
ConnectionFactory#createConnection(user,password). Nor does it affect users
using authentication mechanisms that do not rely on a client-side password,
i.e. SSL client auth, Kerberos.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)