[ https://issues.apache.org/jira/browse/QPID-7289?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15785516#comment-15785516 ]

Keith Wall commented on QPID-7289:
----------------------------------

This is not straightforward.  The Broker has the ability to log the bytes of 
the incoming bytes from the wire.  This is an ability we value.  This is done 
before the frame is parsed, so we cannot know if the frame contains something 
that the Broker should deem as sensitive.

For some applications, we can simply discourage the use of SASL mechanisms that 
accept the plain text (i.e. PLAIN) so that the bytes that arrive as part of the 
SASL challenge are not plain.

The difficulty comes when using authentication providers such as a generic 
LDAP server - this requires that the Broker binds using the plaintext.

> [Java Broker] SASL challenges and response should be masked in the log file
> ---------------------------------------------------------------------------
>
>                 Key: QPID-7289
>                 URL: https://issues.apache.org/jira/browse/QPID-7289
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: qpid-java-6.0, qpid-java-6.0.3, qpid-java-6.1
>            Reporter: Lorenz Quack
>             Fix For: Future
>
>
> The broker logs the SASL negotiation at DEBUG level. This includes the 
> challenges and response going between the client and the broker.
> These contain potentially sensitive information (e.g., user credentials) and 
> should therefore be masked.
> On AMQP 0-9 they are masked.
> On AMQP 0-10 they are not masked.
> I did not test 1.0



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
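
An added illustration of the point made in the comment above (not Qpid code and not part of the issue): a logger that sees only raw wire bytes cannot mask a SASL PLAIN response, while a logger that runs after parsing can. The function names, log line formats and sample credentials are constructed for this example; the PLAIN message layout ([authzid] NUL authcid NUL passwd) is from RFC 4616.

```python
import binascii

# Constructed sample: a SASL PLAIN response laid out per RFC 4616,
# [authzid] NUL authcid NUL passwd. Not captured from a real broker.
SAMPLE_PLAIN_RESPONSE = b"\x00guest\x00s3cret-constructed"


def raw_wire_log(data: bytes) -> str:
    """Log bytes before any parsing: the logger cannot know what they mean."""
    return "RECV " + binascii.hexlify(data).decode("ascii")


def mask_plain_response(data: bytes) -> str:
    """Log a parsed PLAIN response with the password replaced by a marker."""
    parts = data.split(b"\x00")
    # RFC 4616 requires exactly two NUL separators and a non-empty
    # authcid and passwd; anything else is logged by size only.
    if len(parts) != 3 or not parts[1] or not parts[2]:
        return "SASL PLAIN response: <malformed, %d bytes masked>" % len(data)
    authzid, authcid, _passwd = parts
    return "SASL PLAIN response: authzid=%r authcid=%r passwd=********" % (
        authzid.decode("utf-8", "replace"),
        authcid.decode("utf-8", "replace"),
    )


def leaks_secret(log_line: str, secret: bytes) -> bool:
    """True if the secret can be read back from the log line (text or hex)."""
    return (
        secret.decode("utf-8", "replace") in log_line
        or binascii.hexlify(secret).decode("ascii") in log_line
    )


if __name__ == "__main__":
    secret = b"s3cret-constructed"
    for line in (raw_wire_log(SAMPLE_PLAIN_RESPONSE),
                 mask_plain_response(SAMPLE_PLAIN_RESPONSE)):
        print(line, "| leaks:", leaks_secret(line, secret))
```

The `leaks_secret` check can be reused as a regression test over DEBUG log output for each protocol version.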
