[ https://issues.apache.org/jira/browse/QPIDJMS-423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16666870#comment-16666870 ]
ASF GitHub Bot commented on QPIDJMS-423:
----------------------------------------

Github user benoitdevos commented on the issue:

    https://github.com/apache/qpid-jms/pull/23

    @tabish121 I created [QPIDJMS-423](https://issues.apache.org/jira/browse/QPIDJMS-423) and changed the commit message.

> Avoid disclosing sensitive info when logging Remote Broker URI
> --------------------------------------------------------------
>
>                 Key: QPIDJMS-423
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-423
>             Project: Qpid JMS
>          Issue Type: Improvement
>          Components: qpid-jms-client
>    Affects Versions: 0.37.0
>            Reporter: Benoit Devos
>            Priority: Minor
>
> The broker URI may contain sensitive info (like path to trust / key stores,
> and related *passwords*), and this info is being logged.
> Sample:
> {code:xml}
> <bean id="jmsConnectionFactory"
>       class="org.apache.qpid.jms.JmsConnectionFactory">
>   <constructor-arg name="remoteURI" value="amqps://some-location:5671?
>     transport.keyStoreLocation=/very/long/path/nnn-openssl.p12&
>     transport.keyStorePassword=*******&
>     transport.trustStoreLocation=/very/long/path/server.keystore&
>     transport.trustStorePassword=*******"/>
> </bean>
> {code}
> The method JmsConnection.onConnectionEstablished(final URI remoteURI) logs
> this URI as is, therefore disclosing some passwords.
> Only essential info must be logged, i.e. scheme, host and port.
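The redaction the issue asks for (log only scheme, host and port), as an added example; this is not code from qpid-jms or from the pull request. The class name `SafeUriLogging`, the method `forLog`, and every sample URI are assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class SafeUriLogging {

    /**
     * Hypothetical helper: returns scheme://host[:port] only.
     * User info, path, query (where the transport.* passwords live)
     * and fragment are never copied into the result.
     */
    static String forLog(URI uri) {
        if (uri == null) {
            return "<null>";
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            // Opaque or non-server-based URI: no host can be extracted safely,
            // so echo nothing from the URI except its scheme.
            return (scheme == null ? "<unknown>" : scheme) + ":<redacted>";
        }
        try {
            // A port of -1 (not set) is simply omitted by this constructor.
            return new URI(scheme, null, host, uri.getPort(), null, null, null).toString();
        } catch (URISyntaxException e) {
            return scheme + ":<redacted>";
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the secrets are placeholders.
        String[] samples = {
            "amqps://some-location:5671?transport.keyStoreLocation=/very/long/path/nnn-openssl.p12"
                + "&transport.keyStorePassword=constructed-secret",
            "amqp://user:constructed-secret@broker.example:5672",
            "amqps://[::1]:5671?transport.trustStorePassword=constructed-secret",
            "amqps://some-location",
            // Opaque composite URI: getHost() is null, so only the scheme is kept.
            "failover:(amqps://some-location:5671?transport.trustStorePassword=constructed-secret)"
        };
        for (String s : samples) {
            System.out.println(forLog(URI.create(s)));
        }
    }
}
```

Building the logged value from an allow-list of components, rather than stripping known password parameters from the original string, means a newly introduced sensitive option cannot leak through the log line.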