[
https://issues.apache.org/jira/browse/QPIDJMS-423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16666870#comment-16666870
]
ASF GitHub Bot commented on QPIDJMS-423:
----------------------------------------
Github user benoitdevos commented on the issue:
https://github.com/apache/qpid-jms/pull/23
@tabish121 I created
[QPIDJMS-423](https://issues.apache.org/jira/browse/QPIDJMS-423) and changed
the commit message.
> Avoid disclosing sensitive info when logging Remote Broker URI
> --------------------------------------------------------------
>
> Key: QPIDJMS-423
> URL: https://issues.apache.org/jira/browse/QPIDJMS-423
> Project: Qpid JMS
> Issue Type: Improvement
> Components: qpid-jms-client
> Affects Versions: 0.37.0
> Reporter: Benoit Devos
> Priority: Minor
>
> The broker URI may contain sensitive info (like path to trust / key stores,
> and related *passwords*), and this info is being logged.
> Sample:
> {code:xml}
> <bean id="jmsConnectionFactory"
> class="org.apache.qpid.jms.JmsConnectionFactory">
> <constructor-arg name="remoteURI" value="amqps://some-location:5671?
> transport.keyStoreLocation=/very/long/path/nnn-openssl.p12&
> transport.keyStorePassword=*******&
> transport.trustStoreLocation=/very/long/path/server.keystore&
> transport.trustStorePassword=*******"/>
> </bean>
> {code}
> The method JmsConnection.onConnectionEstablished(final URI remoteURI) logs
> this URI as is, therefore disclosing some passwords.
> Only essential info just be logged, i.e. scheme, host and port.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
