Re: [PR] ARTEMIS-5659 support masking JDBC URL [activemq-artemis]

Wed, 17 Sep 2025 23:37:16 -0700 


brusdev commented on code in PR #5922:
URL: https://github.com/apache/activemq-artemis/pull/5922#discussion_r2357672987


##########
artemis-server/src/main/java/org/apache/activemq/artemis/core/deployers/impl/FileConfigurationParser.java:
##########
@@ -2015,7 +2015,20 @@ private DatabaseStorageConfiguration 
createDatabaseStoreConfig(Element storeNode
       conf.setLargeMessageTableName(getString(storeNode, 
"large-message-table-name", conf.getLargeMessageTableName(), NO_CHECK));
       conf.setPageStoreTableName(getString(storeNode, "page-store-table-name", 
conf.getPageStoreTableName(), NO_CHECK));
       conf.setNodeManagerStoreTableName(getString(storeNode, 
"node-manager-store-table-name", conf.getNodeManagerStoreTableName(), 
NO_CHECK));
-      conf.setJdbcConnectionUrl(getString(storeNode, "jdbc-connection-url", 
conf.getJdbcConnectionUrl(), NO_CHECK));
+      String jdbcConnectionUrl = getString(storeNode, "jdbc-connection-url", 
conf.getJdbcConnectionUrl(), NO_CHECK);
+
+      /*
+       * Support for masking the JDBC connection URL can break uses-cases with 
<mask-password>true</mask-password> in
+       * broker.xml and an existing, unmasked jdbc-connection-url because the 
broker will try to unmask a value that is
+       * not masked resulting in an IllegalStateException. To deal with this 
we ensure the jdbc-connection-url does not
+       * start with "jdbc:" before trying to unmask it. If it does start with 
"jdbc:" then we know that it's already
+       * unmasked and we shouldn't attempt to unmask it.
+       */
+      if (jdbcConnectionUrl != null && !jdbcConnectionUrl.startsWith("jdbc:")) 
{
+         jdbcConnectionUrl = 
PasswordMaskingUtil.resolveMask(mainConfig.isMaskPassword(), jdbcConnectionUrl, 
mainConfig.getPasswordCodec());

Review Comment:
   The `mask-password` attribute should only affect passwords. It actually 
affects usernames as well, but it's a legacy attribute and shouldn't be 
extended to other settings. We could use the `PasswordMaskingUtil.isEncMasked` 
method to detect whether the JDBC URL is masked.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: gitbox-unsubscr...@activemq.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscr...@activemq.apache.org
For additional commands, e-mail: gitbox-h...@activemq.apache.org
For further information, visit: https://activemq.apache.org/contact

Reply via email to