[ https://issues.apache.org/jira/browse/ARTEMIS-5659?focusedWorklogId=983589&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-983589 ]
ASF GitHub Bot logged work on ARTEMIS-5659:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 18/Sep/25 06:37
            Start Date: 18/Sep/25 06:37
    Worklog Time Spent: 10m
      Work Description: brusdev commented on code in PR #5922:
URL: https://github.com/apache/activemq-artemis/pull/5922#discussion_r2357672987

##########
artemis-server/src/main/java/org/apache/activemq/artemis/core/deployers/impl/FileConfigurationParser.java:
##########
@@ -2015,7 +2015,20 @@ private DatabaseStorageConfiguration createDatabaseStoreConfig(Element storeNode conf.setLargeMessageTableName(getString(storeNode, "large-message-table-name", conf.getLargeMessageTableName(), NO_CHECK)); conf.setPageStoreTableName(getString(storeNode, "page-store-table-name", conf.getPageStoreTableName(), NO_CHECK)); conf.setNodeManagerStoreTableName(getString(storeNode, "node-manager-store-table-name", conf.getNodeManagerStoreTableName(), NO_CHECK)); - conf.setJdbcConnectionUrl(getString(storeNode, "jdbc-connection-url", conf.getJdbcConnectionUrl(), NO_CHECK)); + String jdbcConnectionUrl = getString(storeNode, "jdbc-connection-url", conf.getJdbcConnectionUrl(), NO_CHECK); + + /* + * Support for masking the JDBC connection URL can break uses-cases with <mask-password>true</mask-password> in + * broker.xml and an existing, unmasked jdbc-connection-url because the broker will try to unmask a value that is + * not masked resulting in an IllegalStateException. To deal with this we ensure the jdbc-connection-url does not + * start with "jdbc:" before trying to unmask it. If it does start with "jdbc:" then we know that it's already + * unmasked and we shouldn't attempt to unmask it. + */ + if (jdbcConnectionUrl != null && !jdbcConnectionUrl.startsWith("jdbc:")) { + jdbcConnectionUrl = PasswordMaskingUtil.resolveMask(mainConfig.isMaskPassword(), jdbcConnectionUrl, mainConfig.getPasswordCodec()); Review Comment: The `mask-password` attribute should only affect passwords. It actually affects usernames as well, but it's a legacy attribute and shouldn't be extended to other settings. We could use the `PasswordMaskingUtil.isEncMasked` method to detect whether the JDBC URL is masked. 
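Review bot: the `!jdbcConnectionUrl.startsWith("jdbc:")` guard treats every value without that prefix as masked, so with `<mask-password>true</mask-password>` a mistyped or otherwise non-`jdbc:` plain-text URL is still passed to `PasswordMaskingUtil.resolveMask` and, going by the block comment in this hunk, ends in the same IllegalStateException the guard is meant to prevent. Deciding on a positive marker of a masked value, such as the `PasswordMaskingUtil.isEncMasked` check suggested in the review comment above, would avoid inferring masking from the URL scheme and would keep the legacy `mask-password` flag out of the decision for this setting. The block comment also has a typo: "uses-cases" should read "use-cases".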
Issue Time Tracking
-------------------

    Worklog Id: (was: 983589)
    Time Spent: 20m (was: 10m)

> Support masking JDBC URL
> ------------------------
>
>                 Key: ARTEMIS-5659
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-5659
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>            Reporter: Justin Bertram
>            Assignee: Justin Bertram
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> In some environments the JDBC connection URL is considered "sensitive" so it
> would be useful to support masking this in {{broker.xml}} as is supported for
> the username & password.

--
This message was sent by Atlassian Jira (v8.20.10#820010)