[
https://issues.apache.org/jira/browse/CXF-6824?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15185143#comment-15185143
]
Qi Lu commented on CXF-6824:
----------------------------
Hi Colm,
Thanks for the prompt response. One example of the log.
==================
03 Feb 2016 15:12:46,291 | INFO - AbstractLoggingInterceptor.log(239) |
Outbound Message
---------------------------
ID: 1
Address: https://xxx.com/yyy/ws/general.asmx
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml
Headers: {Accept=[*/*],
SOAPAction=["http://aaa.com/webservices/CreateUserSessionFromInstance"]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";><soap:Body><CreateUserSessionFromInstance
xmlns="http://archer-tech.com/webservices/";><userName>secops_push</userName><instanceName>tGRC_UAT</instanceName><password>PLAINTEXTPASSWORD</password></CreateUserSessionFromInstance></soap:Body></soap:Envelope>
> Logs output User Password In Plain Text at INFO level
> -----------------------------------------------------
>
> Key: CXF-6824
> URL: https://issues.apache.org/jira/browse/CXF-6824
> Project: CXF
> Issue Type: Bug
> Components: logging
> Affects Versions: 2.7.16
> Environment: Windows server, Java 8 and Apache CXF 2.7.16.
> Reporter: Qi Lu
>
> In a http soap webservice call, the user password was output in plain text in
> the log at INFO level. This leads to security concerns of the application
> building on top it. User password is very sensitive information, it should
> not be at the INFO log level.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
