Sergey Beryozkin commented on CXF-7070:

What I meant was that some Authorization values will not expose anything at all 
to the potential attackers, not all Authorization values are username and 
password semi-clear combinations. Also if the client is running is pushing the 
logs to the secure system (and perhaps some CXF users already do it right now) 
then blocking it will be unexpected. However, I guess we can indeed block them 
by default as per Andy's patch, but the property needs to be introduced to let 
users to keep the current behaviour in place

> HTTP headers logged in debug
> ----------------------------
>                 Key: CXF-7070
>                 URL: https://issues.apache.org/jira/browse/CXF-7070
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>            Reporter: Fadi Mohsen
> We try to avoid logging of authorization header value in out/in requests, we 
> filtered out these in interceptors, but turns out these are logged anyway in 
> [CXF debug mode| 
> https://github.com/apache/cxf/blob/120d20f47022a76970ff0fb9c9d7413cfe019eb2/rt/transports/http/src/main/java/org/apache/cxf/transport/http/Headers.java#L436]:
> {code}
>         if (LOG.isLoggable(Level.FINE)) {
>             LOG.log(Level.FINE, "Request Headers: " + headers.toString());
>         }
> {code}

This message was sent by Atlassian JIRA

Reply via email to