Finn Herpich created CXF-8359:
---------------------------------

             Summary: Masking sensitive elements does not work if the element has a property
                 Key: CXF-8359
                 URL: https://issues.apache.org/jira/browse/CXF-8359
             Project: CXF
          Issue Type: Improvement
          Components: logging
    Affects Versions: 3.4.0
            Reporter: Finn Herpich


Given the template which is used in the MaskSensitiveHelper class: 
[https://github.com/apache/cxf/blob/dc2f6af9ad09888cafb350f95935e9ec6abf8aee/rt/features/logging/src/main/java/org/apache/cxf/ext/logging/MaskSensitiveHelper.java#L30]

If, for example, we want to mask the wsse:Password element
{code:java}
logFeature.addSensitiveElementNames(new HashSet<>(Collections.singletonList("wsse:Password")));{code}
but it contains a property
{code:java}
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">some cleantext password</wsse:Password>{code}
the regex would not pick up the element and thus would not replace it, and the password 
would still appear in the logs.

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
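
The failure described in this report, next to one attribute-tolerant way to match the element, as an added example (not CXF's code and not from the reporter). The strict pattern `<NAME>(.*?)</NAME>` is an assumption about the template's shape inferred from the behaviour described; the class and method names and the `XXX` mask are hypothetical.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MaskAttributeDemo {
    static final String MASK = "XXX"; // hypothetical mask value

    // Assumed strict shape: the tag name must be followed directly by '>',
    // so an opening tag that carries attributes never matches.
    static String maskStrict(String xml, String name) {
        String q = Pattern.quote(name);
        Pattern p = Pattern.compile("<" + q + ">(.*?)</" + q + ">", Pattern.DOTALL);
        String r = Matcher.quoteReplacement("<" + name + ">" + MASK + "</" + name + ">");
        return p.matcher(xml).replaceAll(r);
    }

    // Tolerant shape: after the name allow whitespace plus attributes (group 1),
    // and keep them in the output. Requiring whitespace or '>' right after the
    // name keeps "wsse:Password" from matching "wsse:PasswordText".
    // Limitation: a literal '>' inside an attribute value is not handled.
    static String maskWithAttributes(String xml, String name) {
        String q = Pattern.quote(name);
        Pattern p = Pattern.compile(
                "<" + q + "((?:\\s[^>]*)?)>.*?</" + q + ">", Pattern.DOTALL);
        String n = Matcher.quoteReplacement(name);
        return p.matcher(xml).replaceAll("<" + n + "$1>" + MASK + "</" + n + ">");
    }

    public static void main(String[] args) {
        // Constructed sample input, modelled on the element in the report.
        String type = "http://docs.oasis-open.org/wss/2004/01/"
                + "oasis-200401-wss-username-token-profile-1.0#PasswordDigest";
        String xml = "<wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
                + "<wsse:Password Type=\"" + type + "\">some cleantext password"
                + "</wsse:Password></wsse:UsernameToken>";

        String strict = maskStrict(xml, "wsse:Password");
        String tolerant = maskWithAttributes(xml, "wsse:Password");
        System.out.println("strict  : " + strict);
        System.out.println("tolerant: " + tolerant);

        // Self-checks: the strict form leaks, the tolerant form masks and keeps Type.
        if (!strict.contains("cleantext")) throw new AssertionError("strict masked");
        if (tolerant.contains("cleantext")) throw new AssertionError("still leaking");
        if (!tolerant.contains("Type=\"" + type + "\">" + MASK))
            throw new AssertionError("attribute lost");
    }
}
```

Run it with `java MaskAttributeDemo.java` (Java 11 or later). A regression test for a logging mask should include at least one sensitive element that carries attributes.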
