[jira] [Updated] (CXF-8359) Masking sensitive elements does not work if the element has a property

Tue, 20 Oct 2020 03:20:00 -0700 


     [ 
https://issues.apache.org/jira/browse/CXF-8359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Finn Herpich updated CXF-8359:
------------------------------
    Description: 
Given the template which is used in the MaskSensitiveHelper class: 
[https://github.com/apache/cxf/blob/dc2f6af9ad09888cafb350f95935e9ec6abf8aee/rt/features/logging/src/main/java/org/apache/cxf/ext/logging/MaskSensitiveHelper.java#L30]

If, for example, we want to mask the wsse:Password element
{code:java}
logFeature.addSensitiveElementNames(new 
HashSet<>(Collections.singletonList("wsse:Password")));{code}
but it contains a property
{code:java}
<wsse:Password 
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";>some
 cleantext password</wsse:Password>{code}
the regex would not pickup the element and thus not replace it and the password 
would still appear in the logs.

 

  was:
Given the template which is used in the MaskSensitiveHelper class: 
[https://github.com/apache/cxf/blob/dc2f6af9ad09888cafb350f95935e9ec6abf8aee/rt/features/logging/src/main/java/org/apache/cxf/ext/logging/MaskSensitiveHelper.java#L30]

If, for example, we want to mask the wsse:Password element
{code:java}
logFeature.addSensitiveElementNames(new 
HashSet<>(Collections.singletonList("wsse:Password")));{code}
but it contains a property
{code:java}
<wsse:Password 
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";>some
 cleantext password</wsse:Password>{code}
the regex would not pickup the element and thus not replace it and the password 
would still appear in the logs.

 


> Masking sensitive elements does not work if the element has a property
> ----------------------------------------------------------------------
>
>                 Key: CXF-8359
>                 URL: https://issues.apache.org/jira/browse/CXF-8359
>             Project: CXF
>          Issue Type: Improvement
>          Components: logging
>    Affects Versions: 3.4.0
>            Reporter: Finn Herpich
>            Priority: Major
>
> Given the template which is used in the MaskSensitiveHelper class: 
> [https://github.com/apache/cxf/blob/dc2f6af9ad09888cafb350f95935e9ec6abf8aee/rt/features/logging/src/main/java/org/apache/cxf/ext/logging/MaskSensitiveHelper.java#L30]
> If, for example, we want to mask the wsse:Password element
> {code:java}
> logFeature.addSensitiveElementNames(new 
> HashSet<>(Collections.singletonList("wsse:Password")));{code}
> but it contains a property
> {code:java}
> <wsse:Password 
> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";>some
>  cleantext password</wsse:Password>{code}
> the regex would not pickup the element and thus not replace it and the 
> password would still appear in the logs.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to