Marcin created CXF-8563:
---------------------------

             Summary: Authorization header logged may contain sensitive data
                 Key: CXF-8563
                 URL: https://issues.apache.org/jira/browse/CXF-8563
             Project: CXF
          Issue Type: Bug
          Components: Services
    Affects Versions: 3.2.14
            Reporter: Marcin


Logging the category {{org.apache.cxf.services}} on INFO level may leak 
personal user passwords (similar to CXF-7070 - HTTP headers logged in debug). 
When users authenticate to a SOAP web service, the full request is 
logged, including the 'Authorization' header. 

Example: *Authorization=[Basic Y29kZW5vdGZvdW5kOnA0NTV3MHJk]*
{code:java}
Address: http://localhost:9090/codenotfound/ws/ticketagent
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml; charset=UTF-8
Headers: {Accept=[*/*], Authorization=[Basic Y29kZW5vdGZvdW5kOnA0NTV3MHJk], 
cache-control=[no-cache], connection=[keep-alive], Content-Length=[181], 
content-type=[text/xml; charset=UTF-8], host=[localhost:9090], 
pragma=[no-cache], SOAPAction=[""], user-agent=[Apache-CXF/3.2.14]}
Payload: <soap:Envelope 
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:listFlightsRequest
 xmlns:ns2="http://example.org/TicketAgent.xsd"/></soap:Body></soap:Envelope>
{code}
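As an added illustration (not part of this issue or of CXF itself), the following Python snippet shows how a log record in the exact shape quoted above can be scrubbed before it is written, and how existing log files can be audited for already-exposed header values. The sample record, the list of sensitive header names and the mask string are assumptions chosen for this example.

```python
import re

# Constructed sample record in the layout the org.apache.cxf.services logger
# produces (modelled on the issue's example, not captured from a live system).
SAMPLE_LOG = """Address: http://localhost:9090/codenotfound/ws/ticketagent
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml; charset=UTF-8
Headers: {Accept=[*/*], Authorization=[Basic Y29kZW5vdGZvdW5kOnA0NTV3MHJk], cache-control=[no-cache], connection=[keep-alive], Content-Length=[181], content-type=[text/xml; charset=UTF-8], host=[localhost:9090], pragma=[no-cache], SOAPAction=[""], user-agent=[Apache-CXF/3.2.14]}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:listFlightsRequest xmlns:ns2="http://example.org/TicketAgent.xsd"/></soap:Body></soap:Envelope>"""

# Header names whose values must never reach a log file (assumed list; extend as needed).
SENSITIVE_HEADERS = ("Authorization", "Proxy-Authorization", "Cookie", "Set-Cookie")
MASK = "***"

# Matches  Name=[value]  entries inside the "Headers: {...}" map, case-insensitively.
_HEADER_RE = re.compile(
    r"(?P<name>" + "|".join(re.escape(h) for h in SENSITIVE_HEADERS) + r")=\[(?P<value>[^\]]*)\]",
    re.IGNORECASE,
)


def _masked_value(name, value):
    """Keep the auth scheme (e.g. 'Basic') so the log still shows which mechanism was used."""
    scheme, sep, _ = value.partition(" ")
    if name.lower() in ("authorization", "proxy-authorization") and sep and scheme.isalpha():
        return f"{scheme} {MASK}"
    return MASK


def redact_headers(log_text):
    """Replace the value of every sensitive header in a CXF log record with the mask."""
    return _HEADER_RE.sub(
        lambda m: f"{m.group('name')}=[{_masked_value(m.group('name'), m.group('value'))}]",
        log_text,
    )


def find_exposed_headers(log_text):
    """Return (line number, header name) for each sensitive header whose value is not masked.

    Intended for auditing log files written before the logger was fixed.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in _HEADER_RE.finditer(line):
            if MASK not in m.group("value"):
                hits.append((lineno, m.group("name")))
    return hits
```

Wire `redact_headers` in as a log filter (or apply it to the interceptor's output) so the credential never lands on disk; run `find_exposed_headers` over archived logs to decide which credentials need rotating.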



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
