[
https://issues.apache.org/jira/browse/CXF-8563?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17383203#comment-17383203
]
Colm O hEigeartaigh commented on CXF-8563:
------------------------------------------
The old logging framework is deprecated, the newer one has the ability to
configure some headers to exclude:
https://cxf.apache.org/docs/message-logging.html
> Authorization header logged may contain sensitive data
> ------------------------------------------------------
>
> Key: CXF-8563
> URL: https://issues.apache.org/jira/browse/CXF-8563
> Project: CXF
> Issue Type: Bug
> Components: Services
> Affects Versions: 3.2.14
> Reporter: Marcin
> Priority: Major
>
> Logging the category {{org.apache.cxf.services}} on INFO level may leak
> personal user passwords (similar to CXF-7070 - HTTP headers logged in debug
> ). When users are authenticating to a SOAP web service, the full request is
> logged, including the 'Authorization' header.
> Example: *Authorization=[Basic Y29kZW5vdGZvdW5kOnA0NTV3MHJk]*
> {code:java}
> Address: http://localhost:9090/codenotfound/ws/ticketagent
> Encoding: UTF-8
> Http-Method: POST
> Content-Type: text/xml; charset=UTF-8
> Headers: {Accept=[*/*], Authorization=[Basic Y29kZW5vdGZvdW5kOnA0NTV3MHJk],
> cache-control=[no-cache], connection=[keep-alive], Content-Length=[181],
> content-type=[text/xml; charset=UTF-8], host=[localhost:9090],
> pragma=[no-cache], SOAPAction=[""], user-agent=[Apache-CXF/3.2.14]}
> Payload: <soap:Envelope
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";><soap:Body><ns2:listFlightsRequest
> xmlns:ns2="http://example.org/TicketAgent.xsd"/></soap:Body></soap:Envelope>
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
