[
https://issues.apache.org/jira/browse/CXF-8563?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17414889#comment-17414889
]
Colm O hEigeartaigh commented on CXF-8563:
------------------------------------------
CXF 3.2.x is not supported any longer, so we won't be backmerging the fix to
here.
> Authorization header logged may contain sensitive data
> ------------------------------------------------------
>
> Key: CXF-8563
> URL: https://issues.apache.org/jira/browse/CXF-8563
> Project: CXF
> Issue Type: Bug
> Components: Services
> Affects Versions: 3.2.14
> Reporter: Marcin Noworzyn
> Priority: Major
>
> Logging the category {{org.apache.cxf.services}} on INFO level may leak
> personal user passwords (similar to CXF-7070 - HTTP headers logged in debug
> ). When users are authenticating to a SOAP web service, the full request is
> logged, including the 'Authorization' header.
> Example: *Authorization=[Basic Y29kZW5vdGZvdW5kOnA0NTV3MHJk]*
> {code:java}
> Address: http://localhost:9090/codenotfound/ws/ticketagent
> Encoding: UTF-8
> Http-Method: POST
> Content-Type: text/xml; charset=UTF-8
> Headers: {Accept=[*/*], Authorization=[Basic Y29kZW5vdGZvdW5kOnA0NTV3MHJk],
> cache-control=[no-cache], connection=[keep-alive], Content-Length=[181],
> content-type=[text/xml; charset=UTF-8], host=[localhost:9090],
> pragma=[no-cache], SOAPAction=[""], user-agent=[Apache-CXF/3.2.14]}
> Payload: <soap:Envelope
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";><soap:Body><ns2:listFlightsRequest
> xmlns:ns2="http://example.org/TicketAgent.xsd"/></soap:Body></soap:Envelope>
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
