[ https://issues.apache.org/jira/browse/CXF-8691?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel updated CXF-8691:
------------------------
    Description: 
Hi,

I am trying to use the LoggingFeature within cxf-rt and hide sensitive element 
names.

The code I use looks like the following:

 
{code:java}
LoggingFeature loggingFeature = new LoggingFeature();
loggingFeature.setLogBinary(false);
loggingFeature.setPrettyLogging(true);
loggingFeature.setLogMultipart(false);
loggingFeature.addSensitiveElementNames(new HashSet<>(Arrays.asList("password")));
{code}
Payload:
{code:java}
private final String shortName;

private final char[] password;
{code}
 

Output:

 
{code:java}
[services.MyWebservicePort.REQ_OUT] INFO  - REQ_OUT
    Address: http://<some-url>
    HttpMethod: POST
    Content-Type: application/json
    ExchangeId: 560b73ae-e7e0-4687-9674-19ee72995a08
    Headers: {Accept=text/plain, Accept-Encoding=gzip;q=1.0, identity; q=0.5, *;q=0, Content-Type=application/json}
    Payload: {"shortName":"UserName","password":["G","e","h","e","i","m","1","2","3","!"]}
{code}
As you can see, my password is not hidden in the output of the payload. It is 
important to mention that the field "password" in my code is declared as a 
char-array.

However, if I add "shortName" to the sensitiveElementNames, everything works as 
expected. The shortName is hidden (XXX), due to it being declared as a String.

I looked at the source code and tracked the problem down to a regex. "password" 
is not found, as the value is an array (MaskSensitiveHelper.java)

 

  was:
Hi,

I am trying to use the LoggingFeature within cxf-rt and hide sensitive element 
names.

The code I use looks like the following:

 
{code:java}
LoggingFeature loggingFeature = new LoggingFeature();
loggingFeature.setLogBinary(false);
loggingFeature.setPrettyLogging(true);
loggingFeature.setLogMultipart(false);
loggingFeature.addSensitiveElementNames(new HashSet<>(Arrays.asList("password")));
{code}
Payload:
{code:java}
private final String shortName;

private final char[] password;
{code}
 

Output:

 
{code:java}
[services.ObaWebservicePort.REQ_OUT] INFO  - REQ_OUT
    Address: http://<some-url>
    HttpMethod: POST
    Content-Type: application/json
    ExchangeId: 560b73ae-e7e0-4687-9674-19ee72995a08
    Headers: {Accept=text/plain, Accept-Encoding=gzip;q=1.0, identity; q=0.5, *;q=0, Content-Type=application/json}
    Payload: {"shortName":"UserName","password":["G","e","h","e","i","m","1","2","3","!"]}
{code}
As you can see, my password is not hidden in the output of the payload. It is 
important to mention that the field "password" in my code is declared as a 
char-array.

However, if I add "shortName" to the sensitiveElementNames, everything works as 
expected. The shortName is hidden (XXX), due to it being declared as a String.

I looked at the source code and tracked the problem down to a regex. "password" 
is not found, as the value is an array (MaskSensitiveHelper.java)

 


> Logging Feature - Sensitive element with arrays
> -----------------------------------------------
>
>                 Key: CXF-8691
>                 URL: https://issues.apache.org/jira/browse/CXF-8691
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 3.4.0, 3.5.1
>            Reporter: Daniel
>            Priority: Minor
>              Labels: Logging
>
> Hi,
> I am trying to use the LoggingFeature within cxf-rt and hide sensitive 
> element names.
> The code I use looks like the following:
>  
> {code:java}
> LoggingFeature loggingFeature = new LoggingFeature();
> loggingFeature.setLogBinary(false);
> loggingFeature.setPrettyLogging(true);
> loggingFeature.setLogMultipart(false);
> loggingFeature.addSensitiveElementNames(new HashSet<>(Arrays.asList("password")));
> {code}
> Payload:
> {code:java}
> private final String shortName;
> private final char[] password;
> {code}
>  
> Output:
>  
> {code:java}
> [services.MyWebservicePort.REQ_OUT] INFO  - REQ_OUT
>     Address: http://<some-url>
>     HttpMethod: POST
>     Content-Type: application/json
>     ExchangeId: 560b73ae-e7e0-4687-9674-19ee72995a08
>     Headers: {Accept=text/plain, Accept-Encoding=gzip;q=1.0, identity; q=0.5, *;q=0, Content-Type=application/json}
>     Payload: {"shortName":"UserName","password":["G","e","h","e","i","m","1","2","3","!"]}
> {code}
> As you can see, my password is not hidden in the output of the payload. It is 
> important to mention that the field "password" in my code is declared as a 
> char-array.
> However, if I add "shortName" to the sensitiveElementNames, everything works 
> as expected. The shortName is hidden (XXX), due to it being declared as a 
> String.
> I looked at the source code and tracked the problem down to a regex. 
> "password" is not found, as the value is an array (MaskSensitiveHelper.java)
>  
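
The failure mode described in the report, as an added example that is not part of the original message and is not CXF's code: a masking pattern that only accepts a quoted string after the key leaves a JSON-serialized `char[]` untouched, while a pattern that also accepts a flat array masks it. Both patterns and the class name `ArrayAwareMasking` are assumptions for illustration and do not reproduce the regex in the helper class named in the report.

```java
import java.util.regex.Pattern;

public class ArrayAwareMasking {            // hypothetical class name
    static final String MASK = "\"XXX\"";
    // One JSON string literal, escape sequences included.
    static final String STR = "\"(?:[^\"\\\\]|\\\\.)*\"";

    // Assumed string-only matcher: "name" : "value".
    static Pattern stringOnly(String name) {
        return Pattern.compile("(\"" + Pattern.quote(name) + "\"\\s*:\\s*)" + STR);
    }

    // Array-aware matcher: the value may also be a flat array of scalars.
    static Pattern stringOrArray(String name) {
        String array = "\\[(?:" + STR + "|[^\\]\"])*\\]";
        return Pattern.compile(
            "(\"" + Pattern.quote(name) + "\"\\s*:\\s*)(?:" + STR + "|" + array + ")");
    }

    // Replace the whole matched value with the mask, keeping the key.
    static String mask(Pattern p, String payload) {
        return p.matcher(payload).replaceAll("$1" + MASK);
    }

    public static void main(String[] args) {
        // Payload copied from the log output in the report.
        String payload = "{\"shortName\":\"UserName\",\"password\":"
            + "[\"G\",\"e\",\"h\",\"e\",\"i\",\"m\",\"1\",\"2\",\"3\",\"!\"]}";
        String before = mask(stringOnly("password"), payload);
        String after = mask(stringOrArray("password"), payload);
        System.out.println("string-only : " + before);
        System.out.println("array-aware : " + after);

        // Regression checks a logging test suite could keep.
        if (!before.equals(payload)) {
            throw new AssertionError("string-only pattern should miss the array");
        }
        if (after.contains("\"G\"")) {
            throw new AssertionError("array value leaked into the log line");
        }
        if (!mask(stringOnly("shortName"), payload).contains("\"shortName\":\"XXX\"")) {
            throw new AssertionError("string value should be masked");
        }
    }
}
```

The array-aware pattern covers flat arrays only; nested arrays or objects under a sensitive key need a JSON parser that masks by key rather than a regex.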


