[
https://issues.apache.org/jira/browse/CXF-9070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17891458#comment-17891458
]
Dmytro Sylaiev commented on CXF-9070:
-------------------------------------
Hello [~reta], I was trying with cxf 3.5.9, 3.6.4 and 4.0.5
My dependencies:
{noformat}
cxf-core
cxf-rt-rs-client
cxf-rt-transports-http
cxf-rt-databinding-jaxb
cxf-rt-management
cxf-rt-features-logging{noformat}
> CXF LoggingFeature still logging sensitive content
> ---------------------------------------------------
>
> Key: CXF-9070
> URL: https://issues.apache.org/jira/browse/CXF-9070
> Project: CXF
> Issue Type: Bug
> Reporter: Dmytro Sylaiev
> Priority: Major
>
> I was trying to enable the LoggingFeature for my cxf client to hide some info
> in log.debug:
> Here's my code to create a WebClient and invoke the request:
> {noformat}
> import java.util.Collections;
> import java.util.HashSet;
> import java.util.Set;
> import org.apache.cxf.ext.logging.LoggingFeature;
> import org.apache.cxf.ext.logging.slf4j.Slf4jEventSender;
> import org.apache.cxf.jaxrs.client.WebClient;
>
> LoggingFeature loggingFeature = new LoggingFeature();
> final Slf4jEventSender sender = new Slf4jEventSender();
> loggingFeature.setSender(sender);
> // names to mask both in payload elements and in protocol headers
> Set<String> secrets = new HashSet<>();
> secrets.add("access_token");
> secrets.add("client_secret");
> loggingFeature.setSensitiveElementNames(secrets);
> loggingFeature.setSensitiveProtocolHeaderNames(secrets);
> // register the feature on the client (no providers, default config)
> this.webClient = WebClient.create(url, Collections.emptyList(),
>         Collections.singletonList(loggingFeature), null);
> ...
> webClient.invoke(...){noformat}
> My HTTP client flow is: I am requesting GET localhost/oauth/form/token form
> query using client id and client secret and parsing the response metadata to
> get the oauth2 token and then set this token to the Authorization header to
> the main request and then send GET localhost/oauth/resource
> Although the logging feature is now active and present in the classpath, and I
> see it's handling logs, there's still sensitive information in the logs:
> {noformat}
> [DEBUG] 16:46:08 org.apache.cxf.transport.http.HTTPConduit- Conduit
> "{http://localhost:8080/oauth/client_credentials/form/token}WebClient.http-conduit"
> Transmit cached message to:
> http://localhost:8080/oauth/client_credentials/form/token:
> grant_type=client_credentials&client_id=1234567890&client_secret=SECRET1234567890SECRET
> ...
> [INFO ] 16:46:09 org.apache.cxf.services.WebClient.RESP_IN- {
> "access_token": "a-valide-token",
> "token_type": "Bearer",
> "expires_in": 5000
> }{noformat}
> Maybe I am misusing the LoggingFeature configuration, but I did some debugging
> and I'm not sure it can be used to hide sensitive information in the URL request
> (to hide the HTTPConduit log) and in the response payload.
>
>
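As an added example, not from the issue or from CXF itself: a LogEventSender wrapper that redacts the form fields and JSON members named in the report before handing the event to Slf4jEventSender, which covers the two payload shapes the report shows (a form-encoded token request and a JSON token response). The class name MaskingEventSender and the helper loggingFeature(...) are assumed; the CXF types are the ones the report's own code uses.

```java
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.cxf.ext.logging.LoggingFeature;
import org.apache.cxf.ext.logging.event.LogEvent;
import org.apache.cxf.ext.logging.event.LogEventSender;
import org.apache.cxf.ext.logging.slf4j.Slf4jEventSender;

// Hypothetical sender: redacts named form fields and JSON members in the
// logged address and payload, then delegates to the real sender.
public class MaskingEventSender implements LogEventSender {
    private static final String MASK = "XXX";
    private final LogEventSender delegate;
    private final Pattern formPattern;
    private final Pattern jsonPattern;

    public MaskingEventSender(LogEventSender delegate, Set<String> secrets) {
        this.delegate = delegate;
        String names = secrets.stream().map(Pattern::quote).collect(Collectors.joining("|"));
        // name=value in x-www-form-urlencoded bodies and in query strings
        this.formPattern = Pattern.compile("(?<![\\w])(" + names + ")=[^&\\s]*");
        // "name": "value" or "name": 123 in JSON bodies
        this.jsonPattern = Pattern.compile(
            "\"(" + names + ")\"\\s*:\\s*(?:\"(?:[^\"\\\\]|\\\\.)*\"|[^,}\\]\\s]+)");
    }

    String mask(String text) {
        if (text == null) {
            return null;   // events without a body or address carry null here
        }
        String masked = formPattern.matcher(text).replaceAll("$1=" + MASK);
        return jsonPattern.matcher(masked).replaceAll("\"$1\": \"" + MASK + "\"");
    }

    @Override
    public void send(LogEvent event) {
        event.setAddress(mask(event.getAddress()));
        event.setPayload(mask(event.getPayload()));
        delegate.send(event);
    }

    // Wires the sender into a LoggingFeature the same way the report does.
    public static LoggingFeature loggingFeature(Set<String> secrets) {
        LoggingFeature feature = new LoggingFeature();
        feature.setSender(new MaskingEventSender(new Slf4jEventSender(), secrets));
        feature.setSensitiveProtocolHeaderNames(secrets);   // headers are masked by CXF itself
        return feature;
    }
}
```

The "Transmit cached message to:" line in the report is written by the org.apache.cxf.transport.http.HTTPConduit logger, not by the LoggingFeature, so no sender can rewrite it; the way to keep that body out of the logs is to leave that logger above DEBUG in the logging configuration.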
--
This message was sent by Atlassian Jira
(v8.20.10#820010)