[ https://issues.apache.org/jira/browse/CXF-9070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17891831#comment-17891831 ]

Dmytro Sylaiev commented on CXF-9070:
-------------------------------------

Indeed, when I configured the token endpoint to add a Content-Type header, WebClient.RESP_IN shows the masked value for sensitive data.

At the same time, the POST method form parameters are printed to the log by WebConduit whether the logging feature is enabled or not; that seems like a bug to me.

> CXF LoggingFeature still logging sensitive content 
> ---------------------------------------------------
>
>                 Key: CXF-9070
>                 URL: https://issues.apache.org/jira/browse/CXF-9070
>             Project: CXF
>          Issue Type: Bug
>            Reporter: Dmytro Sylaiev
>            Priority: Major
>
> I was trying to enable the LoggingFeature for my CXF client to hide some info in log.debug.
> Here's my code to create a WebClient and invoke the request:
> {noformat}
> LoggingFeature loggingFeature = new LoggingFeature();
> final Slf4jEventSender sender = new Slf4jEventSender();
> loggingFeature.setSender(sender);
> Set<String> secrets = new HashSet<>();
> secrets.add("access_token");
> secrets.add("client_secret");
> loggingFeature.setSensitiveElementNames(secrets);
> loggingFeature.setSensitiveProtocolHeaderNames(secrets);
> this.webClient = WebClient.create(url, Collections.emptyList(), 
> Collections.singletonList(loggingFeature), null);
> ...
> webClient.invoke(...){noformat}
> My HTTP client flow is: I request GET localhost/oauth/form/token with a form query using the client id and client secret, parse the response metadata to get the OAuth2 token, then set this token in the Authorization header of the main request and send GET localhost/oauth/resource.
> Although the logging feature is now active and present in the classpath, and I see it handling logs, there is still sensitive information in the logs:
> {noformat}
> [DEBUG] 16:46:08 org.apache.cxf.transport.http.HTTPConduit- Conduit 
> "{http://localhost:8080/oauth/client_credentials/form/token}WebClient.http-conduit";
>  Transmit cached message to: 
> http://localhost:8080/oauth/client_credentials/form/token: 
> grant_type=client_credentials&client_id=1234567890&client_secret=SECRET1234567890SECRET
> ...
> [INFO ] 16:46:09 org.apache.cxf.services.WebClient.RESP_IN- {
>   "access_token": "a-valide-token",
>   "token_type": "Bearer",
>   "expires_in": 5000
> }{noformat}
> Maybe I am misusing the LoggingFeature configuration, but I did some debugging and am not sure it can be used to hide sensitive information in the URL request (to hide the HTTPConduit log) and in the response payload.
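As an added, stand-alone illustration (not CXF code and not from the reporter): the masking the reporter expected, applied to the two leaked formats shown above (the form-encoded token request and the JSON token response), plus a small check that flags log lines where a configured sensitive name still carries a plain value. The sample lines are reconstructed from the report; the mask token `XXX` and the helper names are assumptions.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode

# Names the reporter registered via setSensitiveElementNames / setSensitiveProtocolHeaderNames
SENSITIVE = {"access_token", "client_secret"}
MASK = "XXX"  # assumed mask token

# Constructed from the log excerpt in the report (not real credentials)
SAMPLE_LOG = [
    '[DEBUG] 16:46:08 org.apache.cxf.transport.http.HTTPConduit- Conduit '
    '"{http://localhost:8080/oauth/client_credentials/form/token}WebClient.http-conduit"; '
    'Transmit cached message to: http://localhost:8080/oauth/client_credentials/form/token: '
    'grant_type=client_credentials&client_id=1234567890&client_secret=SECRET1234567890SECRET',
    '[INFO ] 16:46:09 org.apache.cxf.services.WebClient.RESP_IN- {',
    '  "access_token": "a-valide-token",',
    '  "token_type": "Bearer",',
    '  "expires_in": 5000',
    '}',
]

def mask_form(body: str) -> str:
    """Mask sensitive keys in an application/x-www-form-urlencoded body."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, MASK if k in SENSITIVE else v) for k, v in pairs])

def mask_json(text: str) -> str:
    """Mask sensitive keys anywhere in a JSON document (nested objects and arrays included)."""
    def walk(node):
        if isinstance(node, dict):
            return {k: (MASK if k in SENSITIVE else walk(v)) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return node
    return json.dumps(walk(json.loads(text)), indent=2)

_FORM_RE = re.compile(r"(?:^|[&?])(" + "|".join(map(re.escape, SENSITIVE)) + r")=([^&\s]+)")
_JSON_RES = {k: re.compile(r'"%s"\s*:\s*"([^"]*)"' % re.escape(k)) for k in SENSITIVE}

def find_leaks(lines):
    """Return (line_no, key) for each line exposing an unmasked sensitive value."""
    leaks = []
    for n, line in enumerate(lines, 1):
        leaks += [(n, m.group(1)) for m in _FORM_RE.finditer(line) if m.group(2) != MASK]
        for key, rx in _JSON_RES.items():
            m = rx.search(line)
            if m and m.group(1) != MASK:
                leaks.append((n, key))
    return leaks
```

Running `find_leaks(SAMPLE_LOG)` reports the HTTPConduit line for `client_secret` and the RESP_IN body for `access_token`; after `mask_form` / `mask_json` the same check reports nothing.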



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
