[jira] [Commented] (QPIDJMS-588) when invalid failover URI supplied, password can be present in log file

2023-05-16 Thread Robbie Gemmell (Jira)


[ 
https://issues.apache.org/jira/browse/QPIDJMS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17723197#comment-17723197
 ] 

Robbie Gemmell commented on QPIDJMS-588:


It should throw an IllegalArgumentException, as it already does in the 
regular/non-failover URI case, since the userinfo presence is not considered 
valid and will not be used.

I already have a change mostly done for this, just still to give it a check 
over and tidy up before pushing.

> when invalid failover URI supplied, password can be present in log file
> ---
>
> Key: QPIDJMS-588
> URL: https://issues.apache.org/jira/browse/QPIDJMS-588
> Project: Qpid JMS
>  Issue Type: Bug
>  Components: qpid-jms-client
>Affects Versions: 2.2.0
> Environment: We are currently using Apache Qpid 2.2.0
>Reporter: Patrick Gell
>Priority: Minor
>  Labels: password, security
>
> If I have a failover URL with `user:password` configured then the password is 
> logged in plain text.
> BrokerURL: 
> failover:(amqp://myactivemquser:my-secure-password@localhost:5672)
> Log extract:
> 2023-05-15 13:04:42.484  INFO [localhost:5672]] 
> org.apache.qpid.jms.JmsConnection        : Connection 
> ID:83323730-746c-4430-988f-e9e5f699dc1c:1 connected to server: 
> amqp://myactivemquser:my-secure-password@localhost:5672
>  
> Expected behaviour:
> The password is masked in the log or an IllegalArgumentException is thrown 
> similar to the non-failover URL:
> amqp://myactivemquser:my-secure-password@localhost:5672 results in a 
> ...
> Caused by: java.lang.IllegalArgumentException: The supplied URI cannot 
> contain a User-Info section
>     at 
> org.apache.qpid.jms.JmsConnectionFactory.setRemoteURI(JmsConnectionFactory.java:406)
>     at 
> org.amqphub.spring.boot.jms.autoconfigure.AMQP10JMSConnectionFactoryFactory.createConnectionFactory(AMQP10JMSConnectionFactoryFactory.java:66)
>     ... 69 common frames omitted
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org



[jira] [Commented] (QPIDJMS-588) when invalid failover URI supplied, password can be present in log file

2023-05-15 Thread Patrick Gell (Jira)


[ 
https://issues.apache.org/jira/browse/QPIDJMS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17722984#comment-17722984
 ] 

Patrick Gell commented on QPIDJMS-588:
--

Thanks for the fast reply.

What should be the correct handling of such a URL? Throw an 
IllegalArgumentException?

I could have a look into it and provide a pull request for that.

 

Best regards,

Patrick




[jira] [Commented] (QPIDJMS-588) when invalid failover URI supplied, password can be present in log file

2023-05-15 Thread Robbie Gemmell (Jira)


[ 
https://issues.apache.org/jira/browse/QPIDJMS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17722786#comment-17722786
 ] 

Robbie Gemmell commented on QPIDJMS-588:


This presumably happens because the code in the ConnectionFactory which 
normally rejects the invalid presence of userinfo detail in the base URI 
doesn't apply to failover URIs, which are instead handled later by the failover 
provider to extract individual server details, and that presumably isn't enforcing 
the same check for invalid presence of userinfo detail in the base URI. The 
later-created Connection then doesn't anticipate userinfo being present in its 
base URI, since it is not considered valid to be there in the client URI, and it 
then logs the base URI (first stripping the query, which might have had user 
detail props contained). For now: remove the invalid userinfo detail from your 
URI; it isn't being used from there anyway.

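As an added illustration, not Qpid JMS code and not the change Robbie describes above: a hypothetical FailoverUriCheck class that applies the userinfo rejection from the non-failover path to each URI nested inside failover:(...), and redacts userinfo before a URI is logged, covering both expected behaviours the report lists. The class name, its methods and the simple failover parsing are assumptions made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper, not Qpid JMS code: apply the userinfo rejection that the
// non-failover path already performs to every URI nested inside failover:(...),
// and redact userinfo before any URI reaches a log line.
public final class FailoverUriCheck {
    // Split failover:(a,b,...)?opts into its nested URIs; a plain URI passes through.
    static List<String> nestedUris(String remoteUri) {
        if (!remoteUri.startsWith("failover:")) {
            return List.of(remoteUri);
        }
        int open = remoteUri.indexOf('(');
        int close = remoteUri.lastIndexOf(')');
        if (open < 0 || close < open) {
            throw new IllegalArgumentException("Malformed failover URI: " + redact(remoteUri));
        }
        List<String> parts = new ArrayList<>();
        for (String part : remoteUri.substring(open + 1, close).split(",")) {
            parts.add(part.trim());
        }
        return parts;
    }

    // Throw for a User-Info section in any component, mirroring the non-failover check.
    static void rejectUserInfo(String remoteUri) {
        for (String part : nestedUris(remoteUri)) {
            try {
                if (new URI(part).getUserInfo() != null) {
                    throw new IllegalArgumentException("The supplied URI cannot contain a User-Info section");
                }
            } catch (URISyntaxException e) {
                throw new IllegalArgumentException("Invalid URI: " + redact(part), e);
            }
        }
    }

    // Mask "user:password@" so a URI is safe to log even if a check was bypassed.
    static String redact(String remoteUri) {
        return remoteUri.replaceAll("//[^/@\\s]+@", "//***@");
    }

    public static void main(String[] args) {
        // Constructed sample input: the first component carries credentials, the second does not.
        String bad = "failover:(amqp://user:secret@localhost:5672,amqp://localhost:5673)";
        System.out.println("log-safe form: " + redact(bad));
        rejectUserInfo(bad); // throws, because the first component carries user:secret
    }
}
```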