[jira] [Commented] (QPIDJMS-588) when invalid failover URI supplied, password can be present in log file
[ https://issues.apache.org/jira/browse/QPIDJMS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17723197#comment-17723197 ]

Robbie Gemmell commented on QPIDJMS-588:
----------------------------------------

It should throw an IllegalArgumentException, as it already does in the regular/non-failover URI case, since the userinfo presence is not considered valid and will not be used. I already have a change mostly done for this; I just still have to give it a check over and tidy up before pushing.

> when invalid failover URI supplied, password can be present in log file
> -----------------------------------------------------------------------
>
>                 Key: QPIDJMS-588
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-588
>             Project: Qpid JMS
>          Issue Type: Bug
>          Components: qpid-jms-client
>    Affects Versions: 2.2.0
>         Environment: We are currently using Apache Qpid 2.2.0
>            Reporter: Patrick Gell
>            Priority: Minor
>              Labels: password, security
>
> If I have a failover URL with `user:password` configured, then the password is
> logged in plain text.
>
> BrokerURL:
> failover:(amqp://myactivemquser:my-secure-password@localhost:5672)
>
> Log extract:
> 2023-05-15 13:04:42.484  INFO [localhost:5672]] org.apache.qpid.jms.JmsConnection : Connection ID:83323730-746c-4430-988f-e9e5f699dc1c:1 connected to server: amqp://myactivemquser:my-secure-password@localhost:5672
>
> Expected behaviour:
> The password is masked in the log, or an IllegalArgumentException is thrown
> similar to the non-failover URL:
> amqp://myactivemquser:my-secure-password@localhost:5672 results in a
> ...
> Caused by: java.lang.IllegalArgumentException: The supplied URI cannot contain a User-Info section
>     at org.apache.qpid.jms.JmsConnectionFactory.setRemoteURI(JmsConnectionFactory.java:406)
>     at org.amqphub.spring.boot.jms.autoconfigure.AMQP10JMSConnectionFactoryFactory.createConnectionFactory(AMQP10JMSConnectionFactoryFactory.java:66)
>     ... 69 common frames omitted

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
[jira] [Commented] (QPIDJMS-588) when invalid failover URI supplied, password can be present in log file
[ https://issues.apache.org/jira/browse/QPIDJMS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17722984#comment-17722984 ]

Patrick Gell commented on QPIDJMS-588:
--------------------------------------

Thanks for the fast reply.

What should be the correct handling of such a URL? Throw an IllegalArgumentException?

I could have a look into it and provide a pull request for that.

Best regards,
Patrick
[jira] [Commented] (QPIDJMS-588) when invalid failover URI supplied, password can be present in log file
[ https://issues.apache.org/jira/browse/QPIDJMS-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17722786#comment-17722786 ]

Robbie Gemmell commented on QPIDJMS-588:
----------------------------------------

This presumably happens because the code in the ConnectionFactory which normally rejects the invalid presence of userinfo detail in the base URI doesn't apply to failover URIs, which are instead handled later by the failover provider to extract individual server details, which presumably isn't enforcing the same check for invalid presence of userinfo detail in the base URI.

The later created Connection then doesn't anticipate userinfo being present in its base URI, since it is not considered valid to be there in the client URI, and it then logs the base URI (first stripping the query, that might have had user detail props contained).

For now: remove the invalid userinfo detail from your URI; it isn't being used from there anyway.
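The two comments from Robbie Gemmell in this thread describe the gap (comment 17722786: the ConnectionFactory rejects userinfo in a plain URI, but the failover provider, which splits a failover URI into its nested server URIs, does not, and the Connection later logs that URI) and the intended fix (comment 17723197: throw an IllegalArgumentException for the failover case too). The class below is an added, stand-alone illustration of that check and is not Qpid JMS project code. It uses only java.net.URI, so it compiles against a plain JDK without the Qpid client. It splits a failover URI into its nested URIs, rejects any that carries a userinfo section with the same exception type the plain-URI path throws, and shows a redaction step for the case where a URI must be logged anyway. The class and method names (FailoverUriCheck, nestedUris, validate, redact), the two regexes, and the sample URIs are assumptions made for the example; the exception message text is copied from the stack trace in the report. Credentials themselves belong in ConnectionFactory.createConnection(user, password) or the client's configured credential options, never in the host part of the URI.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not Qpid JMS code): apply the same "no userinfo" check to
 * every nested URI inside a failover URI that the plain-URI path already
 * applies, and redact credentials before a URI is written to a log.
 */
public class FailoverUriCheck {

    private static final String FAILOVER_PREFIX = "failover:";

    /**
     * Splits "failover:(uri1,uri2,...)?failover.options" into its nested URIs.
     * Hypothetical helper; the failover options after the closing ')' are ignored here.
     */
    static List<URI> nestedUris(String failoverUri) throws URISyntaxException {
        if (!failoverUri.startsWith(FAILOVER_PREFIX)) {
            throw new IllegalArgumentException("Not a failover URI: " + redact(failoverUri));
        }
        int open = failoverUri.indexOf('(');
        int close = failoverUri.lastIndexOf(')');
        if (open < 0 || close < open) {
            throw new IllegalArgumentException("Malformed failover URI: " + redact(failoverUri));
        }
        List<URI> result = new ArrayList<>();
        for (String part : failoverUri.substring(open + 1, close).split(",")) {
            result.add(new URI(part.trim()));
        }
        return result;
    }

    /**
     * Rejects the failover URI if any nested URI carries a userinfo section,
     * mirroring the check the plain-URI path performs (message text taken from
     * the stack trace in the report). Returns the nested URIs when all are clean.
     */
    static List<URI> validate(String failoverUri) throws URISyntaxException {
        List<URI> uris = nestedUris(failoverUri);
        for (URI uri : uris) {
            if (uri.getUserInfo() != null) {
                // Never echo the offending URI unredacted: the exception may end up in a log.
                throw new IllegalArgumentException(
                        "The supplied URI cannot contain a User-Info section: " + redact(uri.toString()));
            }
        }
        return uris;
    }

    /**
     * Masks "scheme://user:secret@" to "scheme://user:***@" and a jms.password=...
     * query option to jms.password=***. Regexes are illustrative assumptions; they
     * operate on the raw string so they also work on URIs that fail to parse.
     */
    static String redact(String uri) {
        return uri
                .replaceAll("(://[^/@:]*):[^@/]*@", "$1:***@")
                .replaceAll("(jms\\.password=)[^&]*", "$1***");
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed inputs modelled on the report; the password is a placeholder.
        String bad = "failover:(amqp://myactivemquser:my-secure-password@localhost:5672)";
        String good = "failover:(amqp://localhost:5672,amqps://backup:5671)?failover.maxReconnectAttempts=3";

        System.out.println("safe to log: " + redact(bad));
        System.out.println("accepted nested URIs: " + validate(good));
        try {
            validate(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac FailoverUriCheck.java && java FailoverUriCheck`. The check lives at configuration time, so a misconfigured URI fails fast at startup instead of surfacing only in an INFO line at connect time; the redact step is a second line of defence for any code path that still logs a URI string.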