[jira] [Commented] (CXF-7070) HTTP headers logged in debug

2016-10-13 Thread Sergey Beryozkin (JIRA)

[ https://issues.apache.org/jira/browse/CXF-7070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15571736#comment-15571736 ]

Sergey Beryozkin commented on CXF-7070:
---

Andy, thanks for the patch. As mentioned earlier, I added a property which would 
allow users to log the values of these headers if preferred; this property is 
disabled by default at the moment.

Cheers, Sergey

> HTTP headers logged in debug
>
> Key: CXF-7070
> URL: https://issues.apache.org/jira/browse/CXF-7070
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Reporter: Fadi Mohsen
> Fix For: 3.2.0, 3.1.8, 3.0.11
>
> We try to avoid logging the Authorization header value in out/in requests; we 
> filter these out in interceptors, but it turns out they are logged anyway in 
> [CXF debug mode|https://github.com/apache/cxf/blob/120d20f47022a76970ff0fb9c9d7413cfe019eb2/rt/transports/http/src/main/java/org/apache/cxf/transport/http/Headers.java#L436]:
> {code}
> if (LOG.isLoggable(Level.FINE)) {
>     LOG.log(Level.FINE, "Request Headers: " + headers.toString());
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
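As an added illustration of the approach the thread settles on (example code, not CXF's own code and not Andy's patch): credential-bearing headers are hidden from the FINE-level log by default, a hypothetical opt-in flag (here a constructor argument standing in for the property Sergey mentions) restores the original behaviour, and, going one step beyond the thread, hidden values are replaced by a keyed fingerprint so the log still records that the same credential appeared on several requests without exposing it. It assumes the headers are a Map<String, List<String>>, as in the quoted snippet's headers.toString() call.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class SensitiveHeaderMasker {
    // Header names whose values carry credentials; compared case-insensitively.
    private static final Set<String> SENSITIVE = new HashSet<>(Arrays.asList(
            "authorization", "proxy-authorization", "cookie", "set-cookie"));
    // Hypothetical opt-in switch (off by default), standing in for the property the thread mentions.
    private final boolean logSensitiveHeaders;
    // Per-process random key: fingerprints correlate within one run but cannot be guessed offline.
    private final byte[] key = new byte[32];
    public SensitiveHeaderMasker(boolean logSensitiveHeaders) {
        this.logSensitiveHeaders = logSensitiveHeaders;
        new SecureRandom().nextBytes(key);
    }

    /** Returns a copy of the headers in which sensitive values are replaced by fingerprints. */
    public Map<String, List<String>> mask(Map<String, List<String>> headers) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            boolean hide = !logSensitiveHeaders && SENSITIVE.contains(e.getKey().toLowerCase(Locale.ROOT));
            out.put(e.getKey(), hide
                    ? e.getValue().stream().map(this::fingerprint).collect(Collectors.toList()) : e.getValue());
        }
        return out;
    }
    /** Keyed SHA-256 prefix of the secret: repeated credentials can still be matched across log lines. */
    String fingerprint(String value) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] d = mac.doFinal(value.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder("<redacted:");
            for (int i = 0; i < 4; i++) sb.append(String.format("%02x", d[i]));
            return sb.append('>').toString();
        } catch (GeneralSecurityException ex) {
            return "<redacted>"; // not expected on a standard JRE; fail closed
        }
    }
    public static void main(String[] args) {
        Map<String, List<String>> h = new LinkedHashMap<>(); // constructed sample request headers
        h.put("Accept", Collections.singletonList("application/json"));
        h.put("Authorization", Collections.singletonList("Bearer constructed-example-token"));
        System.out.println("Request Headers: " + new SensitiveHeaderMasker(false).mask(h));
    }
}
```

Passing `true` to the constructor reproduces the unmasked output the quoted snippet logs today, which is what the opt-in property exists for.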


[jira] [Commented] (CXF-7070) HTTP headers logged in debug

2016-10-13 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/CXF-7070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15571693#comment-15571693 ]

ASF GitHub Bot commented on CXF-7070:
---

Github user asfgit closed the pull request at:

https://github.com/apache/cxf/pull/178



[jira] [Commented] (CXF-7070) HTTP headers logged in debug

2016-10-13 Thread Sergey Beryozkin (JIRA)

[ https://issues.apache.org/jira/browse/CXF-7070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15571669#comment-15571669 ]

Sergey Beryozkin commented on CXF-7070:
---

What I meant was that some Authorization values will not expose anything at all 
to potential attackers; not all Authorization values are semi-clear username and 
password combinations. Also, if the running client is pushing the logs to a 
secure system (and perhaps some CXF users already do it right now), then blocking 
it will be unexpected. However, I guess we can indeed block them by default as 
per Andy's patch, but the property needs to be introduced to let users keep the 
current behaviour in place.



[jira] [Commented] (CXF-7070) HTTP headers logged in debug

2016-10-12 Thread S V Mohana Rao (JIRA)

[ https://issues.apache.org/jira/browse/CXF-7070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15569949#comment-15569949 ]

S V Mohana Rao commented on CXF-7070:
---

But with respect to security, is it okay to pass sensitive data through a header?



[jira] [Commented] (CXF-7070) HTTP headers logged in debug

2016-10-12 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/CXF-7070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15569098#comment-15569098 ]

ASF GitHub Bot commented on CXF-7070:
---

GitHub user andymc12 opened a pull request:

https://github.com/apache/cxf/pull/178

CXF-7070 - Avoid logging sensitive headers



You can merge this pull request into a Git repository by running:

$ git pull https://github.com/andymc12/cxf headers

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/cxf/pull/178.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #178


[jira] [Commented] (CXF-7070) HTTP headers logged in debug

2016-10-11 Thread Sergey Beryozkin (JIRA)

[ https://issues.apache.org/jira/browse/CXF-7070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15564981#comment-15564981 ]

Sergey Beryozkin commented on CXF-7070:
---

Sure, some headers can be considered sensitive; however, completely filtering 
them out will lose the log record of what the actual Authorization/etc. values 
were. For example, if it is an OAuth2 Bearer token which is either encrypted or 
is a simple DB pointer, then dropping it completely from the log record is not 
ideal, similarly to the case where the logs are pushed to a secure file 
system/etc. 
If losing the log records of such values is what is actually needed, then it has 
to be done optionally IMHO (e.g., if a given message or bus property is set).

