activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kamal (JIRA)" <j...@apache.org>
Subject [jira] Updated: (AMQ-2858) ConnectionInfo does not override toString to stop logging actual Password in case of Warning.
Date Wed, 13 Oct 2010 00:14:40 GMT

     [ https://issues.apache.org/activemq/browse/AMQ-2858?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Kamal updated AMQ-2858:
-----------------------

    Description: 
In case of exception as shown below, the ConnectionInfo logged as warning which logs Password
in plain Text. Should have encrypted or log as XXXX or YYYY ... 

If ConnectionInfo override the BaseCommand's toString(Map<String, Object>overrideFields)
method and set Password as XXXXX... this would be better handled. 

WARN  org.apache.activemq.broker.TransportConnection.Service [ActiveMQ Transport Stopper:
/134.42.197.187:2512] - Failed to remove connection ConnectionInfo {commandId = 1, responseRequired
= true, connectionId = 4a6df719-b8ed-4431-a97f-52b93078f021, clientId = 2061e6c0-f8e0-4882-860c-89c3fd7e36db,
userName = YYYYX *password = X2342$*, brokerPath = null, brokerMasterConnector = false, manageable
= false, clientMaster = true}
java.lang.SecurityException: User is not authenticated.
	at org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:52)
	at org.apache.activemq.broker.MutableBrokerFilter.addDestination(MutableBrokerFilter.java:149)
	at org.apache.activemq.broker.region.RegionBroker.send(RegionBroker.java:425)
	at org.apache.activemq.broker.TransactionBroker.send(TransactionBroker.java:224)
	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:439)
	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:369)
	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:364)
	at org.apache.activemq.advisory.AdvisoryBroker.removeConnection(AdvisoryBroker.java:223)
	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
	at org.apache.activemq.broker.MutableBrokerFilter.removeConnection(MutableBrokerFilter.java:117)
	at org.apache.activemq.broker.TransportConnection.processRemoveConnection(TransportConnection.java:709)
	at org.apache.activemq.broker.TransportConnection.doStop(TransportConnection.java:976)
	at org.apache.activemq.broker.jmx.ManagedTransportConnection.doStop(ManagedTransportConnection.java:71)
	at org.apache.activemq.broker.TransportConnection$3.run(TransportConnection.java:907)


  was:

In case of exception as shown below, the ConnectionInfo logged as warning which logs Password
in plain Text. Should have encrypted or log as XXXX or YYYY ... 

If ConnectionInfo override the BaseCommand's toString(Map<String, Object>overrideFields)
method and set Password as XXXXX... this would be better handled. 

WARN  org.apache.activemq.broker.TransportConnection.Service [ActiveMQ Transport Stopper:
/134.42.197.187:2512] - Failed to remove connection ConnectionInfo {commandId = 1, responseRequired
= true, connectionId = 4a6df719-b8ed-4431-a97f-52b93078f021, clientId = 2061e6c0-f8e0-4882-860c-89c3fd7e36db,
userName = YYYYX *password = X2342$*, brokerPath = null, brokerMasterConnector = false, manageable
= false, clientMaster = true}
java.lang.SecurityException: User is not authenticated.
	at org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:52)
	at org.apache.activemq.broker.MutableBrokerFilter.addDestination(MutableBrokerFilter.java:149)
	at org.apache.activemq.broker.region.RegionBroker.send(RegionBroker.java:425)
	at org.apache.activemq.broker.TransactionBroker.send(TransactionBroker.java:224)
	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:439)
	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:369)
	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:364)
	at org.apache.activemq.advisory.AdvisoryBroker.removeConnection(AdvisoryBroker.java:223)
	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
	at org.apache.activemq.broker.MutableBrokerFilter.removeConnection(MutableBrokerFilter.java:117)
	at org.apache.activemq.broker.TransportConnection.processRemoveConnection(TransportConnection.java:709)
	at org.apache.activemq.broker.TransportConnection.doStop(TransportConnection.java:976)
	at org.apache.activemq.broker.jmx.ManagedTransportConnection.doStop(ManagedTransportConnection.java:71)
	at org.apache.activemq.broker.TransportConnection$3.run(TransportConnection.java:907)



This is different than https://issues.apache.org/activemq/browse/AMQ-2499

The exception is logged at WARN level with password in plain text. 



> ConnectionInfo does not override toString to stop logging actual Password in case of
Warning. 
> ----------------------------------------------------------------------------------------------
>
>                 Key: AMQ-2858
>                 URL: https://issues.apache.org/activemq/browse/AMQ-2858
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.3.0
>         Environment: Linux
>            Reporter: Kamal
>            Priority: Critical
>
> In case of exception as shown below, the ConnectionInfo logged as warning which logs
Password in plain Text. Should have encrypted or log as XXXX or YYYY ... 
> If ConnectionInfo override the BaseCommand's toString(Map<String, Object>overrideFields)
method and set Password as XXXXX... this would be better handled. 
> WARN  org.apache.activemq.broker.TransportConnection.Service [ActiveMQ Transport Stopper:
/134.42.197.187:2512] - Failed to remove connection ConnectionInfo {commandId = 1, responseRequired
= true, connectionId = 4a6df719-b8ed-4431-a97f-52b93078f021, clientId = 2061e6c0-f8e0-4882-860c-89c3fd7e36db,
userName = YYYYX *password = X2342$*, brokerPath = null, brokerMasterConnector = false, manageable
= false, clientMaster = true}
> java.lang.SecurityException: User is not authenticated.
> 	at org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:52)
> 	at org.apache.activemq.broker.MutableBrokerFilter.addDestination(MutableBrokerFilter.java:149)
> 	at org.apache.activemq.broker.region.RegionBroker.send(RegionBroker.java:425)
> 	at org.apache.activemq.broker.TransactionBroker.send(TransactionBroker.java:224)
> 	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:439)
> 	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:369)
> 	at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:364)
> 	at org.apache.activemq.advisory.AdvisoryBroker.removeConnection(AdvisoryBroker.java:223)
> 	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
> 	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
> 	at org.apache.activemq.broker.BrokerFilter.removeConnection(BrokerFilter.java:110)
> 	at org.apache.activemq.broker.MutableBrokerFilter.removeConnection(MutableBrokerFilter.java:117)
> 	at org.apache.activemq.broker.TransportConnection.processRemoveConnection(TransportConnection.java:709)
> 	at org.apache.activemq.broker.TransportConnection.doStop(TransportConnection.java:976)
> 	at org.apache.activemq.broker.jmx.ManagedTransportConnection.doStop(ManagedTransportConnection.java:71)
> 	at org.apache.activemq.broker.TransportConnection$3.run(TransportConnection.java:907)

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message