Return-Path: 
 <issues-return-33086-apmail-cxf-issues-archive=cxf.apache.org@cxf.apache.org>
X-Original-To: apmail-cxf-issues-archive@www.apache.org
Delivered-To: apmail-cxf-issues-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 217DE17290
	for <apmail-cxf-issues-archive@www.apache.org>;
 Mon, 26 Jan 2015 14:07:36 +0000 (UTC)
Received: (qmail 25798 invoked by uid 500); 26 Jan 2015 14:07:35 -0000
Delivered-To: apmail-cxf-issues-archive@cxf.apache.org
Received: (qmail 25072 invoked by uid 500); 26 Jan 2015 14:07:35 -0000
Mailing-List: contact issues-help@cxf.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@cxf.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@cxf.apache.org>
List-Post: <mailto:issues@cxf.apache.org>
List-Id: <issues.cxf.apache.org>
Reply-To: dev@cxf.apache.org
Delivered-To: mailing list issues@cxf.apache.org
Received: (qmail 24896 invoked by uid 99); 26 Jan 2015 14:07:35 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 26 Jan 2015 14:07:35 +0000
Date: Mon, 26 Jan 2015 14:07:34 +0000 (UTC)
From: "Donald Kwakkel (JIRA)" <jira@apache.org>
To: issues@cxf.apache.org
Message-ID: <JIRA.12770089.1422281228000.172745.1422281254991@Atlassian.JIRA>
In-Reply-To: <JIRA.12770089.1422281228000@Atlassian.JIRA>
References: <JIRA.12770089.1422281228000@Atlassian.JIRA>
 <JIRA.12770089.1422281228049@arcas>
Subject: [jira] [Created] (CXF-6222) Password can end up in log file
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394

Donald Kwakkel created CXF-6222:
-----------------------------------

             Summary: Password can end up in log file
                 Key: CXF-6222
                 URL: https://issues.apache.org/jira/browse/CXF-6222
             Project: CXF
          Issue Type: Bug
          Components: Core
            Reporter: Donald Kwakkel


In AuthPolicyValidatingInterceptor when a policy has no username, password can end up in log file. 

{code}
 public void handleMessage(Message message) throws Fault {

        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
            String name = null;
            String password = null;
            if (policy != null) {
                name = policy.getUserName();
                password = policy.getPassword();
            }
            org.apache.cxf.common.i18n.Message errorMsg = 
                new org.apache.cxf.common.i18n.Message("NO_USER_PASSWORD", 
                                                       BUNDLE, 
                                                       name, password);
            LOG.warning(errorMsg.toString());
            throw new SecurityException(errorMsg.toString());
        }
{code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)