From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-7070) HTTP headers logged in debug
Date Thu, 13 Oct 2016 11:41:20 GMT

    [ https://issues.apache.org/jira/browse/CXF-7070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15571669#comment-15571669
] 

Sergey Beryozkin commented on CXF-7070:
---------------------------------------

What I meant was that some Authorization values will not expose anything at all to potential
attackers; not all Authorization values are semi-clear username and password combinations.
Also, if the client that is running is pushing the logs to the secure system (and perhaps some CXF
users already do it right now), then blocking it will be unexpected. However, I guess we can
indeed block them by default as per Andy's patch, but the property needs to be introduced
to let users keep the current behaviour in place.

> HTTP headers logged in debug
> ----------------------------
>
>                 Key: CXF-7070
>                 URL: https://issues.apache.org/jira/browse/CXF-7070
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>            Reporter: Fadi Mohsen
>
> We try to avoid logging the authorization header value in out/in requests; we filtered
> these out in interceptors, but it turns out they are logged anyway in [CXF debug mode|https://github.com/apache/cxf/blob/120d20f47022a76970ff0fb9c9d7413cfe019eb2/rt/transports/http/src/main/java/org/apache/cxf/transport/http/Headers.java#L436]:
> {code}
>         if (LOG.isLoggable(Level.FINE)) {
>             LOG.log(Level.FINE, "Request Headers: " + headers.toString());
>         }
> {code}
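The following is an added illustration of the mitigation being discussed in this thread (masking credential-bearing header values in the FINE-level log line by default, with an opt-out property so existing deployments can keep the old behaviour). It is example code written for this page, not CXF's own `Headers` class or Andy's patch, and the property name `example.http.logSensitiveHeaders` and the class `MaskedHeaderLogger` are hypothetical names chosen for the example:

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Illustrative header-logging helper (example code, not CXF code).
 * Sensitive header values are replaced with a fixed marker before the
 * header map is rendered into the FINE log line, unless a hypothetical
 * opt-out property is set. This mirrors the proposal in the thread:
 * mask by default, let users keep the current behaviour via a property.
 */
public class MaskedHeaderLogger {

    private static final Logger LOG = Logger.getLogger(MaskedHeaderLogger.class.getName());

    // Hypothetical property name for this example; it is NOT a real CXF property.
    public static final String LOG_SENSITIVE_HEADERS_PROPERTY = "example.http.logSensitiveHeaders";

    // Headers whose values carry credentials or session material.
    // Lookups are lower-cased because HTTP header names are case-insensitive.
    private static final Set<String> SENSITIVE_HEADERS = new HashSet<>(Arrays.asList(
        "authorization", "proxy-authorization", "cookie", "set-cookie"));

    private static final String MASK = "***";

    /** Returns a copy of the headers in which sensitive values are replaced by the mask. */
    public static Map<String, List<String>> mask(Map<String, List<String>> headers, boolean logSensitive) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            String name = e.getKey();
            boolean sensitive = !logSensitive
                && name != null
                && SENSITIVE_HEADERS.contains(name.toLowerCase(Locale.ROOT));
            if (sensitive) {
                // Keep the header name so the log still shows it was present,
                // but hide every value (a header may carry several values).
                out.put(name, Collections.nCopies(e.getValue().size(), MASK));
            } else {
                out.put(name, e.getValue());
            }
        }
        return out;
    }

    /**
     * Mirrors the FINE-level logging shown in the issue, with masking applied
     * first. The rendered line is returned so callers can inspect it.
     */
    public static String logRequestHeaders(Map<String, List<String>> headers) {
        // Boolean.getBoolean reads a JVM system property and defaults to false,
        // so masking is the default and must be switched off explicitly.
        boolean logSensitive = Boolean.getBoolean(LOG_SENSITIVE_HEADERS_PROPERTY);
        String rendered = "Request Headers: " + mask(headers, logSensitive);
        if (LOG.isLoggable(Level.FINE)) {
            LOG.log(Level.FINE, rendered);
        }
        return rendered;
    }

    public static void main(String[] args) {
        // Constructed sample headers for the demonstration; values are placeholders.
        Map<String, List<String>> headers = new LinkedHashMap<>();
        headers.put("Content-Type", Arrays.asList("application/json"));
        headers.put("Authorization", Arrays.asList("Bearer example-token"));
        headers.put("Cookie", Arrays.asList("JSESSIONID=example-session"));
        System.out.println(logRequestHeaders(headers));
    }
}
```

Run with `java MaskedHeaderLogger` to see the masked line, and with `java -Dexample.http.logSensitiveHeaders=true MaskedHeaderLogger` to see the unmasked (current) behaviour. The check is done on the header name rather than on the value's shape, which is why a Bearer token, an opaque signed value and a Basic credential are all hidden alike; that is the safer default given the thread's point that not every Authorization value is a semi-clear username and password.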



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
