openjpa-dev mailing list archives

From "Michael Dick (JIRA)" <j...@apache.org>
Subject [jira] Commented: (OPENJPA-1678) SQL Parameter values may contain sensitive information and should not be logged by default.
Date Wed, 02 Jun 2010 18:53:42 GMT

    [ https://issues.apache.org/jira/browse/OPENJPA-1678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12874739#action_12874739 ]

Michael Dick commented on OPENJPA-1678:
---------------------------------------

I thought about that too. The problem is that it isn't just logging that we're concerned with
- we need to alter the toString on LoggingConnectionDecorator.LoggingPreparedStatement (from
memory). LoggingConnectionDecorator is already aware of some of this - there's a trackParameters
property which does similar things - but it's not quite what we need here.

What I hadn't considered (until now) is skipping the LoggingConnectionDecorator unless this
property is enabled. That might work - not sure offhand what it would do to the rest of SQL
or JDBC logging though. 

> SQL Parameter values may contain sensitive information and should not be logged by default.
> -------------------------------------------------------------------------------------------
>
>                 Key: OPENJPA-1678
>                 URL: https://issues.apache.org/jira/browse/OPENJPA-1678
>             Project: OpenJPA
>          Issue Type: Bug
>    Affects Versions: 1.0.3, 1.1.0, 1.2.2, 2.0.0, 2.1.0
>            Reporter: Michael Dick
>            Assignee: Michael Dick
>             Fix For: 1.0.4, 1.2.3, 2.0.1, 2.1.0
>
>
> The values for parameters used in our SQL statements may contain sensitive information
> (e.g. social security numbers). By default these values are printed in the exception message
> and in SQL trace. Having the values printed can be a great help when debugging an application
> - but presents a risk when used in production.
> To resolve the issue I propose to disable printing the parameter values by default. The
> parameter values will still be tracked internally - but will not be displayed in exception
> messages or trace unless the following property is set:
> <property name="openjpa.ConnectionFactoryProperties" value="printParameters=true"/>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
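Added example, not OpenJPA's own code: a self-contained sketch of the behaviour the issue proposes, a statement wrapper that keeps the bound parameter values internally (so they are available when printing is turned on) but leaves them out of the text used for SQL trace and exception messages unless printParameters is enabled. The class names TrackedStatement and RedactingStatementLogger, the toString layout, and the assumption that openjpa.ConnectionFactoryProperties is a comma-separated list of key=value pairs are illustrative assumptions; the real LoggingConnectionDecorator.LoggingPreparedStatement is not reproduced here.

```java
// Added example (not OpenJPA code). Demonstrates the secure default the
// issue asks for: parameter values are tracked but never rendered into
// log or exception text unless printParameters=true is configured.
import java.util.Map;
import java.util.TreeMap;

public class RedactingStatementLogger {

    /** Hypothetical stand-in for a logging PreparedStatement wrapper. */
    static final class TrackedStatement {
        private final String sql;
        private final boolean printParameters;
        // Values are kept so a debug build can still show them on demand.
        private final Map<Integer, Object> params = new TreeMap<>();

        TrackedStatement(String sql, boolean printParameters) {
            this.sql = sql;
            this.printParameters = printParameters;
        }

        void setObject(int index, Object value) {
            params.put(index, value);
        }

        /** Text that would go into SQL trace and exception messages. */
        @Override
        public String toString() {
            StringBuilder sb = new StringBuilder(sql);
            if (params.isEmpty()) {
                return sb.toString();
            }
            sb.append(" [params=");
            if (printParameters) {
                // Full values: only acceptable when explicitly enabled for debugging.
                sb.append(params);
            } else {
                // Positions and count only; the values themselves never reach the log.
                sb.append(params.size()).append(" bound, values hidden");
            }
            return sb.append("]").toString();
        }
    }

    /**
     * Reads printParameters from a "key=value, key=value" string in the style
     * of openjpa.ConnectionFactoryProperties (format is an assumption here).
     * Anything missing or unparsable yields false, i.e. the secure default.
     */
    static boolean printParametersEnabled(String connectionFactoryProperties) {
        if (connectionFactoryProperties == null) {
            return false;
        }
        for (String kv : connectionFactoryProperties.split(",")) {
            String[] pair = kv.trim().split("=", 2);
            if (pair.length == 2 && pair[0].trim().equalsIgnoreCase("printParameters")) {
                return Boolean.parseBoolean(pair[1].trim());
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String sql = "SELECT * FROM person WHERE ssn = ? AND last_name = ?";
        // Constructed sample values; not taken from any real system.
        String ssn = "123-45-6789";

        // Production-style configuration: property absent, so nothing is printed.
        TrackedStatement prod = new TrackedStatement(sql, printParametersEnabled(null));
        prod.setObject(1, ssn);
        prod.setObject(2, "Doe");
        System.out.println("default : " + prod);

        // Debug configuration: operator opted in, values appear in the trace.
        TrackedStatement debug = new TrackedStatement(sql,
                printParametersEnabled("printParameters=true"));
        debug.setObject(1, ssn);
        debug.setObject(2, "Doe");
        System.out.println("opted-in: " + debug);
    }
}
```

The design point is that redaction happens in toString itself rather than in the logger, which matches the comment above about LoggingPreparedStatement: any caller that stringifies the statement (a log appender, an exception message builder, a debugger) gets the same redacted form, so a new code path cannot accidentally leak the values.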

