Return-Path: Delivered-To: apmail-openjpa-dev-archive@www.apache.org Received: (qmail 93026 invoked from network); 4 Jun 2010 14:39:16 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 4 Jun 2010 14:39:16 -0000 Received: (qmail 73839 invoked by uid 500); 4 Jun 2010 14:39:16 -0000 Delivered-To: apmail-openjpa-dev-archive@openjpa.apache.org Received: (qmail 73794 invoked by uid 500); 4 Jun 2010 14:39:15 -0000 Mailing-List: contact dev-help@openjpa.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@openjpa.apache.org Delivered-To: mailing list dev@openjpa.apache.org Received: (qmail 73786 invoked by uid 99); 4 Jun 2010 14:39:15 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 04 Jun 2010 14:39:15 +0000 X-ASF-Spam-Status: No, hits=-1497.8 required=10.0 tests=ALL_TRUSTED,AWL X-Spam-Check-By: apache.org Received: from [140.211.11.22] (HELO thor.apache.org) (140.211.11.22) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 04 Jun 2010 14:39:14 +0000 Received: from thor (localhost [127.0.0.1]) by thor.apache.org (8.13.8+Sun/8.13.8) with ESMTP id o54EcsZW013375 for ; Fri, 4 Jun 2010 14:38:54 GMT Message-ID: <6782330.183041275662334120.JavaMail.jira@thor> Date: Fri, 4 Jun 2010 10:38:54 -0400 (EDT) From: "Michael Dick (JIRA)" To: dev@openjpa.apache.org Subject: [jira] Commented: (OPENJPA-1678) SQL Parameter values may contain sensitive information and should not be logged by default. In-Reply-To: <17391932.134561275496596201.JavaMail.jira@thor> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/OPENJPA-1678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12875613#action_12875613 ] Michael Dick commented on OPENJPA-1678: --------------------------------------- Hi Pinaki, I think this is orthogonal to the level of tracing used. While it's often useful in conjunction with other tracing the two should not be tied together. You should be able to see parameters in your exception text (if you so desire) without enabling logging for example. I'm not entirely sold on introducing a new log level in service either. For the time being I'm going to treat this as a bug with openjpa.ConnectionFactoryProperties.TrackParameters and fix it that way (the cfProps patch). > SQL Parameter values may contain sensitive information and should not be logged by default. > ------------------------------------------------------------------------------------------- > > Key: OPENJPA-1678 > URL: https://issues.apache.org/jira/browse/OPENJPA-1678 > Project: OpenJPA > Issue Type: Bug > Affects Versions: 1.0.3, 1.1.0, 1.2.2, 2.0.0, 2.1.0 > Reporter: Michael Dick > Assignee: Michael Dick > Fix For: 1.0.4, 1.2.3, 2.0.1, 2.1.0 > > Attachments: OPENJPA-1678-openjpa.CFProps.1.2.x.patch.txt, OPENJPA-1678-openjpa.Log.1.2.x.patch.txt > > > The values for parameters used in our SQL statements may contain sensitive information (e.g. social security numbers). By default these values are printed in the exception message and in SQL trace. Having the values printed can be a great help when debugging an application - but presents a risk when used in production. > To resolve the issue I propose to disable printing the parameter values by default. The parameter values will still be tracked internally - but will not be displayed in exception messages or trace unless the following property is set : > -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.