CXF / CXF-6222

Password can end up in log file

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 3.0.4, 2.7.15
    • Core
    • None
    • Unknown

    Description

      In AuthPolicyValidatingInterceptor, when a policy has no username, the password can end up in the log file.

       public void handleMessage(Message message) throws Fault {
      
              AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
              if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
                  String name = null;
                  String password = null;
                  if (policy != null) {
                      name = policy.getUserName();
                      password = policy.getPassword();
                  }
                  org.apache.cxf.common.i18n.Message errorMsg = 
                      new org.apache.cxf.common.i18n.Message("NO_USER_PASSWORD", 
                                                             BUNDLE, 
                                                             name, password);
                  LOG.warning(errorMsg.toString());
                  throw new SecurityException(errorMsg.toString());
              }
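
One way to write the same check so that the secret reaches neither the log nor the exception message, which carries the same string in the code above. This is an added example, not CXF's code and not the fix committed for this issue; `Policy`, the message template and the sample password are hypothetical stand-ins for `AuthorizationPolicy`, the `NO_USER_PASSWORD` bundle entry and a real credential.

```java
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class RedactedAuthCheck {
    // Hypothetical stand-in for CXF's AuthorizationPolicy (record syntax needs Java 16+).
    record Policy(String userName, String password) { }
    // Constructed template; the real NO_USER_PASSWORD bundle text is not shown in the report.
    static final String TEMPLATE = "No username or password available (user: {0}, password: {1})";
    static final Logger LOG = Logger.getLogger(RedactedAuthCheck.class.getName());

    // Same condition as the reported code, but only the presence of a password
    // is recorded, never its value.
    static void validate(Policy policy) {
        if (policy == null || policy.userName() == null || policy.password() == null) {
            String name = policy == null ? null : policy.userName();
            String passwordState = policy != null && policy.password() != null
                ? "<provided>" : "<missing>";
            String errorMsg = MessageFormat.format(TEMPLATE, name, passwordState);
            LOG.warning(errorMsg);
            throw new SecurityException(errorMsg);
        }
    }

    public static void main(String[] args) {
        // Capture log records in memory so the check below can inspect them.
        List<String> captured = new ArrayList<>();
        Handler handler = new Handler() {
            @Override public void publish(LogRecord r) { captured.add(r.getMessage()); }
            @Override public void flush() { }
            @Override public void close() { }
        };
        LOG.addHandler(handler);
        LOG.setUseParentHandlers(false);
        String secret = "s3cr3t-constructed"; // constructed sample value
        String thrown = "";
        try {
            validate(new Policy(null, secret)); // the case from the report: no username
        } catch (SecurityException e) {
            thrown = e.getMessage();
        }
        boolean leaked = thrown.contains(secret)
            || captured.stream().anyMatch(m -> m.contains(secret));
        System.out.println("logged: " + captured);
        if (leaked) throw new AssertionError("password reached log or exception");
    }
}
```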
      

          People

            coheigea Colm O hEigeartaigh
            dkwakkel Donald Kwakkel