Description
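In AuthPolicyValidatingInterceptor, when a policy has no username but does have a password, the password can end up in the log file. The snippet below passes both the username and the password as parameters to the NO_USER_PASSWORD message, logs the resulting text at warning level, and reuses the same text as the SecurityException message, so the credential may also surface wherever that exception is recorded. The error message should be built without the password.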
public void handleMessage(Message message) throws Fault { AuthorizationPolicy policy = message.get(AuthorizationPolicy.class); if (policy == null || policy.getUserName() == null || policy.getPassword() == null) { String name = null; String password = null; if (policy != null) { name = policy.getUserName(); password = policy.getPassword(); } org.apache.cxf.common.i18n.Message errorMsg = new org.apache.cxf.common.i18n.Message("NO_USER_PASSWORD", BUNDLE, name, password); LOG.warning(errorMsg.toString()); throw new SecurityException(errorMsg.toString()); }