CXF / CXF-8563

Authorization header logged may contain sensitive data


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 3.2.14
    • Fix Version/s: None
    • Component/s: Services
    • Labels: None
    • Estimated Complexity: Unknown

    Description

      Logging the category org.apache.cxf.services at INFO level may leak users' passwords (similar to CXF-7070 - HTTP headers logged in debug). When users are authenticating to a SOAP web service, the full request is logged, including the 'Authorization' header.

      Example: Authorization=[Basic Y29kZW5vdGZvdW5kOnA0NTV3MHJk]

      Address: http://localhost:9090/codenotfound/ws/ticketagent
      Encoding: UTF-8
      Http-Method: POST
      Content-Type: text/xml; charset=UTF-8
      Headers: {Accept=[*/*], Authorization=[Basic Y29kZW5vdGZvdW5kOnA0NTV3MHJk], cache-control=[no-cache], connection=[keep-alive], Content-Length=[181], content-type=[text/xml; charset=UTF-8], host=[localhost:9090], pragma=[no-cache], SOAPAction=[""], user-agent=[Apache-CXF/3.2.14]}
      Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:listFlightsRequest xmlns:ns2="http://example.org/TicketAgent.xsd"/></soap:Body></soap:Envelope>
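
The value quoted above is a textbook case of why this matters: HTTP Basic is base64 encoding, not encryption, so anyone who can read the log can recover the username and password. The following Python is an added example, not part of this issue or of Apache CXF. It decodes the Basic token from the record above to show the recovered credential pair, and then shows a sink-side scrubber that redacts the Authorization header (plus a few other headers assumed to be sensitive; the SENSITIVE_HEADERS list is an assumption to adapt) from CXF-style "Headers: {...}" lines before they are written or shipped to a log aggregator. SAMPLE_LOG is constructed from the record in this issue.

```python
import base64
import re

# Constructed sample: the log record quoted in this issue (CXF 3.2.14, category
# org.apache.cxf.services at INFO), trimmed to the lines that matter here.
SAMPLE_LOG = (
    "Address: http://localhost:9090/codenotfound/ws/ticketagent\n"
    "Http-Method: POST\n"
    "Headers: {Accept=[*/*], Authorization=[Basic Y29kZW5vdGZvdW5kOnA0NTV3MHJk], "
    "cache-control=[no-cache], host=[localhost:9090], user-agent=[Apache-CXF/3.2.14]}\n"
)

# Header names whose values must never reach a log sink. Assumed list: extend it
# for your deployment (proprietary API-key headers, session headers, ...).
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key")

# Matches a `Name=[value]` entry inside the CXF-style "Headers: {...}" map.
# Names are matched case-insensitively, as HTTP header names are.
_HEADER_ENTRY = re.compile(
    r"(?i)\b(%s)=\[[^\]]*\]" % "|".join(re.escape(h) for h in SENSITIVE_HEADERS)
)


def decode_basic(token):
    """Return (user, password) for a 'Basic <base64>' value, or None if the value
    is not Basic auth or not valid base64. Basic is encoding, not encryption:
    the logged header *is* the password."""
    scheme, _, b64 = token.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(b64, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return user, password


def redact_sensitive_headers(line):
    """Replace the value of every sensitive header entry in one log line,
    keeping the header name (with its original case) so the line stays readable."""
    return _HEADER_ENTRY.sub(lambda m: "%s=[***REDACTED***]" % m.group(1), line)


def scrub_log(text):
    """Sink-side scrubber: redact every line of a multi-line CXF log record."""
    return "\n".join(redact_sensitive_headers(line) for line in text.splitlines())


def find_leaked_credentials(text):
    """Detection side: pull every Basic credential pair out of an existing log so
    you know which accounts need their passwords rotated."""
    found = []
    for m in re.finditer(r"(?i)authorization=\[(Basic [A-Za-z0-9+/=]+)\]", text):
        creds = decode_basic(m.group(1))
        if creds:
            found.append(creds)
    return found


if __name__ == "__main__":
    print("leaked:", find_leaked_credentials(SAMPLE_LOG))
    print(scrub_log(SAMPLE_LOG))
```

Treat any log that `find_leaked_credentials` flags as a secret: rotate the affected accounts, then scrub or purge the stored copies. The scrubber is a mitigation for logs that already exist and for deployments stuck on this version; the durable fix is to keep the header out of the record at the source, that is, not log request headers at INFO in production, or log through an interceptor that masks Authorization before the record is built.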
      

          People

            Assignee: Unassigned
            Reporter: Marcin Noworzyn