CXF-8691: Logging Feature - Sensitive element with arrays

Details

    • Bug
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 3.4.0, 3.5.1
    • 3.5.9, 4.0.5, 3.6.4
    • JAX-RS
    • Unknown

    Description

      Hi,

      I am trying to use the LoggingFeature within cxf-rt and hide sensitive element names.

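      The code I use looks like the following:

      import java.util.Arrays;
      import java.util.HashSet;
      import org.apache.cxf.ext.logging.LoggingFeature;

      LoggingFeature loggingFeature = new LoggingFeature();
      loggingFeature.setLogBinary(false);
      loggingFeature.setPrettyLogging(true);
      loggingFeature.setLogMultipart(false);
      // Ask the feature to mask the value of every element named "password"
      loggingFeature.addSensitiveElementNames(new HashSet<>(Arrays.asList("password")));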

      Payload:

      private final String shortName;

      private final char[] password;

      Output:

      [services.MyWebservicePort.REQ_OUT] INFO  - REQ_OUT
          Address: http://<some-url>
          HttpMethod: POST
          Content-Type: application/json
          ExchangeId: 560b73ae-e7e0-4687-9674-19ee72995a08
          Headers: {Accept=text/plain, Accept-Encoding=gzip;q=1.0, identity; q=0.5, *;q=0, Content-Type=application/json}
          Payload: {"shortName":"UserName","password":["G","e","h","e","i","m","1","2","3","!"]} 

      As you can see, my password is not hidden in the output of the payload. It is important to mention that the field "password" in my code is declared as a char array.

      However, if I add "shortName" to the sensitiveElementNames, everything works as expected. The shortName is hidden (XXX), due to it being declared as a String.

      I looked at the source code and tracked the problem down to a regex. "password" is not found, as the value is an array (MaskSensitiveHelper.java).
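
The mismatch described in the report, reproduced as an added example (not CXF's code and not the reporter's). `stringOnly` is an assumed pattern that accepts only a quoted string value, `stringOrArray` is a hypothetical extension that also accepts a flat array of strings, and all class and method names are made up for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MaskArrayValueDemo {
    // One JSON string literal, escape sequences included.
    private static final String STR = "\"(?:[^\"\\\\]|\\\\.)*\"";
    // A flat JSON array of string literals, e.g. a serialized char[].
    private static final String ARR =
        "\\[\\s*(?:" + STR + "\\s*(?:,\\s*" + STR + "\\s*)*)?\\]";

    // Assumed string-only matcher: "name" : "value" (hypothetical, not CXF's pattern).
    static Pattern stringOnly(String name) {
        return Pattern.compile(key(name) + STR);
    }

    // Hypothetical extension: the value may be a string or an array of strings.
    static Pattern stringOrArray(String name) {
        return Pattern.compile(key(name) + "(?:" + STR + "|" + ARR + ")");
    }

    private static String key(String name) {
        return "\"" + Pattern.quote(name) + "\"\\s*:\\s*";
    }

    // Replace the whole "name": value pair so no part of the value survives.
    static String mask(Pattern p, String name, String payload) {
        String masked = "\"" + name + "\":\"XXX\"";
        return p.matcher(payload).replaceAll(Matcher.quoteReplacement(masked));
    }

    public static void main(String[] args) {
        // Payload as it appears in the logged output of the report.
        String payload = "{\"shortName\":\"UserName\",\"password\":"
            + "[\"G\",\"e\",\"h\",\"e\",\"i\",\"m\",\"1\",\"2\",\"3\",\"!\"]}";

        // String value: the string-only pattern masks it.
        System.out.println(mask(stringOnly("shortName"), "shortName", payload));
        // Array value: the string-only pattern finds nothing, so the payload is unchanged.
        String leaked = mask(stringOnly("password"), "password", payload);
        System.out.println(leaked.equals(payload) ? "NOT MASKED: " + leaked : leaked);
        // Array-aware pattern: the whole array is replaced.
        System.out.println(mask(stringOrArray("password"), "password", payload));
    }
}
```

Arrays of numbers and nested structures are not covered by `stringOrArray`; masking on the parsed JSON tree instead of the raw text would cover any value type.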

       


          People

            reta Andriy Redko
            fwshngtn Daniel