Daniel created CXF-8691:
---------------------------
Summary: Logging Feature - Sensitive element with arrays
Key: CXF-8691
URL: https://issues.apache.org/jira/browse/CXF-8691
Project: CXF
Issue Type: Bug
Components: JAX-RS
Environment: Tested with 3.4.0 as well as 3.5.1
Reporter: Daniel
Hi,
I am trying to use the LoggingFeature within cxf-rt and hide sensitive element
names.
The code I use looks like the following:
{code:java}
LoggingFeature loggingFeature = new LoggingFeature();
loggingFeature.setLogBinary(false);
loggingFeature.setPrettyLogging(true);
loggingFeature.setLogMultipart(false);
loggingFeature.addSensitiveElementNames(new HashSet<>(Arrays.asList("password")));
{code}
Payload:
{code:java}
private final String shortName;
private final char[] password;
{code}
Output:
{code:java}
[services.ObaWebservicePort.REQ_OUT] INFO - REQ_OUT
Address: http://<some-url>
HttpMethod: POST
Content-Type: application/json
ExchangeId: 560b73ae-e7e0-4687-9674-19ee72995a08
Headers: {Accept=text/plain, Accept-Encoding=gzip;q=1.0, identity; q=0.5,
*;q=0, Content-Type=application/json}
Payload:
{"shortName":"UserName","password":["G","e","h","e","i","m","1","2","3","!"]}
{code}
As you can see, my password is not hidden in the output of the payload. It is
important to mention that the field "password" in my code is declared as a
char-array.
However, if I add "shortName" to the sensitiveElementNames, everything works as
expected. The shortName is hidden (XXX), due to it being declared as a String.
I looked at the source code and tracked the problem down to a regex. "password"
is not found, as the value is an array (MaskSensitiveHelper.java).
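The behaviour described in the report, reproduced with plain `java.util.regex` as an added example (not CXF's code and not part of the original message). `stringOnly` is an assumed simplification of a mask pattern that only accepts quoted string values, `stringOrArray` is a hypothetical variant that also covers flat JSON arrays, and the second payload is constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MaskArrayValueDemo {
    // A JSON string literal, allowing escaped characters such as \".
    private static final String JSON_STRING = "\"(?:[^\"\\\\]|\\\\.)*\"";
    // A flat JSON array: quoted elements are consumed whole, so a "]"
    // element (a ']' in the password) does not end the match early.
    private static final String JSON_FLAT_ARRAY =
            "\\[(?:[^\"\\]]|" + JSON_STRING + ")*\\]";

    // Assumed simplification of a string-only mask: "name" : "value".
    static Pattern stringOnly(String name) {
        return Pattern.compile(key(name) + JSON_STRING);
    }

    // Hypothetical variant: the value may be a string or a flat array.
    static Pattern stringOrArray(String name) {
        return Pattern.compile(
                key(name) + "(?:" + JSON_STRING + "|" + JSON_FLAT_ARRAY + ")");
    }

    private static String key(String name) {
        return "\"" + Pattern.quote(name) + "\"\\s*:\\s*";
    }

    static String mask(Pattern p, String name, String payload) {
        String replacement = "\"" + name + "\":\"XXX\"";
        return p.matcher(payload).replaceAll(Matcher.quoteReplacement(replacement));
    }

    public static void main(String[] args) {
        // Payload from the report.
        String reported = "{\"shortName\":\"UserName\",\"password\":"
                + "[\"G\",\"e\",\"h\",\"e\",\"i\",\"m\",\"1\",\"2\",\"3\",\"!\"]}";
        // Constructed payload: the char[] contains ']' and an escaped quote.
        String tricky = "{\"password\":[\"a\",\"]\",\"\\\"\",\"b\"],\"shortName\":\"u\"}";

        System.out.println(mask(stringOnly("shortName"), "shortName", reported));
        System.out.println(mask(stringOnly("password"), "password", reported));
        System.out.println(mask(stringOrArray("password"), "password", reported));
        System.out.println(mask(stringOrArray("password"), "password", tricky));
    }
}
```

Nested arrays or objects as the sensitive value are not covered by these patterns; masking those reliably means walking the parsed JSON rather than matching text.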