[
https://issues.apache.org/jira/browse/CXF-7070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15564981#comment-15564981
]
Sergey Beryozkin commented on CXF-7070:
---------------------------------------
Sure, some headers can be considered sensitive - however completely filtering
them out will lose the log record of what the the actual Authorization/etc
values were. For example, if it is OAuth2 Bearer token which is either
encrypted or is a simple DB pointer then dropping it completely from the log
record is not ideal, similarly to the case where the logs are pushed to the
secure file system/etc.
If losing the log records of such values is what is actually needed then it has
to be done optionally IMHO (ex, if a given message or bus property is set).
> HTTP headers logged in debug
> ----------------------------
>
> Key: CXF-7070
> URL: https://issues.apache.org/jira/browse/CXF-7070
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Reporter: Fadi Mohsen
>
> We try to avoid logging of authorization header value in out/in requests, we
> filtered out these in interceptors, but turns out these are logged anyway in
> [CXF debug mode|
> https://github.com/apache/cxf/blob/120d20f47022a76970ff0fb9c9d7413cfe019eb2/rt/transports/http/src/main/java/org/apache/cxf/transport/http/Headers.java#L436]:
> {code}
> if (LOG.isLoggable(Level.FINE)) {
> LOG.log(Level.FINE, "Request Headers: " + headers.toString());
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
