[ https://issues.apache.org/jira/browse/CXF-7070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15571669#comment-15571669 ]

Sergey Beryozkin commented on CXF-7070:
---------------------------------------

What I meant was that some Authorization values will not expose anything at all 
to the potential attackers; not all Authorization values are username and 
password semi-clear combinations. Also, if the client is running and pushing the 
logs to a secure system (and perhaps some CXF users already do it right now), 
then blocking it will be unexpected. However, I guess we can indeed block them 
by default as per Andy's patch, but the property needs to be introduced to let 
users keep the current behaviour in place.

> HTTP headers logged in debug
> ----------------------------
>
>                 Key: CXF-7070
>                 URL: https://issues.apache.org/jira/browse/CXF-7070
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>            Reporter: Fadi Mohsen
>
> We try to avoid logging the authorization header value in out/in requests; we 
> filtered these out in interceptors, but it turns out they are logged anyway in 
> [CXF debug mode|https://github.com/apache/cxf/blob/120d20f47022a76970ff0fb9c9d7413cfe019eb2/rt/transports/http/src/main/java/org/apache/cxf/transport/http/Headers.java#L436]:
> {code}
>         if (LOG.isLoggable(Level.FINE)) {
>             LOG.log(Level.FINE, "Request Headers: " + headers.toString());
>         }
> {code}
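A defensive shape for that logging step, written here as an added illustration (it is neither CXF's code nor Andy's patch): credential-bearing headers are masked before the map is rendered into the FINE log line, and a hypothetical system property, `cxf.logging.allow_sensitive_headers` (an assumed name, not a real CXF property), restores the old behaviour for deployments that ship logs to a protected store. The scheme token (e.g. `Basic`, `Bearer`) is kept because it reveals no secret and helps operators debug negotiation.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

public class HeaderLogSanitizer {
    private static final Logger LOG = Logger.getLogger(HeaderLogSanitizer.class.getName());

    // Hypothetical opt-out switch; a real implementation would use a CXF property.
    static final String ALLOW_SENSITIVE = "cxf.logging.allow_sensitive_headers";

    // HTTP header names are case-insensitive, so compare in lower case.
    private static final Set<String> SENSITIVE =
        Set.of("authorization", "proxy-authorization", "cookie", "set-cookie");

    /** Keep the scheme token, replace everything after it. "Bearer eyJ..." -> "Bearer ***". */
    static String maskValue(String value) {
        int space = value.indexOf(' ');
        return space > 0 ? value.substring(0, space) + " ***" : "***";
    }

    /** Returns a copy of the header map with sensitive values masked unless allowSensitive is set. */
    static Map<String, List<String>> sanitize(Map<String, List<String>> headers, boolean allowSensitive) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            boolean mask = !allowSensitive && SENSITIVE.contains(e.getKey().toLowerCase(Locale.ROOT));
            List<String> vals = new ArrayList<>();
            for (String v : e.getValue()) {
                vals.add(mask ? maskValue(v) : v);
            }
            out.put(e.getKey(), vals);
        }
        return out;
    }

    /** Same guard as the original code, but the map is sanitized before it is stringified. */
    static void logRequestHeaders(Map<String, List<String>> headers) {
        if (LOG.isLoggable(Level.FINE)) {
            boolean allow = Boolean.getBoolean(ALLOW_SENSITIVE); // false unless explicitly enabled
            LOG.log(Level.FINE, "Request Headers: " + sanitize(headers, allow));
        }
    }
}
```

With constructed input `{Authorization=[Basic dXNlcjpwYXNz], Accept=[text/xml]}` the default output is `{Authorization=[Basic ***], Accept=[text/xml]}`; starting the JVM with `-Dcxf.logging.allow_sensitive_headers=true` logs the raw value as before.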



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)