Dmytro Sylaiev created CXF-9070:
-----------------------------------

             Summary: CXF LoggingFeature still logging sensitive content 
                 Key: CXF-9070
                 URL: https://issues.apache.org/jira/browse/CXF-9070
             Project: CXF
          Issue Type: Bug
            Reporter: Dmytro Sylaiev


I was trying to enable the LoggingFeature for my CXF client to hide some info
in log.debug.

Here's my code to create a WebClient and invoke the request:
{noformat}
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.cxf.ext.logging.LoggingFeature;
import org.apache.cxf.ext.logging.slf4j.Slf4jEventSender;
import org.apache.cxf.jaxrs.client.WebClient;

LoggingFeature loggingFeature = new LoggingFeature();

// Route the feature's log events through SLF4J
final Slf4jEventSender sender = new Slf4jEventSender();
loggingFeature.setSender(sender);

// Names whose values should be masked in payloads and protocol headers
Set<String> secrets = new HashSet<>();
secrets.add("access_token");
secrets.add("client_secret");
loggingFeature.setSensitiveElementNames(secrets);
loggingFeature.setSensitiveProtocolHeaderNames(secrets);

// No providers, one feature (logging), no external config location
this.webClient = WebClient.create(url, Collections.emptyList(),
    Collections.singletonList(loggingFeature), null);

...
webClient.invoke(...){noformat}
My HTTP client flow is: I request GET localhost/oauth/form/token (a form
query using the client id and client secret), parse the response metadata to
get the OAuth2 token, set this token in the Authorization header of the main
request, and then send GET localhost/oauth/resource.

Although the logging feature is now active and present on the classpath, and I
can see it handling the logs, there is still sensitive information in the logs:
{noformat}
[DEBUG] 16:46:08 org.apache.cxf.transport.http.HTTPConduit- Conduit 
"{http://localhost:8080/oauth/client_credentials/form/token}WebClient.http-conduit";
 Transmit cached message to: 
http://localhost:8080/oauth/client_credentials/form/token: 
grant_type=client_credentials&client_id=1234567890&client_secret=SECRET1234567890SECRET
...
[INFO ] 16:46:09 org.apache.cxf.services.WebClient.RESP_IN- {
  "access_token": "a-valide-token",
  "token_type": "Bearer",
  "expires_in": 5000
}{noformat}
Maybe I am misusing the LoggingFeature configuration, but I did some debugging
and I am not sure it can be used to hide sensitive information in the URL
request (to hide the HTTPConduit log) and in the response payload.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
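The two leaks in the report have different shapes: a form-encoded body (`client_secret=...`) in the HTTPConduit DEBUG line and a JSON string member (`"access_token": "..."`) in the RESP_IN payload. The following is an added example, not code from the reporter or from the CXF project: a small, dependency-free masker for both shapes, driven by the same name set the report passes to `setSensitiveElementNames`. The class name, the `MASK` literal and the sample lines (modelled on the report's log output) are all constructed for this example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Masks the values of named sensitive fields in two shapes that show up in
 * client logs: application/x-www-form-urlencoded pairs (query string or body)
 * and JSON string members. Pure JDK, no CXF dependency (example code).
 */
public final class SensitiveValueMasker {
    static final String MASK = "*****";

    private final Pattern formPattern;
    private final Pattern jsonPattern;

    public SensitiveValueMasker(Set<String> sensitiveNames) {
        if (sensitiveNames == null || sensitiveNames.isEmpty()) {
            throw new IllegalArgumentException("at least one sensitive name is required");
        }
        StringBuilder alternation = new StringBuilder();
        for (String name : sensitiveNames) {
            if (alternation.length() > 0) {
                alternation.append('|');
            }
            alternation.append(Pattern.quote(name)); // names are literals, not regexes
        }
        String names = alternation.toString();
        // group 1: start of text, '&' or '?'; group 2: the key; value runs to the next '&' or whitespace
        formPattern = Pattern.compile("(^|[&?])(" + names + ")=[^&\\s]*");
        // group 1: "key" and the colon; the value is a JSON string literal, backslash escapes allowed
        jsonPattern = Pattern.compile(
            "(\"(?:" + names + ")\"\\s*:\\s*)\"(?:[^\"\\\\]|\\\\.)*\"");
    }

    /** Returns the text with every sensitive value replaced by MASK; all other text is untouched. */
    public String mask(String text) {
        if (text == null || text.isEmpty()) {
            return text;
        }
        String masked = formPattern.matcher(text).replaceAll("$1$2=" + MASK);
        return jsonPattern.matcher(masked).replaceAll("$1\"" + MASK + "\"");
    }

    public static void main(String[] args) {
        SensitiveValueMasker masker = new SensitiveValueMasker(
            new HashSet<>(Arrays.asList("access_token", "client_secret")));

        // Constructed samples modelled on the two log lines in the report
        String conduitLine = "Transmit cached message to: "
            + "http://localhost:8080/oauth/client_credentials/form/token: "
            + "grant_type=client_credentials&client_id=1234567890&client_secret=SECRET1234567890SECRET";
        String responseLine = "{\n  \"access_token\": \"a-valide-token\",\n"
            + "  \"token_type\": \"Bearer\",\n  \"expires_in\": 5000\n}";

        // client_id stays visible (not in the set); client_secret and access_token are masked
        System.out.println(masker.mask(conduitLine));
        System.out.println(masker.mask(responseLine));
    }
}
```

Where this would sit in a CXF client is an assumption on my part: the feature's own events can be passed through a custom `LogEventSender` whose `send(LogEvent)` calls `event.setPayload(masker.mask(event.getPayload()))` before delegating to `Slf4jEventSender`, which covers the RESP_IN payload. It does not cover the first leak: that line is written by the `org.apache.cxf.transport.http.HTTPConduit` logger at DEBUG, not by the feature's sender, so masking in the sender never sees it. The practical control there is to keep that logger above DEBUG outside of development, or to apply an equivalent rewrite in the logging framework's own filter layer.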