[ https://issues.apache.org/jira/browse/CXF-9070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17891774#comment-17891774 ]

Dmytro Sylaiev edited comment on CXF-9070 at 10/22/24 8:31 AM:
---------------------------------------------------------------

Hello [~reta], I see what you mean, thank you, I'll double-check whether the token 
endpoint returns a Content-Type header.


But it also doesn't mask the sensitive content in the URL parameters in the 
HTTPConduit log record:
{quote}[DEBUG] 16:46:08 org.apache.cxf.transport.http.HTTPConduit- Conduit 
"WebClient.http-conduit" Transmit cached message to: 
[http://localhost:8080/oauth/client_credentials/form/token:] 
grant_type=client_credentials&client_id=1234567890&client_secret={*}SECRET1234567890SECRET{*}
{quote}
Is it possible to configure the logging feature to mask it? The documentation is 
not very explicit about it.


was (Author: dsylaiev):
Hello [~reta], I see what you mean, thank you, I'll double-check whether the token 
endpoint returns a Content-Type header.


But it also doesn't mask the sensitive content in the URL parameters in the 
HTTPConduit log record:
{quote}[DEBUG] 16:46:08 org.apache.cxf.transport.http.HTTPConduit- Conduit 
"{[http://localhost:8080/oauth/client_credentials/form/token]}WebClient.http-conduit";
 Transmit cached message to: 
[http://localhost:8080/oauth/client_credentials/form/token:] 
grant_type=client_credentials&client_id=1234567890&client_secret={*}SECRET1234567890SECRET{*}
{quote}
Is it possible to configure the logging feature to mask it? The documentation is 
not very explicit about it.

> CXF LoggingFeature still logging sensitive content 
> ---------------------------------------------------
>
>                 Key: CXF-9070
>                 URL: https://issues.apache.org/jira/browse/CXF-9070
>             Project: CXF
>          Issue Type: Bug
>            Reporter: Dmytro Sylaiev
>            Priority: Major
>
> I was trying to enable the LoggingFeature for my cxf client to hide some info 
> in log.debug:
> Here's my code to create a WebClient and invoke the request:
> {noformat}
> import java.util.Collections;
> import java.util.HashSet;
> import java.util.Set;
> import org.apache.cxf.ext.logging.LoggingFeature;
> import org.apache.cxf.ext.logging.slf4j.Slf4jEventSender;
> import org.apache.cxf.jaxrs.client.WebClient;
> 
> LoggingFeature loggingFeature = new LoggingFeature();
> final Slf4jEventSender sender = new Slf4jEventSender();
> loggingFeature.setSender(sender);
> // names whose values should be masked in logged payloads and protocol headers
> Set<String> secrets = new HashSet<>();
> secrets.add("access_token");
> secrets.add("client_secret");
> loggingFeature.setSensitiveElementNames(secrets);
> loggingFeature.setSensitiveProtocolHeaderNames(secrets);
> // WebClient.create(baseAddress, providers, features, configLocation)
> this.webClient = WebClient.create(url, Collections.emptyList(), 
>         Collections.singletonList(loggingFeature), null);
> ...
> webClient.invoke(...){noformat}
> My HTTP client flow is: I request GET localhost/oauth/form/token (a form 
> query using the client id and client secret), parse the response metadata to 
> get the OAuth2 token, then set this token in the Authorization header of 
> the main request and send GET localhost/oauth/resource.
> Despite the logging feature now being active and present in the classpath, and 
> I can see it's handling logs, there's still sensitive information in the logs:
> {noformat}
> [DEBUG] 16:46:08 org.apache.cxf.transport.http.HTTPConduit- Conduit 
> "{http://localhost:8080/oauth/client_credentials/form/token}WebClient.http-conduit";
>  Transmit cached message to: 
> http://localhost:8080/oauth/client_credentials/form/token: 
> grant_type=client_credentials&client_id=1234567890&client_secret=SECRET1234567890SECRET
> ...
> [INFO ] 16:46:09 org.apache.cxf.services.WebClient.RESP_IN- {
>   "access_token": "a-valide-token",
>   "token_type": "Bearer",
>   "expires_in": 5000
> }{noformat}
> Maybe I am misusing the LoggingFeature configuration, but I did some debugging and 
> I'm not sure it can be used to hide sensitive information in the URL request (to hide 
> the HTTPConduit log) and in the response payload.
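The two leaks shown above come from different places: the `client_secret` line is written by the transport logger (`org.apache.cxf.transport.http.HTTPConduit` at DEBUG) rather than by the LoggingFeature, and the `access_token` appears in the JSON response body. Where the log pipeline itself must be the last line of defence, a log-text redactor can mask named parameters in both shapes. The following is an added example, plain Java that is not part of CXF or of the reporter's code; the class name `SensitiveParamRedactor`, the mask string, and the two sample log lines (modelled on the lines quoted in the issue, with constructed values) are all assumptions of this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Masks the values of named sensitive parameters in a line of log text.
 * Two shapes are handled (hypothetical helper, not a CXF API):
 *   1. form/query encoding:  client_secret=SECRET123   ->  client_secret=*****
 *   2. JSON string members:  "access_token": "abc"     ->  "access_token": "*****"
 * Requires Java 11+ (Set.of, URLDecoder.decode(String, Charset)).
 */
public final class SensitiveParamRedactor {
    private static final String MASK = "*****";

    // name=value pairs as they appear in query strings and form bodies
    private static final Pattern FORM_PAIR =
        Pattern.compile("([A-Za-z0-9_.%\\-]+)=([^&\\s\"]*)");
    // "name": "value" JSON members whose value is a (possibly escaped) string
    private static final Pattern JSON_STRING_MEMBER =
        Pattern.compile("\"([^\"]+)\"\\s*:\\s*\"((?:[^\"\\\\]|\\\\.)*)\"");

    private final Set<String> sensitiveNames = new TreeSet<>(); // stored lower-cased

    public SensitiveParamRedactor(Set<String> names) {
        for (String n : names) {
            sensitiveNames.add(n.toLowerCase(Locale.ROOT));
        }
    }

    /** Case-insensitive match; form keys are percent-decoded before comparison. */
    private boolean isSensitive(String rawName) {
        String name;
        try {
            name = URLDecoder.decode(rawName, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            name = rawName; // malformed percent-encoding: compare the raw key
        }
        return sensitiveNames.contains(name.toLowerCase(Locale.ROOT));
    }

    /** Redacts both shapes; safe to call on any log line, unmatched text is unchanged. */
    public String redact(String text) {
        return redactJson(redactForm(text));
    }

    private String redactForm(String text) {
        Matcher m = FORM_PAIR.matcher(text);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String replacement = isSensitive(m.group(1))
                ? m.group(1) + "=" + MASK
                : m.group();
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    private String redactJson(String text) {
        Matcher m = JSON_STRING_MEMBER.matcher(text);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String replacement = isSensitive(m.group(1))
                ? "\"" + m.group(1) + "\": \"" + MASK + "\""
                : m.group();
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        SensitiveParamRedactor r =
            new SensitiveParamRedactor(Set.of("client_secret", "access_token"));

        // Constructed sample lines shaped like the ones in the issue (values are made up)
        String conduitLine = "[DEBUG] 16:46:08 org.apache.cxf.transport.http.HTTPConduit- Conduit "
            + "\"WebClient.http-conduit\" Transmit cached message to: "
            + "http://localhost:8080/oauth/client_credentials/form/token: "
            + "grant_type=client_credentials&client_id=1234567890&client_secret=SECRET1234567890SECRET";
        String responseLine = "[INFO ] 16:46:09 org.apache.cxf.services.WebClient.RESP_IN- "
            + "{ \"access_token\": \"a-valide-token\", \"token_type\": \"Bearer\", \"expires_in\": 5000 }";

        // client_id and token_type stay visible; client_secret and access_token become *****
        System.out.println(r.redact(conduitLine));
        System.out.println(r.redact(responseLine));
    }
}
```

The redactor is deliberately independent of CXF so it can sit wherever the application shapes log output, and it masks only the value, leaving the parameter name in place so that the log still shows which credential was sent. Note that it is a mitigation for the log stream only: the simplest way to avoid the transport line altogether is not to run `org.apache.cxf.transport.http.HTTPConduit` at DEBUG where logs are retained, since that line is emitted regardless of the LoggingFeature's sensitive-name settings.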



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
