[ 
https://issues.apache.org/jira/browse/CXF-9070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17892769#comment-17892769
 ] 

Dmytro Sylaiev commented on CXF-9070:
-------------------------------------

Hello [~reta] 

Thanks for your suggestion, I'll try it. At the same time, can we consider 
HTTPConduit printing POST method parameters to the debug log as part of the URL? 

Is it possible for LoggingFeature to intercept the log messages from 
HTTPConduit as well?

> CXF LoggingFeature still logging sensitive content 
> ---------------------------------------------------
>
>                 Key: CXF-9070
>                 URL: https://issues.apache.org/jira/browse/CXF-9070
>             Project: CXF
>          Issue Type: Bug
>            Reporter: Dmytro Sylaiev
>            Priority: Major
>
> I was trying to enable the LoggingFeature for my cxf client to hide some info 
> in log.debug:
> Here's my code to create a WebClient and invoke the request:
> {noformat}
> LoggingFeature loggingFeature = new LoggingFeature();
> final Slf4jEventSender sender = new Slf4jEventSender();
> loggingFeature.setSender(sender);
> Set<String> secrets = new HashSet<>();
> secrets.add("access_token");
> secrets.add("client_secret");
> loggingFeature.setSensitiveElementNames(secrets);
> loggingFeature.setSensitiveProtocolHeaderNames(secrets);
> this.webClient = WebClient.create(url, Collections.emptyList(), Collections.singletonList(loggingFeature), null);
> ...
> webClient.invoke(...)
> {noformat}
> My HTTP client flow is: I am requesting GET localhost/oauth/form/token (form 
> query using the client id and client secret), parsing the response metadata to 
> get the oauth2 token, then setting this token in the Authorization header of 
> the main request and sending GET localhost/oauth/resource.
> Despite the logging feature now being active and present in the classpath (I can 
> see it handling logs), there is still sensitive information in the logs:
> {noformat}
> [DEBUG] 16:46:08 org.apache.cxf.transport.http.HTTPConduit- Conduit 
> "{http://localhost:8080/oauth/client_credentials/form/token}WebClient.http-conduit";
>  Transmit cached message to: 
> http://localhost:8080/oauth/client_credentials/form/token: 
> grant_type=client_credentials&client_id=1234567890&client_secret=SECRET1234567890SECRET
> ...
> [INFO ] 16:46:09 org.apache.cxf.services.WebClient.RESP_IN- {
>   "access_token": "a-valide-token",
>   "token_type": "Bearer",
>   "expires_in": 5000
> }
> {noformat}
> Maybe I am misusing the LoggingFeature configuration, but I did some debugging and 
> I'm not sure it can be used to hide sensitive information in the request URL (to hide 
> the HTTPConduit log) and in the response payload.

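One defensive option for the part of this traffic that LoggingFeature does see (the address with its query string, and request/response payloads such as the RESP_IN JSON quoted above), given here as an added example and not as code from the CXF project or from this issue: wrap the configured `LogEventSender` so every `LogEvent` is scrubbed before it is written. It assumes CXF's `org.apache.cxf.ext.logging` module on the classpath; `LogEvent`, `LogEventSender`, `Slf4jEventSender` and `LoggingFeature` are CXF classes, while `SecretRedactor` and `RedactingEventSender` are names chosen for this example. The regex-based masking is a general substitute written here, not a description of how CXF's own element/header masking works.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

import org.apache.cxf.ext.logging.LoggingFeature;
import org.apache.cxf.ext.logging.event.LogEvent;
import org.apache.cxf.ext.logging.event.LogEventSender;
import org.apache.cxf.ext.logging.slf4j.Slf4jEventSender;

/**
 * Example class (not part of CXF): masks secret values in the two shapes seen in the
 * logs quoted in the issue, form-encoded pairs (query string or POST body) and JSON
 * string fields. Name matching is exact, so "client_secret" is masked but a
 * differently named "my_client_secret" is left alone.
 */
public final class SecretRedactor {
    private static final String MASK = "XXX";
    private final Pattern formPattern;
    private final Pattern jsonPattern;

    public SecretRedactor(Set<String> names) {
        if (names == null || names.isEmpty()) {
            // An empty alternation would otherwise match every "=" and mask everything.
            throw new IllegalArgumentException("at least one sensitive name is required");
        }
        String alternation = names.stream().map(Pattern::quote).collect(Collectors.joining("|"));
        // name=value: name not preceded by a word character or '.', value runs to '&', whitespace or end
        formPattern = Pattern.compile("(?<![\\w.])(" + alternation + ")=([^&\\s]*)");
        // "name": "value" with a JSON string value; tolerates escaped quotes inside the value
        jsonPattern = Pattern.compile("(\"(?:" + alternation + ")\"\\s*:\\s*\")(?:[^\"\\\\]|\\\\.)*(\")");
    }

    /** Masks values of sensitive form-encoded parameters, e.g. in a URL or an x-www-form-urlencoded body. */
    public String redactForm(String text) {
        return text == null ? null : formPattern.matcher(text).replaceAll("$1=" + MASK);
    }

    /** Masks JSON string fields whose name is in the sensitive set. */
    public String redactJson(String text) {
        return text == null ? null : jsonPattern.matcher(text).replaceAll("$1" + MASK + "$2");
    }

    /** Applies both passes, for payloads whose content type is not known up front. */
    public String redact(String text) {
        return redactJson(redactForm(text));
    }

    public static void main(String[] args) {
        Set<String> secrets = new LinkedHashSet<>();
        secrets.add("access_token");
        secrets.add("client_secret");
        SecretRedactor redactor = new SecretRedactor(secrets);

        // Constructed samples modelled on the log lines quoted in the issue (values are not real).
        String body = "grant_type=client_credentials&client_id=1234567890&client_secret=SECRET1234567890SECRET";
        String json = "{\n  \"access_token\": \"a-valide-token\",\n  \"token_type\": \"Bearer\",\n  \"expires_in\": 5000\n}";
        System.out.println(redactor.redactForm(body)); // client_secret value replaced, other pairs unchanged
        System.out.println(redactor.redactJson(json)); // access_token value replaced, other fields unchanged

        // Wiring into CXF: same LoggingFeature setup as in the issue, but events pass through the wrapper.
        LoggingFeature loggingFeature = new LoggingFeature();
        loggingFeature.setSensitiveElementNames(secrets);
        loggingFeature.setSensitiveProtocolHeaderNames(secrets);
        loggingFeature.setSender(new RedactingEventSender(new Slf4jEventSender(), redactor));
    }
}

/** Example adapter (not part of CXF): scrubs each LogEvent, then hands it to the real sender. */
final class RedactingEventSender implements LogEventSender {
    private final LogEventSender delegate;
    private final SecretRedactor redactor;

    RedactingEventSender(LogEventSender delegate, SecretRedactor redactor) {
        this.delegate = delegate;
        this.redactor = redactor;
    }

    @Override
    public void send(LogEvent event) {
        // The address carries the query string; the payload carries the body (form or JSON).
        event.setAddress(redactor.redactForm(event.getAddress()));
        event.setPayload(redactor.redact(event.getPayload()));
        delegate.send(event);
    }
}
```

The separate `Transmit cached message to:` line quoted above is written under the logger name `org.apache.cxf.transport.http.HTTPConduit`, as the prefix of that log line shows, not through the feature's sender, so this wrapper does not reach it. Until the question raised in the comment is settled, the control for that line is the logging configuration: keep that logger at INFO or above in any environment where its DEBUG output could be collected.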
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
