As discovered when writing org.hawkular.cmdgw.ws.test.CommandGatewayITest.testExecuteOperation() test, the messages sent by a feed are delivered unredacted to the UI - i.e. containing

authentication:{"username":"jdoe","password":"password"}

This is a clear security issue that could allow the UI to impersonate the feed.