When the log level is set to TRACE, JBoss EAP will output the user password as clear text when the password is specified as an annotation on an MDB.
For example, if an MDB is annotated with the following properties:
@ActivationConfigProperty(propertyName = "user", propertyValue = "mdbone"),
@ActivationConfigProperty(propertyName = "password", propertyValue = "mdbone"),
The log will contain the following entry with the password.
2011-08-08 12:25:37,238 TRACE [org.hornetq.ra.HornetQResourceAdapter] (main) endpointActivation(org.jboss.ejb3.mdb.inflow.JBossMessageEndpointFactory@34f2d11a
{ resourceAdapter=jms-remote-ra.rar, messagingType=interface javax.jms.MessageListener, ejbName=mdbOne, activationConfig=[ActivationConfigProperty(ConnectionParameters=host=mars;port=5545,host=mars;port=5645), ActivationConfigProperty(minSession=3), ActivationConfigProperty(subscriptionDurability=Durable), ActivationConfigProperty(clientID=mdbone), ActivationConfigProperty(useDLQ=false), ActivationConfigProperty(password=mdbone), ActivationConfigProperty(hA=true), ActivationConfigProperty(destination=/topic/topicOne), ActivationConfigProperty(destinationType=javax.jms.Topic), ActivationConfigProperty(reconnectInterval=20000), ActivationConfigProperty(maxSession=7), ActivationConfigProperty(jndiParams=java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory;java.naming.provider.url=jnp://mars:1199,mars:1299;java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces), ActivationConfigProperty(reconnectAttempts=2500), ActivationConfigProperty(user=mdbone), ActivationConfigProperty(ConnectorClassName=org.hornetq.core.remoting.impl.netty.NettyConnectorFactory), ActivationConfigProperty(subscriptionName=mdbOne)], activationSpec=org.hornetq.ra.inflow.HornetQActivationSpec(ra=org.hornetq.ra.HornetQResourceAdapter@4964394e destination=/topic/topicOne destinationType=javax.jms.Topic ack=Auto-acknowledge durable=true clientID=mdbone subscription=mdbOne user=mdbone password=**** maxSession=7)}
, org.hornetq.ra.inflow.HornetQActivationSpec(ra=org.hornetq.ra.HornetQResourceAdapter@4964394e destination=/topic/topicOne destinationType=javax.jms.Topic ack=Auto-acknowledge durable=true clientID=mdbone subscription=mdbOne user=mdbone password=**** maxSession=7))
I suspect that this is done in the toString method of the JBossMessageEndpointFactory class. This method will output all activation config properties with their values, including the password.
public String toString()
{
   StringBuffer buffer = new StringBuffer(100);
   buffer.append(super.toString());
   buffer.append("{ resourceAdapter=").append(resourceAdapterObjectName);
   buffer.append(", messagingType=").append(messagingTypeClass.getName());
   buffer.append(", ejbName=").append(container.getBeanMetaData().getContainerObjectNameJndiName());
   buffer.append(", activationConfig=").append(properties.values());
   buffer.append(", activationSpec=").append(activationSpec);
   buffer.append("}");
   return buffer.toString();
}
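
One way to keep the password out of the activationConfig part of the entry, shown as an added example that is not JBoss or HornetQ code: mask the values of sensitive property names before they are appended, matching the password=**** that the activationSpec part of the log entry above already prints. The Prop class, the SENSITIVE set and the render method are hypothetical names chosen for illustration.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class RedactedActivationConfig {
    // Hypothetical stand-in for the container's activation config metadata class.
    static final class Prop {
        final String name;
        final String value;
        Prop(String name, String value) { this.name = name; this.value = value; }
    }

    // Assumed deny-list of secret-bearing property names (compared case-insensitively).
    private static final Set<String> SENSITIVE =
        new HashSet<>(Arrays.asList("password", "passwd", "secret"));

    static boolean isSensitive(String name) {
        return name != null && SENSITIVE.contains(name.toLowerCase(Locale.ROOT));
    }

    // Renders the properties in the same shape as the TRACE entry, masking secret values.
    static String render(Collection<Prop> props) {
        StringBuilder sb = new StringBuilder("[");
        String sep = "";
        for (Prop p : props) {
            String shown = isSensitive(p.name) ? "****" : p.value;
            sb.append(sep).append("ActivationConfigProperty(")
              .append(p.name).append('=').append(shown).append(')');
            sep = ", ";
        }
        return sb.append(']').toString();
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the annotation values in the report.
        List<Prop> props = Arrays.asList(
            new Prop("user", "mdbone"),
            new Prop("password", "mdbone"),
            new Prop("destination", "/topic/topicOne"));
        String out = render(props);
        System.out.println(out);
        if (out.contains("password=mdbone")) {
            throw new AssertionError("password value reached the log string");
        }
    }
}
```

In a toString like the one above, the result of such a render call would be appended in place of properties.values().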