Project: JBoss Enterprise Application Platform 4 and 5
Issue: JBPAPP-6977

JBoss EAP exposes user password as clear text if log level is set to trace.


    • Type: Bug
    • Resolution: Obsolete
    • Priority: Major
    • TBD EAP 5
    • EAP_EWP 5.1.1
    • Environment: JBoss EAP 5.1.1 with HornetQ

    • Status: NEW

      When the log level is set to TRACE, JBoss EAP will output the user password as clear text when the password is specified as an annotation on an MDB.

      For example, if an MDB is annotated with the following properties:
      @ActivationConfigProperty(propertyName = "user", propertyValue = "mdbone"),
      @ActivationConfigProperty(propertyName = "password", propertyValue = "mdbone"),

      The log will contain the following entry, including the password:
      2011-08-08 12:25:37,238 TRACE [org.hornetq.ra.HornetQResourceAdapter] (main) endpointActivation(org.jboss.ejb3.mdb.inflow.JBossMessageEndpointFactory@34f2d11a{ resourceAdapter=jms-remote-ra.rar, messagingType=interface javax.jms.MessageListener, ejbName=mdbOne, activationConfig=[ActivationConfigProperty(ConnectionParameters=host=mars;port=5545,host=mars;port=5645), ActivationConfigProperty(minSession=3), ActivationConfigProperty(subscriptionDurability=Durable), ActivationConfigProperty(clientID=mdbone), ActivationConfigProperty(useDLQ=false), ActivationConfigProperty(password=mdbone), ActivationConfigProperty(hA=true), ActivationConfigProperty(destination=/topic/topicOne), ActivationConfigProperty(destinationType=javax.jms.Topic), ActivationConfigProperty(reconnectInterval=20000), ActivationConfigProperty(maxSession=7), ActivationConfigProperty(jndiParams=java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory;java.naming.provider.url=jnp://mars:1199,mars:1299;java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces), ActivationConfigProperty(reconnectAttempts=2500), ActivationConfigProperty(user=mdbone), ActivationConfigProperty(ConnectorClassName=org.hornetq.core.remoting.impl.netty.NettyConnectorFactory), ActivationConfigProperty(subscriptionName=mdbOne)], activationSpec=org.hornetq.ra.inflow.HornetQActivationSpec(ra=org.hornetq.ra.HornetQResourceAdapter@4964394e destination=/topic/topicOne destinationType=javax.jms.Topic ack=Auto-acknowledge durable=true clientID=mdbone subscription=mdbOne user=mdbone password=**** maxSession=7)}, org.hornetq.ra.inflow.HornetQActivationSpec(ra=org.hornetq.ra.HornetQResourceAdapter@4964394e destination=/topic/topicOne destinationType=javax.jms.Topic ack=Auto-acknowledge durable=true clientID=mdbone subscription=mdbOne user=mdbone password=**** maxSession=7))

      I suspect that this is done in the toString method of the JBossMessageEndpointFactory class. This method outputs all activation config properties with their values, including the password.

      public String toString()
      {
         StringBuffer buffer = new StringBuffer(100);
         buffer.append(super.toString());
         buffer.append("{ resourceAdapter=").append(resourceAdapterObjectName);
         buffer.append(", messagingType=").append(messagingTypeClass.getName());
         buffer.append(", ejbName=").append(container.getBeanMetaData().getContainerObjectNameJndiName());
         buffer.append(", activationConfig=").append(properties.values());
         buffer.append(", activationSpec=").append(activationSpec);
         buffer.append("}");
         return buffer.toString();
      }
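      Note the contrast visible in the log entry above: the HornetQActivationSpec portion already prints password=****, while the activationConfig list produced by properties.values() prints the raw value. The added illustration below is not JBoss EAP or HornetQ code; it uses a stand-in map for the activation config (property names, the SENSITIVE_KEYS list and the class name are assumptions) to show the leaky rendering beside a redacting one, and adds a small scanner that flags trace-log lines where a password value was written unmasked, so existing logs can be checked.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * Added illustration, not JBoss EAP / HornetQ code. A stand-in for the
 * activation-config values that the endpoint factory's toString() dumps,
 * rendered once verbatim (the leak) and once with credential-like
 * properties masked, plus a scanner for log lines that carry a raw password.
 */
public class ActivationConfigRedaction {

    /* Property-name fragments treated as secrets (assumption; extend for your deployment). */
    private static final List<String> SENSITIVE_KEYS =
            Arrays.asList("password", "passwd", "secret", "credential");

    /* "password=" followed by anything other than the "****" mask seen in the HornetQ spec output. */
    private static final Pattern EXPOSED_PASSWORD =
            Pattern.compile("(?i)password=(?!\\*{4}(?:[\\s,)]|$))[^\\s,)]+");

    static boolean isSensitive(String propertyName) {
        String lower = propertyName.toLowerCase(Locale.ROOT);
        for (String key : SENSITIVE_KEYS) {
            if (lower.contains(key)) {
                return true;
            }
        }
        return false;
    }

    /* Renders the properties in the shape the report shows: ActivationConfigProperty(name=value), ... */
    static String render(Map<String, String> properties, boolean redact) {
        StringBuilder sb = new StringBuilder("activationConfig=[");
        boolean first = true;
        for (Map.Entry<String, String> e : properties.entrySet()) {
            if (!first) {
                sb.append(", ");
            }
            first = false;
            String value = (redact && isSensitive(e.getKey())) ? "****" : e.getValue();
            sb.append("ActivationConfigProperty(")
              .append(e.getKey()).append('=').append(value).append(')');
        }
        return sb.append(']').toString();
    }

    /* Detection: returns the log lines that contain an unmasked password value. */
    static List<String> findExposedPasswords(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = EXPOSED_PASSWORD.matcher(line);
            if (m.find()) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the report's MDB annotations ("mdbone" is the reporter's test value).
        Map<String, String> properties = new LinkedHashMap<>();
        properties.put("user", "mdbone");
        properties.put("password", "mdbone");
        properties.put("destination", "/topic/topicOne");

        String prefix = "TRACE [org.hornetq.ra.HornetQResourceAdapter] (main) ";
        String leaky = prefix + render(properties, false);
        String safe = prefix + render(properties, true);
        System.out.println(leaky);
        System.out.println(safe);

        // Only the unredacted line should be flagged, and the redacted line must not carry the secret.
        List<String> flagged = findExposedPasswords(Arrays.asList(leaky, safe));
        if (flagged.size() != 1 || !flagged.get(0).equals(leaky)) {
            throw new AssertionError("scanner should flag exactly the unredacted line");
        }
        if (safe.contains("password=mdbone")) {
            throw new AssertionError("secret leaked into the redacted line");
        }
    }
}
```

      The masking has to happen where the activation-config values are rendered, not in the spec object, because properties.values() is what reaches the appender. The scanner is a cheap way to learn whether a credential has already been written to an existing trace log; with this issue resolved as Obsolete, the practical controls on EAP 5.1.1 are to keep org.hornetq.ra off TRACE where real credentials are configured and to treat any log that contained such a line as holding the password.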

            rhn-support-toross Tom Ross