
Stomp passcode should not be included in plain text in log messages [SPR-10868] #15495


Description

@spring-projects-issues

Andy Wilkinson opened SPR-10868 and commented

Currently, if a Stomp CONNECT message is logged, the value of the passcode header is included in plain text:

[Payload=[B@64cc8785][Headers={timestamp=1377684178158, id=a980b638-cfd7-49e3-8995-9b9afe05cbfb, stompCommand=CONNECT, nativeHeaders={heart-beat=[0,0], passcode=[guest], login=[guest], accept-version=[1.1,1.0]}, sessionId=daxr3m_s, messageType=CONNECT, user=org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fac3d7c0: Principal: org.springframework.security.core.userdetails.User@bedc1860: Username: fabrice; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1crvqm5x1a4akn9p7a5p3lhtn; Granted Authorities: ROLE_USER}]

Rather than logging "passcode=[guest]" we should follow Spring Security's lead and log "passcode=[PROTECTED]" instead.


No further details from SPR-10868
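The redaction the report asks for, as an added example written for this discussion rather than Spring's own implementation: a minimal STOMP 1.1/1.2 frame parser that keeps the native headers as a Map of header name to list of values (the shape the logged message above shows), plus a log-only copy of that map in which the value of the passcode header is replaced. The class name, the PROTECTED_HEADERS set and the toLogString format are assumptions for the demo; the placeholder list holds the single string "PROTECTED" so that List.toString() renders it as [PROTECTED], matching the wording of the request. The CONNECT frame in main is constructed for the example, not a captured message, and the parser expects LF line endings.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Redacting STOMP credential headers before they reach a log line. Example code, not Spring's. */
public final class StompLogRedaction {

    /** Header names whose values must never be logged. Assumption for this demo: only passcode is secret. */
    private static final Set<String> PROTECTED_HEADERS = Set.of("passcode");

    /** Placeholder chosen so that List.toString() in the logged map prints as [PROTECTED]. */
    private static final List<String> MASK = Collections.singletonList("PROTECTED");

    /** A parsed frame: command, native headers in wire order (multi-valued), body. */
    public static final class Frame {
        public final String command;
        public final Map<String, List<String>> nativeHeaders;
        public final String body;

        Frame(String command, Map<String, List<String>> nativeHeaders, String body) {
            this.command = command;
            this.nativeHeaders = nativeHeaders;
            this.body = body;
        }
    }

    /**
     * Parse a STOMP frame: COMMAND line, "name:value" header lines, a blank line, the body,
     * and a terminating NUL. Header names and values use the 1.1/1.2 escapes \n, \r, \c, \\.
     */
    public static Frame parse(String raw) {
        String text = raw.endsWith("\0") ? raw.substring(0, raw.length() - 1) : raw;
        int split = text.indexOf("\n\n");
        if (split < 0) {
            throw new IllegalArgumentException("missing blank line after headers");
        }
        String[] lines = text.substring(0, split).split("\n");
        String body = text.substring(split + 2);
        Map<String, List<String>> headers = new LinkedHashMap<>();
        for (int i = 1; i < lines.length; i++) {
            int colon = lines[i].indexOf(':');   // the spec splits on the first colon only
            if (colon < 0) {
                throw new IllegalArgumentException("malformed header line: " + lines[i]);
            }
            String name = unescape(lines[i].substring(0, colon));
            String value = unescape(lines[i].substring(colon + 1));
            headers.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        return new Frame(lines[0].trim(), headers, body);
    }

    private static String unescape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            if (ch == '\\' && i + 1 < s.length()) {
                char next = s.charAt(++i);
                switch (next) {
                    case 'n': out.append('\n'); break;
                    case 'r': out.append('\r'); break;
                    case 'c': out.append(':'); break;
                    case '\\': out.append('\\'); break;
                    default: throw new IllegalArgumentException("undefined escape \\" + next);
                }
            } else {
                out.append(ch);
            }
        }
        return out.toString();
    }

    /** Copy of the headers that is safe to log: protected values replaced, everything else untouched. */
    public static Map<String, List<String>> redactedHeaders(Map<String, List<String>> headers) {
        Map<String, List<String>> result = new LinkedHashMap<>();
        headers.forEach((name, values) ->
                result.put(name, PROTECTED_HEADERS.contains(name) ? MASK : List.copyOf(values)));
        return result;
    }

    /** Log-safe description in the "stompCommand=..., nativeHeaders={...}" shape seen in the report. */
    public static String toLogString(Frame frame) {
        return "stompCommand=" + frame.command + ", nativeHeaders=" + redactedHeaders(frame.nativeHeaders);
    }

    public static void main(String[] args) {
        // Constructed CONNECT frame using the same guest credentials as the report.
        String wire = "CONNECT\naccept-version:1.1,1.0\nheart-beat:0,0\nlogin:guest\npasscode:guest\n\n\0";
        Frame frame = parse(wire);
        String logged = toLogString(frame);
        System.out.println(logged);
        // The real passcode stays available to the authentication path ...
        if (!"guest".equals(frame.nativeHeaders.get("passcode").get(0))) throw new IllegalStateException();
        // ... but the rendered log line never contains it.
        if (logged.contains("guest\"") || logged.contains("passcode=[guest]")) throw new IllegalStateException();
        if (!logged.contains("passcode=[PROTECTED]")) throw new IllegalStateException();
    }
}
```

Running main prints stompCommand=CONNECT, nativeHeaders={accept-version=[1.1,1.0], heart-beat=[0,0], login=[guest], passcode=[PROTECTED]}. The point of doing the masking in the object that renders the header map, rather than in one particular logger call, is that the leak in the report comes from a generic Message/MessageHeaders toString; any code path that logs or dumps the message would otherwise expose the credential again.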

Metadata

Labels

in: web (Issues in web modules (web, webmvc, webflux, websocket))
type: bug (A general bug)
