Labels: in: web (Issues in web modules: web, webmvc, webflux, websocket); type: bug (A general bug)
Description
Andy Wilkinson opened SPR-10868 and commented
Currently, if a Stomp CONNECT message is logged, the value of the passcode header is included in plain text:
[Payload=[B@64cc8785][Headers={timestamp=1377684178158, id=a980b638-cfd7-49e3-8995-9b9afe05cbfb, stompCommand=CONNECT, nativeHeaders={heart-beat=[0,0], passcode=[guest], login=[guest], accept-version=[1.1,1.0]}, sessionId=daxr3m_s, messageType=CONNECT, user=org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fac3d7c0: Principal: org.springframework.security.core.userdetails.User@bedc1860: Username: fabrice; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1crvqm5x1a4akn9p7a5p3lhtn; Granted Authorities: ROLE_USER}]
Rather than logging "passcode=[guest]" we should follow Spring Security's lead and log "passcode=[PROTECTED]" instead.
No further details from SPR-10868
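As an added example (not Spring's own code), here is a small Java helper that builds a log-safe copy of a STOMP frame's native headers, masking the `passcode` value the way Spring Security masks passwords while leaving the real headers untouched for authentication. It assumes Java 11+ and represents native headers as `Map<String, List<String>>`; the `authorization` entry in the sensitive set is an assumed extra case.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example, not Spring's own code: produce a log-safe copy of a STOMP
// frame's native headers so that a logged CONNECT frame shows
// passcode=[PROTECTED] instead of the clear-text credential.
public final class StompHeaderRedactor {

    // Header names whose values are credentials. "passcode" is the header from
    // the report; "authorization" is an assumed extra case, not from the report.
    private static final Set<String> SENSITIVE = Set.of("passcode", "authorization");

    private static final List<String> MASK = List.of("PROTECTED");

    private StompHeaderRedactor() {}

    /**
     * Returns a new map intended only for logging. The original headers are
     * not modified, because the authentication step still needs the real
     * passcode. Header names are compared case-insensitively.
     */
    public static Map<String, List<String>> redactForLog(Map<String, List<String>> nativeHeaders) {
        Map<String, List<String>> safe = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : nativeHeaders.entrySet()) {
            boolean sensitive = SENSITIVE.contains(e.getKey().toLowerCase(Locale.ROOT));
            safe.put(e.getKey(), sensitive ? MASK : List.copyOf(e.getValue()));
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed CONNECT headers mirroring the ones in the logged frame above.
        Map<String, List<String>> headers = new LinkedHashMap<>();
        headers.put("heart-beat", List.of("0,0"));
        headers.put("passcode", List.of("guest"));
        headers.put("login", List.of("guest"));
        headers.put("accept-version", List.of("1.1,1.0"));

        // Only the redacted copy is handed to the logger; the caller keeps the
        // original map, so the connect handshake still sees the real passcode.
        System.out.println("nativeHeaders=" + redactForLog(headers));
        System.out.println("original still intact: passcode=" + headers.get("passcode"));
    }
}
```

The redacted map is what should be passed to the message's `toString` or the log statement, so the output matches the `passcode=[PROTECTED]` form proposed in the issue.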