Camel outputs sensitive data in logs when log level is set to DEBUG

Solution Verified

Issue

  • The class org.apache.camel.util.IntrospectionSupport logs every property set on a component or an endpoint when the DEBUG log level is turned on, including potentially sensitive data.

For example, if you have a simple route like the one below,

  from("sftp://vgohel@IP_ADDRESS/testCamelDir?password=hello").to("log:myLog?showHeaders=true");

then after turning on DEBUG logging for org.apache.camel using log4j.properties, or by setting the logger category in pax-logging in Karaf, we are able to see the lines below in the DEBUG logs:

2018-02-22 12:21:53,586 [DEBUG] [main] org.apache.camel.util.IntrospectionSupport - Configured property: password on bean:  with value: hello

The password can be sensitive, so we need a mask or a filter when displaying this information.
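One way to implement such a mask, as an added example (not Red Hat's resolution and not Camel's own code): a redaction function for the IntrospectionSupport message format shown above, extended to also cover `password=` style parameters in endpoint URIs. The class name, the keyword list and the sample lines are assumptions constructed for illustration.

```java
import java.util.regex.Pattern;

/** Added example: masks sensitive values in Camel DEBUG log messages. */
public class CamelLogRedactor {
    // Assumed keyword list: any property name containing one of these is treated as sensitive.
    private static final String NAME = "\\w*(?:password|passphrase|secret)\\w*";
    private static final String MASK = "xxxxxx";

    // Message format logged by IntrospectionSupport, as shown on this page:
    // "Configured property: <name> on bean: <bean> with value: <value>"
    private static final Pattern PROPERTY = Pattern.compile(
        "(Configured property: " + NAME + " on bean: .*? with value: ).*",
        Pattern.CASE_INSENSITIVE);

    // Sensitive key=value pairs in an endpoint URI query string.
    private static final Pattern URI_PARAM = Pattern.compile(
        "([?&]" + NAME + "=)[^&\\s]*", Pattern.CASE_INSENSITIVE);

    /** Returns the message with sensitive values replaced by a fixed mask. */
    public static String redact(String message) {
        if (message == null) {
            return null;
        }
        String out = PROPERTY.matcher(message).replaceAll("$1" + MASK);
        return URI_PARAM.matcher(out).replaceAll("$1" + MASK);
    }

    public static void main(String[] args) {
        // Constructed sample lines modelled on the log output above.
        String[] samples = {
            "2018-02-22 12:21:53,586 [DEBUG] [main] org.apache.camel.util.IntrospectionSupport"
                + " - Configured property: password on bean:  with value: hello",
            "2018-02-22 12:21:53,587 [DEBUG] [main] org.apache.camel.util.IntrospectionSupport"
                + " - Configured property: showHeaders on bean:  with value: true",
            "2018-02-22 12:21:53,590 [DEBUG] [main] org.example.Sample"
                + " - Creating endpoint sftp://vgohel@IP_ADDRESS/testCamelDir?password=hello&delay=500"
        };
        for (String line : samples) {
            System.out.println(redact(line));
        }
    }
}
```

The first and third lines print with `xxxxxx` in place of `hello`; the `showHeaders` line is unchanged. To take effect, `redact()` has to be called on the message inside the logging pipeline (for example from a custom layout or appender wrapper) before the event is written.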

Environment

  • Red Hat JBoss Fuse
    • 6.3.x
  • Apache Camel
