Camel outputs sensitive data in logs when log level is set to DEBUG
Issue
- The class org.apache.camel.util.IntrospectionSupport.java logs every property set on a component or an endpoint when the debug log level is turned on, including potentially sensitive data.
For example, if you have a simple route like the one below,
from("sftp://vgohel@IP_ADDRESS/testCamelDir?password=hello").to("log:myLog?showHeaders=true");
then after turning on DEBUG logging for org.apache.camel, using log4j.properties or by setting the logger category in pax-logging in Karaf, we are able to see the lines below in the DEBUG logs:
2018-02-22 12:21:53,586 [DEBUG] [main] org.apache.camel.util.IntrospectionSupport - Configured property: password on bean: with value: hello
The password can be sensitive; hence, we need a mask or a filter when displaying this information.
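As an added example (not part of the original article and not Camel or Red Hat code), the following Python script scans log lines already written in the format shown above, masks the value of sensitive properties, and reports which properties were exposed. The list of sensitive property names and the second and third sample lines are assumptions constructed for illustration.

```python
import re

# Property names treated as sensitive. This list is an assumption; extend it
# for the components you use.
SENSITIVE = re.compile(r"password|passphrase|secret|token|credential", re.I)

# Message format from the article's log line:
#   ... IntrospectionSupport - Configured property: <name> on bean: <bean> with value: <value>
# The bean text can be empty, as it is in the article's sample.
LINE = re.compile(
    r"^(?P<head>.*IntrospectionSupport - Configured property: (?P<name>\S+)"
    r" on bean:.*?\swith value: )(?P<value>.*)$"
)

def redact_line(line):
    """Return (line with the value masked, property name), or (line, None)."""
    m = LINE.match(line.rstrip("\n"))
    if not m or not SENSITIVE.search(m.group("name")):
        return line, None
    eol = "\n" if line.endswith("\n") else ""
    return m.group("head") + "*****" + eol, m.group("name")

def scan(lines):
    """Mask every sensitive value; return (clean_lines, [(line_no, property)])."""
    clean, findings = [], []
    for no, line in enumerate(lines, 1):
        out, name = redact_line(line)
        clean.append(out)
        if name:
            findings.append((no, name))
    return clean, findings

# Constructed sample: line 1 is the article's log line, lines 2-3 are made up.
PREFIX = "[DEBUG] [main] org.apache.camel.util.IntrospectionSupport - Configured property: "
SAMPLE = [
    "2018-02-22 12:21:53,586 " + PREFIX + "password on bean: with value: hello\n",
    "2018-02-22 12:21:53,590 " + PREFIX + "delay on bean: with value: 500\n",
    "2018-02-22 12:21:53,594 " + PREFIX + "privateKeyPassphrase on bean: RemoteFileConfiguration[sftp] with value: s3cr3t\n",
]

if __name__ == "__main__":
    clean, findings = scan(SAMPLE)
    print("".join(clean), end="")
    for no, name in findings:
        print(f"line {no}: value of '{name}' was logged in clear text")
```

Any property reported in the findings should be treated as exposed to everyone with access to the log files, so the corresponding credential is a candidate for rotation.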
Environment
- Red Hat JBoss Fuse
  - 6.3.x
- Apache Camel