OpenJPA / OPENJPA-1678

SQL Parameter values may contain sensitive information and should not be logged by default.

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.3, 1.1.0, 1.2.2, 2.0.0, 2.1.0
    • Fix Version/s: 1.0.4, 1.2.3, 1.3.0, 2.0.1, 2.1.0
    • Component/s: None
    • Labels: None

    Description

      The values for parameters used in our SQL statements may contain sensitive information (e.g. social security numbers). By default these values are printed in the exception message and in SQL trace. Having the values printed can be a great help when debugging an application - but presents a risk when used in production.

      To resolve the issue I propose to disable printing the parameter values by default. The parameter values will still be tracked internally - but will not be displayed in exception messages or trace unless the following property is set:
      <property name="openjpa.ConnectionFactoryProperties" value="printParameters=true"/>

            People

              mikedd Michael Dick