Qpid JMS / QPIDJMS-588

failover URI with invalid/unused user-info in component URI not rejected, can be logged

Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.8.0, 2.2.0
    • Fix Version/s: 1.9.0, 2.3.0
    • Component/s: qpid-jms-client
    • Environment: We are currently using Apache Qpid 2.2.0

    Description

      The client's documented connection URI configuration does not use user-info details from the URI, and it actively refuses their presence in the base non-failover connection URI. For example, using "amqp://erroneous-user:erroneous-pass@localhost:5672" will result in an IllegalArgumentException when creating the connection factory.

      If, however, a failover URI is supplied in which a nested component server connection URI erroneously contains user-info detail, e.g. "failover:(amqp://erroneous-user:erroneous-pass@localhost:5672)", then the user-info remains invalid/unused as expected but does not currently result in the IllegalArgumentException as in the non-failover case. Later code within the client does not expect this invalid/unused user-info detail to be present, and so can then log it.

      The erroneous presence of the invalid/unused user-info within a component of a failover URI should also cause an IllegalArgumentException when creating the connection factory.

       

      ================

      Original Description:

      If I have a failover URL with `user:password` configured then the password is logged in plain text.

      BrokerURL: failover:(amqp://myactivemquser:my-secure-password@localhost:5672)

      Log extract:
      2023-05-15 13:04:42.484  INFO [localhost:5672]] org.apache.qpid.jms.JmsConnection        : Connection ID:83323730-746c-4430-988f-e9e5f699dc1c:1 connected to server: amqp://myactivemquser:my-secure-password@localhost:5672

       

      Expected behaviour:

      The password is masked in the log or an IllegalArgumentException is thrown similar to the non failover URL:

      amqp://myactivemquser:my-secure-password@localhost:5672 results in a 

      ...

      Caused by: java.lang.IllegalArgumentException: The supplied URI cannot contain a User-Info section
          at org.apache.qpid.jms.JmsConnectionFactory.setRemoteURI(JmsConnectionFactory.java:406)
          at org.amqphub.spring.boot.jms.autoconfigure.AMQP10JMSConnectionFactoryFactory.createConnectionFactory(AMQP10JMSConnectionFactoryFactory.java:66)
          ... 69 common frames omitted
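
      The check this issue asks for, sketched as an added example (this is not the Qpid JMS client's code): an application-side pre-flight that rejects user-info in any component of a failover URI without echoing the URI. The class and method names are hypothetical, and handling of a failover URI written without parentheses is an assumption.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

public class FailoverUriCheck {
    // Component URIs of "failover:(a,b)?opts"; a plain URI is its own only component.
    static List<String> components(String remote) {
        if (!remote.startsWith("failover:")) return List.of(remote);
        String rest = remote.substring("failover:".length());
        int open = rest.indexOf('('), close = rest.lastIndexOf(')');
        String list = (open >= 0 && close > open)
                ? rest.substring(open + 1, close)
                : rest.split("\\?", 2)[0];   // assumed form without parentheses
        List<String> out = new ArrayList<>();
        for (String part : list.split(",")) {
            if (!part.isBlank()) out.add(part.trim());
        }
        return out;
    }

    // Throws if any component carries user-info; messages never contain the URI.
    static void rejectUserInfo(String remote) {
        List<String> parts = components(remote);
        for (int i = 0; i < parts.size(); i++) {
            String authority;
            try {
                authority = new URI(parts.get(i)).getRawAuthority();
            } catch (URISyntaxException e) {
                // e.getMessage() includes the input string, so it is not propagated.
                throw new IllegalArgumentException("Component " + i + " is not a valid URI");
            }
            // Raw authority is checked: getUserInfo() is null for registry-based authorities.
            if (authority != null && authority.indexOf('@') >= 0) {
                throw new IllegalArgumentException("Component " + i + " contains a User-Info section");
            }
        }
    }

    public static void main(String[] args) {
        String[] samples = {   // constructed inputs in the forms shown in this issue
            "amqp://localhost:5672",
            "failover:(amqp://localhost:5672,amqp://erroneous-user:erroneous-pass@localhost:5672)" };
        for (String s : samples) {
            try { rejectUserInfo(s); System.out.println("accepted"); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

      Running the check on the configured broker URL before it is passed to the connection factory keeps credentials mistakenly placed in a component URI from reaching the client's connection logging.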

       

          People

            Assignee: Robbie Gemmell
            Reporter: Patrick Gell