Search code examples
javajdbcjtaxaatomikos

User names and passwords are logged in plain text during initialization of Atomikos

Our project relies on Atomikos to provide light-weight transaction management. However, we find that it logs the DB user name and password in plain text during initialization.

E.g.

2015-10-15 16:43:01,106 [http-bio-8080-exec-4] INFO  com.atomikos.jdbc.AtomikosDataSourceBean  - AtomikosDataSoureBean 'LAB_Oracle': initializing with [ xaDataSourceClassName=oracle.jdbc.xa.client.OracleXADataSource, uniqueResourceName=LAB_Oracle, maxPoolSize=8, minPoolSize=1, borrowConnectionTimeout=30, maxIdleTime=60, reapTimeout=0, maintenanceInterval=60, testQuery=null, xaProperties=[URL=jdbc:oracle:thin:@***:1537:oocait01,user=***,password=**] loginTimeout=0]

Is there any configuration that can suppress the logging of these confidential information?

Solution

  • As far as configuration, you can set your threshold to WARN for log category com.atomikos.jdbc.AtomikosDataSourceBean. There are some examples for popular logging frameworks here. That would filter out that entire message.

    If you only want to filter the confidential properties, you could create a subclass of AtomikosDataSourceBean and override the protected method printXaProperties(). Then you can filter out any confidential properties such as passwords. 

    package my.com.atomikos.jdbc;

import java.util.Enumeration;
import java.util.Properties;

public class AtomikosDataSourceBean extends com.atomikos.jdbc.AtomikosDataSourceBean {
    private static final long serialVersionUID = 1L;

    protected String printXaProperties()
    {
        Properties xaProperties = getXaProperties();
        StringBuffer ret = new StringBuffer();
        if ( xaProperties != null ) {
            Enumeration it = xaProperties.propertyNames();
            ret.append ( "[" );
            boolean first = true;
            while ( it.hasMoreElements() ) {
                String name = ( String ) it.nextElement();
                if ( name.equals ( "password" ) ) continue;
                if ( ! first ) ret.append ( "," );
                String value = xaProperties.getProperty( name );
                ret.append ( name ); ret.append ( "=" ); ret.append ( value );
                first = false;
            }
            ret.append ( "]" );
        }
        return ret.toString();
    }
}

    Since Atomikos will automatically detect the logging framework, which could vary depending how you test, package and deploy your application, using a subclass is probably more foolproof.

    I submitted a pull request that could make it into version 4. We'll see.