Protect STOMP passcode from showing up in logs

Issue: SRP-10868
2013-08-28 23:51:08 -04:00 · 2013-08-28 23:51:08 -04:00 · 80812d30d4
parent 1472e9795f
commit 80812d30d4
4 changed files with 58 additions and 5 deletions
--- a/spring-messaging/src/main/java/org/springframework/messaging/simp/stomp/StompHeaderAccessor.java
+++ b/spring-messaging/src/main/java/org/springframework/messaging/simp/stomp/StompHeaderAccessor.java
@ -44,6 +44,8 @@ import org.springframework.util.StringUtils;
 */
 public class StompHeaderAccessor extends SimpMessageHeaderAccessor {

+	private static final AtomicLong messageIdCounter = new AtomicLong();
+
 	// STOMP header names

 	public static final String STOMP_ID_HEADER = "id";
@ -83,10 +85,9 @@ public class StompHeaderAccessor extends SimpMessageHeaderAccessor {

 	// Other header names

-	public static final String COMMAND_HEADER = "stompCommand";
+	private static final String COMMAND_HEADER = "stompCommand";

-
-	private static final AtomicLong messageIdCounter = new AtomicLong();
+	private static final String CREDENTIALS_HEADER = "stompCredentials";


 	/**
@ -128,6 +129,12 @@ public class StompHeaderAccessor extends SimpMessageHeaderAccessor {
 				super.setSubscriptionId(values.get(0));
 			}
 		}
+		else if (StompCommand.CONNECT.equals(command)) {
+			if (!StringUtils.isEmpty(getPasscode())) {
+				setHeader(CREDENTIALS_HEADER, new StompPasscode(getPasscode()));
+				setPasscode("PROTECTED");
+			}
+		}
 	}

 	/**
@ -197,6 +204,18 @@ public class StompHeaderAccessor extends SimpMessageHeaderAccessor {
 		return result;
 	}

+	public Map<String, List<String>> toStompHeaderMap() {
+		if (StompCommand.CONNECT.equals(getCommand())) {
+			StompPasscode credentials = (StompPasscode) getHeader(CREDENTIALS_HEADER);
+			if (credentials != null) {
+				Map<String, List<String>> headers = toNativeHeaderMap();
+				headers.put(STOMP_PASSCODE_HEADER, Arrays.asList(credentials.passcode));
+				return headers;
+			}
+		}
+		return toNativeHeaderMap();
+	}
+
 	public void setCommandIfNotSet(StompCommand command) {
 		if (getCommand() == null) {
 			setHeader(COMMAND_HEADER, command);
@ -338,4 +357,18 @@ public class StompHeaderAccessor extends SimpMessageHeaderAccessor {
 		setNativeHeader(STOMP_VERSION_HEADER, version);
 	}

+
+	private static class StompPasscode {
+
+		private final String passcode;
+
+		public StompPasscode(String passcode) {
+			this.passcode = passcode;
+		}
+
+		@Override
+		public String toString() {
+			return "[PROTECTED]";
+		}
+	}
 }
--- a/spring-messaging/src/main/java/org/springframework/messaging/simp/stomp/StompMessageConverter.java
+++ b/spring-messaging/src/main/java/org/springframework/messaging/simp/stomp/StompMessageConverter.java
@ -141,7 +141,7 @@ public class StompMessageConverter {
 		try {
 			out.write(stompHeaders.getCommand().toString().getBytes("UTF-8"));
 			out.write(LF);
-			for (Entry<String, List<String>> entry : stompHeaders.toNativeHeaderMap().entrySet()) {
+			for (Entry<String, List<String>> entry : stompHeaders.toStompHeaderMap().entrySet()) {
 				String key = entry.getKey();
 				key = replaceAllOutbound(key);
 				for (String value : entry.getValue()) {
--- a/spring-messaging/src/test/java/org/springframework/messaging/simp/stomp/StompHeaderAccessorTests.java
+++ b/spring-messaging/src/test/java/org/springframework/messaging/simp/stomp/StompHeaderAccessorTests.java
@ -90,6 +90,26 @@ public class StompHeaderAccessorTests {
 		assertEquals("s1", headers.getSubscriptionId());
 	}

+	@Test
+	public void createWithConnectNativeHeaders() {
+
+		MultiValueMap<String, String> extHeaders = new LinkedMultiValueMap<>();
+		extHeaders.add(StompHeaderAccessor.STOMP_LOGIN_HEADER, "joe");
+		extHeaders.add(StompHeaderAccessor.STOMP_PASSCODE_HEADER, "joe123");
+
+		StompHeaderAccessor headers = StompHeaderAccessor.create(StompCommand.CONNECT, extHeaders);
+
+		assertEquals(StompCommand.CONNECT, headers.getCommand());
+		assertEquals(SimpMessageType.CONNECT, headers.getMessageType());
+		assertNotNull(headers.getHeader("stompCredentials"));
+		assertEquals("joe", headers.getLogin());
+		assertEquals("PROTECTED", headers.getPasscode());
+
+		Map<String, List<String>> output = headers.toStompHeaderMap();
+		assertEquals("joe", output.get(StompHeaderAccessor.STOMP_LOGIN_HEADER).get(0));
+		assertEquals("joe123", output.get(StompHeaderAccessor.STOMP_PASSCODE_HEADER).get(0));
+	}
+
 	@Test
 	public void toNativeHeadersSubscribe() {

--- a/spring-websocket/src/main/java/org/springframework/web/socket/TextMessage.java
+++ b/spring-websocket/src/main/java/org/springframework/web/socket/TextMessage.java
@ -49,7 +49,7 @@ public final class TextMessage extends WebSocketMessage<String> {

 	@Override
 	protected String toStringPayload() {
-		return (getPayloadSize() > 80) ? getPayload().substring(0, 80) + "..." : getPayload();
+		return (getPayloadSize() > 10) ? getPayload().substring(0, 10) + ".." : getPayload();
 	}

 }