H2DB connection is printing the user name and password in the logs when Debug mode is enabled


Balamurali Krishna Ippili

Jul 18, 2024, 2:23:56 AM
to H2 Database
Hi H2DB Team,

We are using H2DB 2.2.224, and when we connect to H2DB using JDBC the connection is established. However, when DEBUG logs are enabled, the user name and password are also printed along with the connection information in the logs. How can we avoid printing the credentials in the logs?

Following is the logger statement that I am able to see in the tomcat logs of my application after the connection to H2DB is established:

DEBUG jdbc.JdbcConnectionSource: opened connection to jdbc:h2:C:\apache-tomcat-9.0.68\webapps\ca-nim-sm_pt39\WEB-INF\data\nim-sm-customizations;AUTO_SERVER=TRUE;USER=DBUserName;PASSWORD=DBPassWord got #127749465

Can anyone suggest how to avoid printing the credentials that we used to connect to H2DB in the above logger statement?

Thanks in advance.

Thanks,
Balamurali


Evgenij Ryazanov

Jul 18, 2024, 3:30:01 AM
to H2 Database
Hi!

Passwords shouldn't be specified in the JDBC URL; usually there are separate methods or parameters for user name and password.

H2's own org.h2.jdbcx.JdbcDataSource can log JDBC URLs and user names, but it doesn't log passwords specified with the setPassword() method.

JdbcConnectionSource is not a part of H2, so you should read its documentation; most likely it also has a secure way to specify a password.
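
The approach from the reply above, as an added example that is not part of the original thread or H2's own code: credentials go through `setUser()`/`setPassword()` on `org.h2.jdbcx.JdbcDataSource` instead of the URL, and any URL is masked before it reaches a log statement. The class name, the `APP_DB_PASSWORD` variable, the in-memory URL and the helper names are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.util.regex.Pattern;
import org.h2.jdbcx.JdbcDataSource; // requires the H2 jar on the classpath

public class H2CredentialHandling {
    // Matches ;USER=... and ;PASSWORD=... settings embedded in an H2 JDBC URL.
    // Assumption: setting values do not themselves contain an unescaped ';'.
    private static final Pattern URL_CREDENTIALS =
            Pattern.compile("(?i);(USER|PASSWORD)=[^;]*");

    /** Returns the URL with embedded USER/PASSWORD values masked, for logging. */
    static String redactForLog(String jdbcUrl) {
        return URL_CREDENTIALS.matcher(jdbcUrl).replaceAll(";$1=***");
    }

    /** Builds a data source and rejects URLs that carry credentials. */
    static JdbcDataSource newDataSource(String url, String user, String password) {
        if (URL_CREDENTIALS.matcher(url).find()) {
            throw new IllegalArgumentException(
                    "credentials must not be embedded in the JDBC URL: " + redactForLog(url));
        }
        JdbcDataSource ds = new JdbcDataSource();
        ds.setURL(url);           // URL carries only non-secret settings
        ds.setUser(user);
        ds.setPassword(password); // passed separately, never part of the URL string
        return ds;
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample with the same shape as the URL in the log line above.
        String leaky = "jdbc:h2:./data/app;AUTO_SERVER=TRUE;USER=DBUserName;PASSWORD=DBPassWord";
        System.out.println("would have logged: " + redactForLog(leaky));

        // Hypothetical variable name; the empty fallback is only acceptable
        // because this demo uses a throwaway in-memory database.
        String password = System.getenv().getOrDefault("APP_DB_PASSWORD", "");
        JdbcDataSource ds = newDataSource("jdbc:h2:mem:demo", "sa", password);
        try (Connection c = ds.getConnection()) {
            System.out.println("opened connection to " + redactForLog(ds.getURL()));
        }
    }
}
```

Whether a third-party wrapper such as the JdbcConnectionSource in the log line accepts the user name and password separately depends on that library, as the reply notes.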

Balamurali Krishna Ippili

Jul 18, 2024, 4:38:33 AM
to h2-da...@googlegroups.com
Hi Evgenij,

Thank you for your quick response.

Sure, I will review the JDBC documentation for this and also H2DB's own JdbcDataSource.

Regards,
Balamurali
