Mask secrets in CommandInvokedEvent and Command logger

appserver/admingui/common/src/main/java/org/glassfish/admingui/common/util/RestUtil.java

@@ -41,7 +41,6 @@
 import java.io.IOException;
 import java.net.URLEncoder;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
@@ -71,6 +70,7 @@
 import org.xml.sax.SAXException;
 
 import static com.sun.logging.LogCleanerUtil.neutralizeForLog;
+import static org.glassfish.common.util.Constants.PASSWORD_ATTRIBUTE_NAMES;
 
 /**
  *
@@ -286,7 +286,7 @@ public static Map maskOffPassword(Map<String, Object> attrs) {
 
         for (Map.Entry<String, Object> e : attrs.entrySet()) {
             String key = e.getKey().toLowerCase(GuiUtil.guiLocale);
-            if (pswdAttrList.contains(key)) {
+            if (PASSWORD_ATTRIBUTE_NAMES.contains(key)) {
                 masked.put(e.getKey(), "*******");
             } else {
                 masked.put(e.getKey(), e.getValue());
@@ -967,17 +967,4 @@ public boolean verify(String host, SSLSession sslSession) {
         }
     }
 
-    /*
-     * This is a list of attribute name of password for different command. We need to mask its value during logging.
-     */
-    private static final List<String> pswdAttrList = Arrays.asList(
-            "sshpassword", /* create-node-ssh , setup-ssh , update-node, update-node-ssh */
-            "dbpassword", /* jms-availability-service */
-            "jmsdbpassword", /* configure-jms-cluster */
-            "password", /* change-admin-password */
-            "newpassword", /* change-admin-password */
-            "jmsdbpassword", /* configure-jms-cluster */
-            "mappedpassword", /* create-connector-security-map, update-connector-security-map */
-            "userpassword", /* create-file-user , update-file-user */
-            "aliaspassword" /* create-password-alias , update-password-alias */);
 }

nucleus/common/common-util/src/main/java/org/glassfish/common/util/Constants.java

@@ -16,6 +16,8 @@
 
 package org.glassfish.common.util;
 
+import java.util.Set;
+
 /**
  * These are constants that can be used throughout the server
  *
@@ -37,4 +39,17 @@ public class Constants {
      */
     public final static int IMPORTANT_RUN_LEVEL_SERVICE = 50;
 
+    /*
+     * This is a list of attribute names that hold passwords for various admin commands. We need to mask their value during logging.
+     */
+    public final static Set<String> PASSWORD_ATTRIBUTE_NAMES = Set.of(
+            "sshpassword", /* create-node-ssh , setup-ssh , update-node, update-node-ssh */
+            "dbpassword", /* jms-availability-service */
+            "password", /* change-admin-password */
+            "newpassword", /* change-admin-password */
+            "jmsdbpassword", /* configure-jms-cluster */
+            "mappedpassword", /* create-connector-security-map, update-connector-security-map */
+            "userpassword", /* create-file-user , update-file-user */
+            "aliaspassword" /* create-password-alias , update-password-alias */
+    );
 }

nucleus/core/kernel/src/main/java/com/sun/enterprise/v3/admin/CommandRunnerImpl.java

@@ -129,6 +129,7 @@
 
 import static com.sun.enterprise.util.Utility.isEmpty;
 import static java.util.logging.Level.SEVERE;
+import static org.glassfish.common.util.Constants.PASSWORD_ATTRIBUTE_NAMES;
 
 /**
  * Encapsulates the logic needed to execute a server-side command (for example,
@@ -1642,12 +1643,25 @@ public void executeFromCheckpoint(JobManager.Checkpoint checkpoint, boolean reve
     private void publishCommandInvokedEvent(ExecutionContext invocation, Subject subject) {
         final CommandInvokedEvent event = new CommandInvokedEvent(
                 invocation.name(),
-                invocation.parameters(),
+                maskSecretParameters(invocation.parameters()),
                 subject);
         eventService.getCommandInvokedTopic()
                 .publish(event);
     }
 
+    private ParameterMap maskSecretParameters(ParameterMap parameters) {
+        if (parameters == null) {
+            return parameters;
+        }
+        final ParameterMap maskedParameters = new ParameterMap(parameters);
+        maskedParameters.entrySet().forEach(entry -> {
+            if (PASSWORD_ATTRIBUTE_NAMES.contains(entry.getKey())) {
+                entry.setValue(List.of("*******"));
+            }
+        });
+        return maskedParameters;
+    }
+
     /*
      * Some private classes used in the implementation of CommandRunner.
      */