You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2005/01/21 03:03:02 UTC

DO NOT REPLY [Bug 33187] New: - JAASRealm logs passwords in the clear

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=33187>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=33187

           Summary: JAASRealm logs passwords in the clear
           Product: Tomcat 5
           Version: 5.0.28
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Catalina:Modules
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: asfbugzilla@jgro.net


JAASRealm logs passwords in the clear:

2005-01-20 17:26:51 JAASRealm[Catalina]: Returning username bob
2005-01-20 17:26:51 JAASRealm[Catalina]: Returning password asdf

This is a huge security hole.  It should require unusual and explicit 
configuration to get JAASRealm to emit plaintext passwords if it is even 
allowed at all.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org