You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2010/11/19 13:58:13 UTC
[jira] Updated: (WSS-253) UsernameTokenProcessor logs the password
to the log
[ https://issues.apache.org/jira/browse/WSS-253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated WSS-253:
------------------------------------
Fix Version/s: 1.6
1.5.10
I'll just replace logging the password, with logging the password type.
Colm.
> UsernameTokenProcessor logs the password to the log
> ---------------------------------------------------
>
> Key: WSS-253
> URL: https://issues.apache.org/jira/browse/WSS-253
> Project: WSS4J
> Issue Type: Improvement
> Affects Versions: 1.5.9
> Environment: Any OS
> Reporter: Alexandru Luchian
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.10, 1.6
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> The UsernameTokenProcessor class logs the username and password to the log file.
> org.apache.ws.security.processor.UsernameTokenProcessor file from TRUNK:
> public WSUsernameTokenPrincipal handleUsernameToken(Element token, CallbackHandler cb)
> 88 throws WSSecurityException {
> 89 if (cb == null) {
> 90 throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
> 91 }
> 92 //
> 93 // Parse the UsernameToken element
> 94 //
> 95 ut = new UsernameToken(token, allowNamespaceQualifiedPasswordTypes);
> 96 ut.setPasswordsAreEncoded(passwordsAreEncoded);
> 97 String user = ut.getName();
> 98 String password = ut.getPassword();
> 99 String nonce = ut.getNonce();
> 100 String createdTime = ut.getCreated();
> 101 String pwType = ut.getPasswordType();
> 102 if (log.isDebugEnabled()) {
> 103 log.debug("UsernameToken user " + user);
> 104 log.debug("UsernameToken password " + password);
> 105 }
> I think from a security stand point it is wrong to log the password.
> In production environments for instance I want to log the username, but can't do that without logging the password as well.
> I say either remove the password from logging or add a
> log.info("UsernameToken user " + user); -> At INFO level
> Thanks.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org