Posted to users@tomcat.apache.org by jithu mada <ji...@gmail.com> on 2009/04/22 23:52:21 UTC

Re: Avoiding username/password being logged into localhost access logs

Thanks for the prompt Reply.

Tomcat is running on AIX 5.3 and the files are not publicly accessible.
It's only accessible to a few users.

But the user wants the username and password to be obscured.

On Wed, Apr 22, 2009 at 5:43 PM, Caldarale, Charles R <
Chuck.Caldarale@unisys.com> wrote:

> > From: Tom-cat [mailto:jithu.mada@gmail.com]
> > Subject: Avoiding username/password being logged into localhost access
> > logs
> >
> > We are using Tomcat 5.0.27.
>
> No longer supported.
>
> > It has become a security issue as anyone with an
> > account to the system can browse through the logs
> > and find out the username and password of the users.
>
> Why are your log files publicly accessible?  You didn't tell us the
> platform you're running on, but pretty much everything has ways to make
> files/directories accessible only to select users.
>
> Is your Tomcat configuration accessible as well?
>
>  - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you received
> this in error, please contact the sender and delete the e-mail and its
> attachments from all computers.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Avoiding username/password being logged into localhost access logs

Posted by André Warnier <aw...@ice-sa.com>.
jithu mada wrote:
[...]
The only way I can see for the userid and password to be visible in an 
access log, is if they are part of the URL (actually, of the query 
string) and unencoded.
Which would mean that this is a form-based authentication, with either 
no method attribute in the <form> tag, or method="GET".
If it was really a POST, it would be in the body of the request, and not 
appear in the access log.



Re: Avoiding username/password being logged into localhost access logs

Posted by Dan Armbrust <da...@gmail.com>.
>
> How is Tomcat meant to determine that data in the URL is a password and
> needs to be filtered?
>
>> I imagine there are all sorts of places that (rightfully) have
>> policies against storing a clear text password anywhere.
>
> The only reason you are seeing the password in the access logs appears
> to be the fact that the application is including it in the URL. No
> authentication scheme provided by Tomcat does this. This is an
> application issue (it should be using POST rather than GET) not a Tomcat
> one.
>
> Mark

Ahh.  I didn't read the first post very carefully.  I thought they
were using a built-in Tomcat authorization scheme - and it was logging
the usernames and passwords.  But the original poster just has a
really poor application design.

I didn't think Tomcat would be logging passwords in clear text.  Never mind me :)

Dan



Re: Avoiding username/password being logged into localhost access logs

Posted by Mark Thomas <ma...@apache.org>.
Dan Armbrust wrote:
> Sounds like a good enhancement request to me.  It's certainly
> reasonable that one should be able to ask Tomcat to never ever log a
> password in clear text.  In fact, it seems like that should be the
> default setting.

How is Tomcat meant to determine that data in the URL is a password and
needs to be filtered?

> I imagine there are all sorts of places that (rightfully) have
> policies against storing a clear text password anywhere.

The only reason you are seeing the password in the access logs appears
to be the fact that the application is including it in the URL. No
authentication scheme provided by Tomcat does this. This is an
application issue (it should be using POST rather than GET), not a Tomcat
one.

Mark





Re: Avoiding username/password being logged into localhost access logs

Posted by Dan Armbrust <da...@gmail.com>.
Sounds like a good enhancement request to me.  It's certainly
reasonable that one should be able to ask Tomcat to never ever log a
password in clear text.  In fact, it seems like that should be the
default setting.

I imagine there are all sorts of places that (rightfully) have
policies against storing a clear text password anywhere.

Dan



RE: Avoiding username/password being logged into localhost access logs

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: jithu mada [mailto:jithu.mada@gmail.com]
> Subject: Re: Avoiding username/password being logged into localhost
> access logs
> 
> It's only accessible to a few users.
> 
> But the user wants the username and password to be obscured.

Then you'll need to extend the existing logger class, have your replacement scan for username and password, and apply appropriate obfuscation.  It would be easier just to completely restrict access to the log files, and filter them after the fact.

 - Chuck




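The two points made in this thread, as an added example that is not part of the original posts or of Tomcat itself: Chuck's suggestion to restrict access to the log files and filter them after the fact, and André's observation that credentials can only land in the access log when a login form submits them through the query string (no method attribute, or method="GET"), never in a POST body. The script below is my own code. It assumes Tomcat's default "common" access log pattern (%h %l %u %t "%r" %s %b); the sample log lines are constructed, and the parameter names beyond "username" and "password" are assumed additions, not names from the thread.

```python
import re
import sys
from urllib.parse import unquote_plus

# Query parameter names treated as credentials. "username" and "password" are
# the names discussed in the thread; the remaining entries are assumed extras.
SENSITIVE_PARAMS = {"username", "password", "passwd", "pwd",
                    "j_username", "j_password"}

# One line of Tomcat's default "common" access log pattern:
#   %h %l %u %t "%r" %s %b
# The request line %r is split into method, target and protocol so that only
# the target's query string is touched; everything else is copied through.
LOG_RE = re.compile(
    r'^(?P<prefix>\S+ \S+ \S+ \[[^\]]+\] ")'
    r'(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)'
    r'(?P<suffix>" .*)$'
)


def redact_query(target, mask="***"):
    """Mask the values of sensitive parameters in a request target.

    Returns (redacted_target, hit_names). Pairs that are not sensitive keep
    their original encoding untouched; only matched values are replaced.
    """
    path, sep, query = target.partition("?")
    if not sep:
        return target, []
    hits, kept = [], []
    for pair in query.split("&"):
        name, _eq, _value = pair.partition("=")
        # Compare the decoded, lower-cased name so "Password" or "j%5Fusername" match too.
        if unquote_plus(name).lower() in SENSITIVE_PARAMS:
            hits.append(name)
            kept.append(name + "=" + mask)
        else:
            kept.append(pair)
    return path + "?" + "&".join(kept), hits


def redact_line(line, mask="***"):
    """Redact one access-log line.

    Returns (line, method, hit_names). Lines without a parseable request line
    (for example a malformed request that Tomcat records as "-") are returned
    unchanged with method None rather than being dropped.
    """
    m = LOG_RE.match(line)
    if not m:
        return line, None, []
    target, hits = redact_query(m.group("target"), mask)
    if not hits:
        return line, m.group("method"), []
    new_line = "".join((m.group("prefix"), m.group("method"), " ", target, " ",
                        m.group("proto"), m.group("suffix")))
    return new_line, m.group("method"), hits


def scan(lines, mask="***"):
    """Redact every line and report where credentials were found.

    Returns (redacted_lines, findings); each finding is
    (line_number, method, hit_names). A GET carrying these names is the
    signature of a login form submitting through the query string.
    """
    redacted, findings = [], []
    for lineno, line in enumerate(lines, start=1):
        new_line, method, hits = redact_line(line, mask)
        redacted.append(new_line)
        if hits:
            findings.append((lineno, method, hits))
    return redacted, findings


# Constructed sample lines (not taken from the thread): a GET login leaking
# both fields, an ordinary page hit, a POST login (the body is not logged, so
# there is nothing to redact), a mixed-case parameter with a URL-encoded value,
# and a malformed request recorded as "-".
SAMPLE_LOG = """\
127.0.0.1 - - [22/Apr/2009:17:43:10 -0500] "GET /app/login.do?username=alice&password=s3cret HTTP/1.1" 302 -
127.0.0.1 - - [22/Apr/2009:17:43:11 -0500] "GET /app/home.jsp?tab=1 HTTP/1.1" 200 1532
127.0.0.1 - alice [22/Apr/2009:17:43:12 -0500] "POST /app/login.do HTTP/1.1" 302 -
127.0.0.1 - - [22/Apr/2009:17:43:13 -0500] "GET /app/login.do?Password=p%40ss&next=%2Fhome HTTP/1.0" 302 -
127.0.0.1 - - [22/Apr/2009:17:43:14 -0500] "-" 400 -
"""

if __name__ == "__main__":
    # With a path argument, filter that file; otherwise run over the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = [l.rstrip("\n") for l in fh]
    else:
        lines = SAMPLE_LOG.splitlines()
    redacted, findings = scan(lines)
    for lineno, method, hits in findings:
        print(f"line {lineno}: {method} request carried {', '.join(hits)}", file=sys.stderr)
    print("\n".join(redacted))
```

Run with a log file path to emit a redacted copy on stdout while the findings (line number, method, parameter names) go to stderr; the findings list is the quick way to confirm André's diagnosis, since every hit will be on a GET request. The redacted copy is what can be handed to the "few users" who need the log; the original should stay readable only by the account that runs Tomcat.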