Posted to dev@tomcat.apache.org by bu...@apache.org on 2005/01/21 05:40:31 UTC
DO NOT REPLY [Bug 33187] - JAASRealm logs passwords in the clear
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=33187>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=33187
------- Additional Comments From arjaquith@mindspring.com 2005-01-21 05:40 -------
Is it a security hole? Yes, but only if you specifically turned on debug tracing. This isn't done by default.
To your point, it "should require unusual and explicit configuration to get JAASRealm to emit plaintext
passwords". It DOES require unusual configuration---tracing.
Second, the function of the trace is to report what the JAASCallbackHandler passes back to the
LoginModule, and only in a debug/trace scenario. This is very handy for troubleshooting JAAS login
modules, which frequently access enterprise resources. If the realm has password digesting turned on,
it will log the digest value. It sounds like you don't use digesting in your LoginModule; maybe you
should!
I'd say the hole isn't "huge," but if this is really a problem, simply snipping this line out of
JAASCallbackHandler#handle() would fix the issue:
    if (realm.getContainer().getLogger().isTraceEnabled())
        realm.getContainer().getLogger().trace(sm.getString("jaasCallback.password", password));
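To make the fix discussed above concrete, here is an added example (not Tomcat's JAASCallbackHandler and not code from the comment's author) of a minimal JAAS CallbackHandler that hands the user name and password to the LoginModule the way the comment describes, with the offending credential-formatting trace call shown as a comment and replaced by a trace line that never carries the value. The class name RedactingCallbackHandler is hypothetical, and java.util.logging stands in for Tomcat's container logger.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/** Added example: a JAASRealm-style callback handler whose trace output never carries the credential. */
public class RedactingCallbackHandler implements CallbackHandler {
    private static final Logger log = Logger.getLogger(RedactingCallbackHandler.class.getName());
    private final String username;
    private final char[] password; // the digest when the realm digests credentials, else the clear text

    public RedactingCallbackHandler(String username, char[] password) {
        this.username = username;
        this.password = password.clone();
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
                if (log.isLoggable(Level.FINEST)) {
                    log.finest("jaasCallback.username=" + username); // a user name is safe to trace
                }
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password); // PasswordCallback copies the array
                // The line the bug is about formatted the credential itself at trace level:
                //   log.finest("jaasCallback.password=" + new String(password));
                // Record only that a credential was handed to the LoginModule, never its value.
                if (log.isLoggable(Level.FINEST)) {
                    log.finest("jaasCallback.password=<redacted>");
                }
            } else {
                throw new UnsupportedCallbackException(cb, "Unsupported callback type");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        log.setLevel(Level.FINEST); // constructed scenario: trace enabled, as in the bug report
        PasswordCallback pc = new PasswordCallback("password: ", false);
        new RedactingCallbackHandler("alice", "s3cret".toCharArray())
                .handle(new Callback[] { new NameCallback("user: "), pc });
        System.out.println("LoginModule got " + pc.getPassword().length + " chars; trace output shows none");
    }
}
```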