You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ws.apache.org by "Alexandru Luchian (JIRA)" <ji...@apache.org> on 2010/11/18 17:23:15 UTC
[jira] Created: (WSS-253) UsernameTokenProcessor logs the password
to the log
UsernameTokenProcessor logs the password to the log
---------------------------------------------------
Key: WSS-253
URL: https://issues.apache.org/jira/browse/WSS-253
Project: WSS4J
Issue Type: Improvement
Affects Versions: 1.5.9
Environment: Any OS
Reporter: Alexandru Luchian
Assignee: Colm O hEigeartaigh
The UsernameTokenProcessor class logs the username and password to the log file.
org.apache.ws.security.processor.UsernameTokenProcessor file from TRUNK:
public WSUsernameTokenPrincipal handleUsernameToken(Element token, CallbackHandler cb)
88 throws WSSecurityException {
89 if (cb == null) {
90 throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
91 }
92 //
93 // Parse the UsernameToken element
94 //
95 ut = new UsernameToken(token, allowNamespaceQualifiedPasswordTypes);
96 ut.setPasswordsAreEncoded(passwordsAreEncoded);
97 String user = ut.getName();
98 String password = ut.getPassword();
99 String nonce = ut.getNonce();
100 String createdTime = ut.getCreated();
101 String pwType = ut.getPasswordType();
102 if (log.isDebugEnabled()) {
103 log.debug("UsernameToken user " + user);
104 log.debug("UsernameToken password " + password);
105 }
I think from a security stand point it is wrong to log the password.
In production environments for instance I want to log the username, but can't do that without logging the password as well.
I say either remove the password from logging or add a
log.info("UsernameToken user " + user); -> At INFO level
Thanks.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[jira] Resolved: (WSS-253) UsernameTokenProcessor logs the password
to the log
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved WSS-253.
-------------------------------------
Resolution: Fixed
> UsernameTokenProcessor logs the password to the log
> ---------------------------------------------------
>
> Key: WSS-253
> URL: https://issues.apache.org/jira/browse/WSS-253
> Project: WSS4J
> Issue Type: Improvement
> Affects Versions: 1.5.9
> Environment: Any OS
> Reporter: Alexandru Luchian
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.10, 1.6
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> The UsernameTokenProcessor class logs the username and password to the log file.
> org.apache.ws.security.processor.UsernameTokenProcessor file from TRUNK:
> public WSUsernameTokenPrincipal handleUsernameToken(Element token, CallbackHandler cb)
> 88 throws WSSecurityException {
> 89 if (cb == null) {
> 90 throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
> 91 }
> 92 //
> 93 // Parse the UsernameToken element
> 94 //
> 95 ut = new UsernameToken(token, allowNamespaceQualifiedPasswordTypes);
> 96 ut.setPasswordsAreEncoded(passwordsAreEncoded);
> 97 String user = ut.getName();
> 98 String password = ut.getPassword();
> 99 String nonce = ut.getNonce();
> 100 String createdTime = ut.getCreated();
> 101 String pwType = ut.getPasswordType();
> 102 if (log.isDebugEnabled()) {
> 103 log.debug("UsernameToken user " + user);
> 104 log.debug("UsernameToken password " + password);
> 105 }
> I think from a security stand point it is wrong to log the password.
> In production environments for instance I want to log the username, but can't do that without logging the password as well.
> I say either remove the password from logging or add a
> log.info("UsernameToken user " + user); -> At INFO level
> Thanks.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[jira] Commented: (WSS-253) UsernameTokenProcessor logs the
password to the log
Posted by "Alexandru Luchian (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12933833#action_12933833 ]
Alexandru Luchian commented on WSS-253:
---------------------------------------
That would be great.
Thanks.
> UsernameTokenProcessor logs the password to the log
> ---------------------------------------------------
>
> Key: WSS-253
> URL: https://issues.apache.org/jira/browse/WSS-253
> Project: WSS4J
> Issue Type: Improvement
> Affects Versions: 1.5.9
> Environment: Any OS
> Reporter: Alexandru Luchian
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.10, 1.6
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> The UsernameTokenProcessor class logs the username and password to the log file.
> org.apache.ws.security.processor.UsernameTokenProcessor file from TRUNK:
> public WSUsernameTokenPrincipal handleUsernameToken(Element token, CallbackHandler cb)
> 88 throws WSSecurityException {
> 89 if (cb == null) {
> 90 throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
> 91 }
> 92 //
> 93 // Parse the UsernameToken element
> 94 //
> 95 ut = new UsernameToken(token, allowNamespaceQualifiedPasswordTypes);
> 96 ut.setPasswordsAreEncoded(passwordsAreEncoded);
> 97 String user = ut.getName();
> 98 String password = ut.getPassword();
> 99 String nonce = ut.getNonce();
> 100 String createdTime = ut.getCreated();
> 101 String pwType = ut.getPasswordType();
> 102 if (log.isDebugEnabled()) {
> 103 log.debug("UsernameToken user " + user);
> 104 log.debug("UsernameToken password " + password);
> 105 }
> I think from a security stand point it is wrong to log the password.
> In production environments for instance I want to log the username, but can't do that without logging the password as well.
> I say either remove the password from logging or add a
> log.info("UsernameToken user " + user); -> At INFO level
> Thanks.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[jira] Updated: (WSS-253) UsernameTokenProcessor logs the password
to the log
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated WSS-253:
------------------------------------
Fix Version/s: 1.6
1.5.10
I'll just replace logging the password, with logging the password type.
Colm.
> UsernameTokenProcessor logs the password to the log
> ---------------------------------------------------
>
> Key: WSS-253
> URL: https://issues.apache.org/jira/browse/WSS-253
> Project: WSS4J
> Issue Type: Improvement
> Affects Versions: 1.5.9
> Environment: Any OS
> Reporter: Alexandru Luchian
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.10, 1.6
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> The UsernameTokenProcessor class logs the username and password to the log file.
> org.apache.ws.security.processor.UsernameTokenProcessor file from TRUNK:
> public WSUsernameTokenPrincipal handleUsernameToken(Element token, CallbackHandler cb)
> 88 throws WSSecurityException {
> 89 if (cb == null) {
> 90 throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
> 91 }
> 92 //
> 93 // Parse the UsernameToken element
> 94 //
> 95 ut = new UsernameToken(token, allowNamespaceQualifiedPasswordTypes);
> 96 ut.setPasswordsAreEncoded(passwordsAreEncoded);
> 97 String user = ut.getName();
> 98 String password = ut.getPassword();
> 99 String nonce = ut.getNonce();
> 100 String createdTime = ut.getCreated();
> 101 String pwType = ut.getPasswordType();
> 102 if (log.isDebugEnabled()) {
> 103 log.debug("UsernameToken user " + user);
> 104 log.debug("UsernameToken password " + password);
> 105 }
> I think from a security stand point it is wrong to log the password.
> In production environments for instance I want to log the username, but can't do that without logging the password as well.
> I say either remove the password from logging or add a
> log.info("UsernameToken user " + user); -> At INFO level
> Thanks.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[jira] Commented: (WSS-253) UsernameTokenProcessor logs the
password to the log
Posted by "Alexandru Luchian (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12933465#action_12933465 ]
Alexandru Luchian commented on WSS-253:
---------------------------------------
You can see that line 104 logs the password:
104 log.debug("UsernameToken password " + password);
> UsernameTokenProcessor logs the password to the log
> ---------------------------------------------------
>
> Key: WSS-253
> URL: https://issues.apache.org/jira/browse/WSS-253
> Project: WSS4J
> Issue Type: Improvement
> Affects Versions: 1.5.9
> Environment: Any OS
> Reporter: Alexandru Luchian
> Assignee: Colm O hEigeartaigh
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> The UsernameTokenProcessor class logs the username and password to the log file.
> org.apache.ws.security.processor.UsernameTokenProcessor file from TRUNK:
> public WSUsernameTokenPrincipal handleUsernameToken(Element token, CallbackHandler cb)
> 88 throws WSSecurityException {
> 89 if (cb == null) {
> 90 throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
> 91 }
> 92 //
> 93 // Parse the UsernameToken element
> 94 //
> 95 ut = new UsernameToken(token, allowNamespaceQualifiedPasswordTypes);
> 96 ut.setPasswordsAreEncoded(passwordsAreEncoded);
> 97 String user = ut.getName();
> 98 String password = ut.getPassword();
> 99 String nonce = ut.getNonce();
> 100 String createdTime = ut.getCreated();
> 101 String pwType = ut.getPasswordType();
> 102 if (log.isDebugEnabled()) {
> 103 log.debug("UsernameToken user " + user);
> 104 log.debug("UsernameToken password " + password);
> 105 }
> I think from a security stand point it is wrong to log the password.
> In production environments for instance I want to log the username, but can't do that without logging the password as well.
> I say either remove the password from logging or add a
> log.info("UsernameToken user " + user); -> At INFO level
> Thanks.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[jira] Closed: (WSS-253) UsernameTokenProcessor logs the password
to the log
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed WSS-253.
-----------------------------------
> UsernameTokenProcessor logs the password to the log
> ---------------------------------------------------
>
> Key: WSS-253
> URL: https://issues.apache.org/jira/browse/WSS-253
> Project: WSS4J
> Issue Type: Improvement
> Affects Versions: 1.5.9
> Environment: Any OS
> Reporter: Alexandru Luchian
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.10, 1.6
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> The UsernameTokenProcessor class logs the username and password to the log file.
> org.apache.ws.security.processor.UsernameTokenProcessor file from TRUNK:
> public WSUsernameTokenPrincipal handleUsernameToken(Element token, CallbackHandler cb)
> 88 throws WSSecurityException {
> 89 if (cb == null) {
> 90 throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
> 91 }
> 92 //
> 93 // Parse the UsernameToken element
> 94 //
> 95 ut = new UsernameToken(token, allowNamespaceQualifiedPasswordTypes);
> 96 ut.setPasswordsAreEncoded(passwordsAreEncoded);
> 97 String user = ut.getName();
> 98 String password = ut.getPassword();
> 99 String nonce = ut.getNonce();
> 100 String createdTime = ut.getCreated();
> 101 String pwType = ut.getPasswordType();
> 102 if (log.isDebugEnabled()) {
> 103 log.debug("UsernameToken user " + user);
> 104 log.debug("UsernameToken password " + password);
> 105 }
> I think from a security stand point it is wrong to log the password.
> In production environments for instance I want to log the username, but can't do that without logging the password as well.
> I say either remove the password from logging or add a
> log.info("UsernameToken user " + user); -> At INFO level
> Thanks.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org