[JBPAPP-8089] auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter - JBoss Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Minor
Resolution: Done
Affects Version/s: EAP_EWP 5.1.2
Fix Version/s: EAP_EWP 5.2.0
Component/s: Security
Labels:
None
Environment:

all

Steps to Reproduce:

Hide

Enable auditing:

Add the below option to JAVA_OPTS
-Dorg.jboss.security.web.audit=headers,cookies,parameters

Update the server.xml file to enable the audit:

<Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
allRolesMode="authOnly"
enableAudit="true"
/>

Update the jboss-log4j.xml:

Add a category:

<category name="org.jboss.security.audit.providers.LogAuditProvider" additivity="false">
<priority value="TRACE"></priority>
<appender-ref ref="AUDIT"/>
</category>

Uncomment the appender "AUDIT"

Deploy any FORM authentication enabled application war, and login.

The "audit.log" will show the password in clear.

Show
Enable auditing: Add the below option to JAVA_OPTS -Dorg.jboss.security.web.audit=headers,cookies,parameters Update the server.xml file to enable the audit: <Realm className="org.jboss.web.tomcat.security.JBossWebRealm" certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping" allRolesMode="authOnly" enableAudit="true" /> Update the jboss-log4j.xml: Add a category: <category name="org.jboss.security.audit.providers.LogAuditProvider" additivity="false"> <priority value="TRACE"></priority> <appender-ref ref="AUDIT"/> </category> Uncomment the appender "AUDIT" Deploy any FORM authentication enabled application war, and login. The "audit.log" will show the password in clear.
Affects:

Release Notes
Estimated Difficulty:
Low
Release Notes Text:

Hide
The <systemitem>j_password</systemitem> form field parameter was not filtered out of auditing logs, which caused unintended password exposure in the <filename>audit.log</filename> file. The underlying source code for audit logging has been enhanced to filter out the <systemitem>j_password</systemitem> parameter so that it no longer occurs in the <filename>audit.log</filename> file.

Show
The <systemitem>j_password</systemitem> form field parameter was not filtered out of auditing logs, which caused unintended password exposure in the <filename>audit.log</filename> file. The underlying source code for audit logging has been enhanced to filter out the <systemitem>j_password</systemitem> parameter so that it no longer occurs in the <filename>audit.log</filename> file.
Release Notes Docs Status:
Documented as Resolved Issue
Docs QE Status:
NEW

Description

auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter

See: jbosssx/ src/ main/ java/ org/ jboss/ security/ authorization/ resources/ WebResource.java

Headers filter:
180 if(headerName.contains("authorization") == false)
181 sb.append(httpRequest.getHeader(headerName)).append(",");

No filtering for params:

197 sb.append(paramValues[i]).append("::");

Gliffy Diagrams

Attachments

Issue Links

cloned to

SECURITY-650 auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter

Resolved

JBPAPP-8369 CLONE - auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter

Closed

Activity

People

Assignee:

Ondrej Lukas

Reporter:

Tom Fonteyne

Writer:

Petr Penicka

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

10/Feb/12 6:54 AM

Updated:

19/Sep/12 2:21 AM

Resolved:

07/Mar/12 6:43 AM