JBoss Enterprise Application Platform 4 and 5
JBPAPP-8369

CLONE - auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter


    • Type: Bug
    • Resolution: Done
    • Priority: Minor
    • EAP_EWP 5.2.0
    • EAP_EWP 5.1.2
    • Security
    • None
    • all


      Enable auditing:

      Add the option below to JAVA_OPTS:
      -Dorg.jboss.security.web.audit=headers,cookies,parameters

      Update the server.xml file to enable the audit:

      <Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
      certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
      allRolesMode="authOnly"
      enableAudit="true"
      />

      Update the jboss-log4j.xml:

      Add a category:

      <category name="org.jboss.security.audit.providers.LogAuditProvider" additivity="false">
      <priority value="TRACE"></priority>
      <appender-ref ref="AUDIT"/>
      </category>

      Uncomment the appender "AUDIT"

      Deploy any FORM-authentication-enabled application WAR and log in.

      The "audit.log" will show the password in the clear.

    • Release Notes
    • Low
    •
      The <systemitem>j_password</systemitem> form field parameter was not filtered out of auditing logs, which caused unintended password exposure in the <filename>audit.log</filename> file. The underlying source code for audit logging has been enhanced to filter out the <systemitem>j_password</systemitem> parameter so that it no longer occurs in the <filename>audit.log</filename> file.
    • Documented as Resolved Issue
    • NEW

      auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter

      This got fixed in JBPAPP-8089 for the class:
      jbosssx/src/main/java/org/jboss/security/authorization/resources/WebResource.java

      Also needs fixing in:
      org/jboss/web/tomcat/security/WebUtil.java

      which is a (broken) copy of the former class method
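      An added illustration, not the JBoss fix or any code from WebResource/WebUtil: a minimal Java sanitizer that routes both request headers and form parameters through one shared, case-insensitive deny-list, so the "authorization" header and the "j_password" parameter are masked consistently before the audit line is built. Class, method and sample values are my own.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Illustrative audit sanitizer (hypothetical, not JBoss code). Headers and
 * parameters pass through ONE deny-list, so redaction cannot drift between
 * two copies of the same logic the way the two classes in this issue did.
 */
public final class AuditSanitizer {
    private static final String MASK = "***";

    // Case-insensitive names whose values must never reach audit.log.
    private static final Set<String> SENSITIVE = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    static {
        SENSITIVE.add("authorization"); // HTTP Basic/Bearer credentials
        SENSITIVE.add("j_password");    // FORM authentication password field
    }

    private AuditSanitizer() {}

    /** Returns a copy of the map with every sensitive value replaced by MASK. */
    public static Map<String, String> redact(Map<String, String> attrs) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            out.put(e.getKey(), SENSITIVE.contains(e.getKey()) ? MASK : e.getValue());
        }
        return Collections.unmodifiableMap(out);
    }

    /** Builds the audit line; both maps go through redact() before concatenation. */
    public static String auditLine(Map<String, String> headers, Map<String, String> params) {
        return "headers=" + redact(headers) + ";parameters=" + redact(params);
    }

    public static void main(String[] args) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Authorization", "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="); // constructed sample
        headers.put("User-Agent", "test-client");
        Map<String, String> params = new LinkedHashMap<>();
        params.put("j_username", "alice");
        params.put("j_password", "s3cret");                                 // constructed sample
        String line = auditLine(headers, params);
        // Regression check a deployment can keep as a unit test: no credential survives.
        if (line.contains("s3cret") || line.contains("QWxhZGRpbj")) throw new AssertionError(line);
        System.out.println(line);
    }
}
```

      The check in main() is the kind of test that would have caught the WebUtil.java copy diverging from WebResource.java.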

            olukas Ondrej Lukas (Inactive)
            tfonteyn Tom Fonteyne (Inactive)
            Petr Penicka Petr Penicka (Inactive)