PicketBox / SECURITY-650

auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter


    • Type: Bug
    • Resolution: Done
    • Priority: Minor
    • Version(s): PicketBox_v4_0_8.Final, JBossSecurity_2.0.5.Final
    • Component: PicketBox

      Enable auditing:

      Add the below option to JAVA_OPTS
      -Dorg.jboss.security.web.audit=headers,cookies,parameters

      Update the server.xml file to enable the audit:

      <Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
      certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
      allRolesMode="authOnly"
      enableAudit="true"
      />

      Update the jboss-log4j.xml:

      Add a category:

      <category name="org.jboss.security.audit.providers.LogAuditProvider" additivity="false">
      <priority value="TRACE"></priority>
      <appender-ref ref="AUDIT"/>
      </category>

      Uncomment the appender "AUDIT"

      Deploy any FORM-authentication-enabled application war and log in.

      The "audit.log" will show the password in the clear.

    • Low

      auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter

      See: jbosssx/src/main/java/org/jboss/security/authorization/resources/WebResource.java

      Headers filter:
      180 if(headerName.contains("authorization") == false)
      181 sb.append(httpRequest.getHeader(headerName)).append(",");

      No filtering for params:

      197 sb.append(paramValues[i]).append("::");

            tfonteyn Tom Fonteyne (Inactive)
            tfonteyn Tom Fonteyne (Inactive)
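The inconsistency described in the description and in the comment above, reproduced as an added example in plain Python. This is not PicketBox code: it imitates the filtering logic of WebResource (a header is dropped when its name contains "authorization", parameter values are appended verbatim with "::" separators) next to a hardened variant that also redacts password-style parameters such as j_password. The request model, the exact output layout, the REDACTED marker and the SENSITIVE_PARAMS set are assumptions made for the example; the request data is constructed.

```python
"""Reproduce the SECURITY-650 audit inconsistency and show a hardened variant.

Added example, not PicketBox code. It imitates how the audit string for the
"headers,cookies,parameters" level is built: headers whose name contains
"authorization" are skipped, but every parameter value is appended as-is,
so a FORM login's j_password reaches audit.log. The hardened function
redacts a configurable set of parameter names as well.
"""
from typing import Dict, Mapping, Sequence

REDACTED = "[REDACTED]"  # marker chosen for the example

# Hypothetical request model standing in for HttpServletRequest (constructed data).
Request = Dict[str, object]

SAMPLE_REQUEST: Request = {
    "headers": {
        "host": "app.example.test",
        "authorization": "Basic YWxpY2U6czNjcmV0",
        "user-agent": "curl/8.0",
    },
    "cookies": {"JSESSIONID": "0123456789ABCDEF"},
    "parameters": {
        "j_username": ["alice"],
        "j_password": ["s3cret-Passw0rd"],
    },
}

# Parameter names that must never be logged verbatim (assumed list; extend per app).
SENSITIVE_PARAMS = frozenset({"j_password", "password", "passwd", "pwd"})


def audit_headers(headers: Mapping[str, str]) -> str:
    """Mirror the original header filter: skip names containing 'authorization'.

    Servlet containers usually hand back lower-case header names; matching on
    a lower-cased name keeps the check correct even when they do not.
    """
    parts = []
    for name, value in headers.items():
        if "authorization" not in name.lower():
            parts.append(f"{name}={value}")
    return ",".join(parts)


def audit_cookies(cookies: Mapping[str, str]) -> str:
    return ",".join(f"{name}={value}" for name, value in cookies.items())


def audit_parameters_unfiltered(params: Mapping[str, Sequence[str]]) -> str:
    """The reported behaviour: every value is appended, no filtering at all."""
    return ",".join(f"{name}=" + "::".join(values) for name, values in params.items())


def audit_parameters_redacted(params: Mapping[str, Sequence[str]],
                              sensitive: frozenset = SENSITIVE_PARAMS) -> str:
    """Hardened variant: keep the parameter name so the log still records that
    the field was submitted, but replace each value of a sensitive parameter.
    Matching is case-insensitive and also catches names merely containing
    'password' (e.g. new_password, confirmPassword)."""
    parts = []
    for name, values in params.items():
        lowered = name.lower()
        if lowered in sensitive or "password" in lowered:
            shown = "::".join(REDACTED for _ in values)
        else:
            shown = "::".join(values)
        parts.append(f"{name}={shown}")
    return ",".join(parts)


def audit_line(request: Request, redact_params: bool) -> str:
    """Build one audit record; layout is an assumption of this example."""
    params = request["parameters"]
    param_str = (audit_parameters_redacted(params) if redact_params
                 else audit_parameters_unfiltered(params))
    return (f"[headers={audit_headers(request['headers'])}]"
            f"[cookies={audit_cookies(request['cookies'])}]"
            f"[parameters={param_str}]")


def leaks_secret(line: str, secret: str) -> bool:
    """True when the given secret appears verbatim in an audit record."""
    return secret in line


if __name__ == "__main__":
    print("reported: " + audit_line(SAMPLE_REQUEST, redact_params=False))
    print("hardened: " + audit_line(SAMPLE_REQUEST, redact_params=True))
```

Running the block prints the two records: the first drops the Authorization header but carries `j_password=s3cret-Passw0rd`, the second carries `j_password=[REDACTED]`. Redacting by name rather than by value is deliberate: matching values would require knowing the secret, whereas the parameter names of a FORM login (`j_username`, `j_password`) are fixed by the servlet specification and can be filtered before the value is ever formatted.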