JBoss BPMS Platform / RHBPMS-136

Plaintext password is logged in server.log if enabling DEBUG for BPM Suite 6


    • Bug
    • Resolution: Done
    • Minor
    • 6.2.0
    • 6.0.0
    • Business Central
    • None

        • Description of problem:

      When JBoss EAP 6.1.1 (on which BPM Suite 6 is installed) is started with DEBUG enabled, the password is logged in server.log after logging in to business-central.

      13:36:37,595 DEBUG [org.apache.coyote.http11] (http-/10.10.7.34:8080-1) JBWEB003028: Start processing with input [j_username=jroy&j_password=Passboba123%21]

        • Version-Release number of selected component (if applicable):

      BPM Suite/BRMS6 GA

        • How reproducible:

      Always

        • Steps to Reproduce:

      1. Enable DEBUG in standalone.xml as follows:

      <root-logger>
          <level name="DEBUG"/>
          <handlers>
              <handler name="CONSOLE"/>
              <handler name="FILE"/>
          </handlers>
      </root-logger>

      2. Start the server
      3. Log in to business-central
      4. Look for "&j_password=" in server.log

        • Actual results:

      13:36:37,595 DEBUG [org.apache.coyote.http11] (http-/10.10.7.34:8080-1) JBWEB003028: Start processing with input [j_username=jroy&j_password=Passboba123%21]

        • Expected results:

      Password should not be logged in server.log or it should be encrypted.

              abakos@redhat.com Alexandre Porcelli
              rhn-support-ajuricic Amana Juricic
              Marian Macik Marian Macik
              Marian Macik Marian Macik
              Amana Juricic, Bartosz Baranowski, Kris Verlaenen, Marek Baluch, Rajesh Rajasekaran
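
For server.log files already written while DEBUG was enabled, the following added example (not part of the original ticket or of JBoss) masks form-encoded password values in the JBWEB003028 lines and lists the accounts whose passwords were exposed and should be reset. The extra parameter names besides `j_password`, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Form-encoded credential parameters to mask. j_password is the field seen in
# the ticket's log line; the other names are assumptions, adjust as needed.
SENSITIVE_KEYS = ("j_password", "password", "passwd")

# Matches key=value inside a form-encoded body; the value runs until the next
# '&', the closing ']' of the JBWEB003028 message, or whitespace.
_PARAM_RE = re.compile(
    r"(?P<key>\b(?:%s))=(?P<value>[^&\]\s]*)" % "|".join(map(re.escape, SENSITIVE_KEYS)),
    re.IGNORECASE,
)
_USER_RE = re.compile(r"\bj_username=(?P<user>[^&\]\s]*)")


def redact_line(line):
    """Return (redacted_line, exposed_user), where exposed_user is None if nothing was masked."""
    if not _PARAM_RE.search(line):
        return line, None
    user = _USER_RE.search(line)
    redacted = _PARAM_RE.sub(lambda m: m.group("key") + "=[REDACTED]", line)
    return redacted, (user.group("user") if user else "<unknown>")


def scrub(lines):
    """Redact every line; return (clean_lines, sorted accounts needing a password reset)."""
    clean, exposed = [], set()
    for line in lines:
        new, user = redact_line(line)
        clean.append(new)
        if user is not None:
            exposed.add(user)
    return clean, sorted(exposed)


# Constructed sample modelled on the ticket's log line (all values are made up).
SAMPLE = [
    "13:36:37,595 DEBUG [org.apache.coyote.http11] (http-/192.0.2.10:8080-1) "
    "JBWEB003028: Start processing with input [j_username=alice&j_password=Example%21pw]",
    "13:36:38,001 INFO  [org.jboss.as] (MSC service thread 1-1) constructed unrelated line",
    "13:36:39,120 DEBUG [org.apache.coyote.http11] (http-/192.0.2.10:8080-2) "
    "JBWEB003028: Start processing with input [j_password=Other123&j_username=bob]",
]

if __name__ == "__main__":
    cleaned, users = scrub(SAMPLE)
    print("\n".join(cleaned))
    print("reset passwords for:", users)
```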