[WSS-253] UsernameTokenProcessor logs the password to the log - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.5.9
Fix Version/s: 1.5.10, 1.6
Component/s: None
Labels:
None
Environment:
Any OS

Description

The UsernameTokenProcessor class logs the username and password to the log file.

org.apache.ws.security.processor.UsernameTokenProcessor file from TRUNK:

public WSUsernameTokenPrincipal handleUsernameToken(Element token, CallbackHandler cb)
88 throws WSSecurityException {
89 if (cb == null)

{ 90 throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback"); 91 }

92 //
93 // Parse the UsernameToken element
94 //
95 ut = new UsernameToken(token, allowNamespaceQualifiedPasswordTypes);
96 ut.setPasswordsAreEncoded(passwordsAreEncoded);
97 String user = ut.getName();
98 String password = ut.getPassword();
99 String nonce = ut.getNonce();
100 String createdTime = ut.getCreated();
101 String pwType = ut.getPasswordType();
102 if (log.isDebugEnabled())

{ 103 log.debug("UsernameToken user " + user); 104 log.debug("UsernameToken password " + password); 105 }

I think from a security stand point it is wrong to log the password.
In production environments for instance I want to log the username, but can't do that without logging the password as well.
I say either remove the password from logging or add a
log.info("UsernameToken user " + user); -> At INFO level

Thanks.

Attachments

Activity

People

Assignee:: Colm O hEigeartaigh

Reporter:: Alexandru Luchian

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 18/Nov/10 16:22

Updated:: 19/Nov/10 16:12

Resolved:: 19/Nov/10 16:12

Time Tracking

Estimated:

Remaining:

Logged:

Not Specified