Hello Dean,

CAS AuthenticationViaFormAction class extends Spring WebFlow's FormAction. FormAction offers debugging (1) of the binding between HTTP request parameters and Java objects. This debugging does not handle obfuscation of sensitive parameters like "password". Moreover, the Spring Web Flow logging pattern is to associate the logger with the instantiated class, not with the declaring class (2) (LogFactory.getLog(getClass()) versus LogFactory.getLog(My.class)). Thus, that password may be emitted in the logs if the troubleshooting team enables debugging on the "org.jasig.cas" category.

I unfortunately don't see any way to prevent this risk in CAS except not inheriting from o.s.webflow.action.AbstractAction, which would require a lot of extra work. On the other hand, all the CAS code takes care not to output sensitive information in the logs (e.g. UsernamePasswordCredentials#toString()).

My two cents,
Cyrille

(1) https://fisheye.springsource.org/browse/spring-webflow/tags/spring-webflow-1.0.5/spring-webflow/src/main/java/org/springframework/webflow/action/FormAction.java?r=493#l841
(2) https://fisheye.springsource.org/browse/spring-webflow/tags/spring-webflow-1.0.5/spring-webflow/src/main/java/org/springframework/webflow/action/AbstractAction.java?r=493#l46

On Fri, Jun 12, 2009 at 5:59 PM, deanhe01<[email protected]> wrote:
>
> As I was looking at log files yesterday I came across the following line:
>
> 2009-06-12 08:51:56,460 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Binding allowed request parameters in map['lt' -> '_c867CA912-466E-BBAE-EB94-E793532928A0_kC2CAEC2A-D940-9912-8EBA-3F93B9E1B586', 'service' -> 'http://localhost:8888/cornerstone-sso', '_eventId' -> 'submit', 'password' -> 'y3x3.m4f', 'submit' -> 'LOGIN', 'username' -> 'deanhe01'] to form object with name 'credentials', pre-bind formObject toString = [username: null]
>
> Notice the bold. That's the password entered from the CAS login. Now I do realize that I am running in debug mode and that you would not run a production server in debug but, do we have to have the password right there in plain text?
> --
> View this message in context:
> http://www.nabble.com/user-password-in-plalintext-in-cas.log-tp24001707p24001707.html
> Sent from the CAS Users mailing list archive at Nabble.com.
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
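Added example, not part of the thread and not CAS or Spring Web Flow code: a small scanner and redactor for the "Binding allowed request parameters in map[...]" DEBUG line the thread discusses. It finds every such line in a cas.log where a sensitive parameter was written in the clear, reports the logger category that emitted it, and produces a masked copy of the log. The sample log lines, the user/password/ticket values in them, and the list of parameter names treated as sensitive are all constructed for this example; the parser assumes the single-quoted "'key' -> 'value'" map format shown in Dean's quoted line.

```python
import re

# Constructed sample log in the shape of the Spring Web Flow FormAction
# "Binding allowed request parameters" DEBUG message quoted in the thread.
# Every value here (user, password, ticket, URL) is made up for the example.
SAMPLE_LOG = """\
2009-06-12 08:51:56,460 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Binding allowed request parameters in map['lt' -> '_cEXAMPLE-LT', 'service' -> 'http://localhost:8888/app', '_eventId' -> 'submit', 'password' -> 'hunter2', 'submit' -> 'LOGIN', 'username' -> 'jdoe'] to form object with name 'credentials', pre-bind formObject toString = [username: null]
2009-06-12 08:51:56,470 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Validating form object
2009-06-12 08:52:01,003 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-example] for service [http://localhost:8888/app] for user [jdoe]
"""

# Parameter names treated as secrets. This set is an assumption for the example;
# extend it to whatever your login form actually binds.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token"}

BINDING_MARKER = "Binding allowed request parameters in map["
# One "'key' -> 'value'" entry inside map[...]. The format single-quotes both
# sides and the quoted sample contains no quotes or ']' inside values, which
# this parser assumes.
ENTRY_RE = re.compile(r"'([^']*)' -> '([^']*)'")
MAP_RE = re.compile(r"map\[(.*?)\]")
LOGGER_RE = re.compile(r"\[([\w.$]+)\]")
MASK = "********"


def parse_binding_map(line):
    """Return the key/value dict from a binding DEBUG line, or None for any other line."""
    if BINDING_MARKER not in line:
        return None
    m = MAP_RE.search(line)
    if m is None:
        return None
    return dict(ENTRY_RE.findall(m.group(1)))


def find_leaks(log_text):
    """Scan a log and return (line_number, logger, key, value) for every sensitive
    parameter whose value was written in the clear."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        params = parse_binding_map(line)
        if not params:
            continue
        logger_m = LOGGER_RE.search(line)
        logger = logger_m.group(1) if logger_m else "?"
        for key, value in params.items():
            if key.lower() in SENSITIVE_KEYS and value != MASK:
                findings.append((lineno, logger, key, value))
    return findings


def redact_line(line):
    """Mask the value of every sensitive parameter in the map[...] of a binding line;
    other lines are returned unchanged."""
    if BINDING_MARKER not in line:
        return line

    def mask_entry(m):
        key = m.group(1)
        if key.lower() in SENSITIVE_KEYS:
            return f"'{key}' -> '{MASK}'"
        return m.group(0)

    return MAP_RE.sub(lambda mm: "map[" + ENTRY_RE.sub(mask_entry, mm.group(1)) + "]", line)


def redact_log(log_text):
    """Return a copy of the whole log with sensitive binding values masked."""
    return "\n".join(redact_line(l) for l in log_text.splitlines()) + "\n"


if __name__ == "__main__":
    for lineno, logger, key, value in find_leaks(SAMPLE_LOG):
        print(f"line {lineno}: logger {logger} wrote {key!r} in the clear ({len(value)} chars)")
    print(redact_log(SAMPLE_LOG))
```

Running it against a real cas.log tells you whether the DEBUG category was ever on while users logged in, and which logger wrote the line. Because, as Cyrille notes, the logger is named after the instantiated class, that category is org.jasig.cas.web.flow.AuthenticationViaFormAction itself; in a hierarchical logging configuration that one category can be pinned to INFO while the rest of org.jasig.cas stays at DEBUG, which limits the exposure without touching CAS code (a property of the logging framework's category hierarchy, not something the thread verifies).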
