Hi Abiy,

Regarding the issues you have raised

1)

>>Credentials leaked in localhost access log

This issue would exist when HTTP basic auth is used on Fineract (username
and password are passed as query parameters over an HTTPS channel) and
the access log is enabled on Tomcat (where the default pattern logs all
accessed URLs and their associated query parameters). Quick fixes to the
deployment environment (in order of complexity) to resolve this issue
would be

-> Disable localhost access log / update access log pattern to not print
URLs in Tomcat
-> Extend access log to hide passwords (Ex:
https://stackoverflow.com/questions/16699113/how-to-configure-tomcat-accesslogvalve-to-hide-passwords
)

If we are particular about handling the same at an application level, the
easiest change would be to change the authentication API to pass the
username and password as part of the POST body (which isn't logged by the
Tomcat access log).

2)

>>And the other is the one that is displaying in catalina
(fineract-provider-log)

I'll let others correct me, but this should not be the case. Logging from
the application (catalina and fineract-provider) would only log the
username (not the password).

3) Lastly, regarding the comment

"My Recommendation is also as follows,
In a system my company is using, the passwords in the xml files are
encrypted. And the system will decrypt them before reading."

Are you referring to the global credentials (database) configured in
Tomcat's server.xml which have the password in plain text? If so, this
would be a separate (unrelated) security-related enhancement.

Regards,
Vishwas
+1 (202) 716 6675

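An added example (not Fineract or Tomcat code) that puts the two deployment-side fixes above into runnable form: an audit that flags a Tomcat AccessLogValve pattern whose elements write the query string (%r, the full request line, and %q do; "%m %U %H" gives method, path and protocol without it), and a scrubber for access-log files already on disk that replaces credential values in the request line while leaving every other byte of the entry unchanged. The sample log lines are constructed (the first reproduces the entry quoted later in this thread), and the set of parameter names treated as credentials is an assumption taken from the authentication URL in the thread.

```python
"""Audit a Tomcat AccessLogValve pattern for query-string leakage and scrub
credentials out of access-log lines that were already written.

Added example for this thread (not Fineract or Tomcat code).  The sample log
lines are constructed; the set of parameter names treated as credentials is
an assumption taken from the authentication call quoted in the thread.
"""
import re
from urllib.parse import unquote

# Pattern elements that embed the query string: %r is the whole request line
# ("METHOD /path?query HTTP/1.1") and %q is the query string itself.  %U is the
# path *without* the query string, so "%m %U %H" is a query-free stand-in for %r.
QUERY_ELEMENTS = {"r", "q"}

# The pattern quoted from server.xml in the thread, and a replacement that keeps
# method, path and protocol but never writes the query string.
LEAKY_PATTERN = '%h %l %u %t "%r" %s %b'
SAFE_PATTERN = '%h %l %u %t "%m %U %H" %s %b'

# Parameter names to redact (assumption: taken from the
# /authentication?username=...&password=... call quoted in the thread).
SENSITIVE_PARAMS = {"username", "password"}

# One AccessLogValve element: an optional "{name}" argument and a single letter.
# %{name}r is a request attribute, not the request line, so only the bare form counts.
_ELEMENT = re.compile(r"%(\{[^}]*\})?([A-Za-z])")

# The quoted "%r" section of a line written with the leaky pattern.
_REQUEST_LINE = re.compile(r'"([A-Z]+) (\S+) (HTTP/\d(?:\.\d)?)"')


def pattern_leaks_query(pattern):
    """True if the valve pattern would write the query string to the log."""
    return any(not arg and letter in QUERY_ELEMENTS
               for arg, letter in _ELEMENT.findall(pattern))


def scrub_query(query):
    """Replace the value of every credential parameter; keep other pairs byte-for-byte.
    Returns (scrubbed query, number of values replaced)."""
    found = 0
    out = []
    for pair in query.split("&"):
        key, sep, _value = pair.partition("=")
        if sep and unquote(key).lower() in SENSITIVE_PARAMS:
            found += 1
            out.append(f"{key}=REDACTED")
        else:
            out.append(pair)
    return "&".join(out), found


def scrub_line(line):
    """Redact credentials inside the request line of one access-log entry.
    Returns (scrubbed line, number of values replaced)."""
    found = 0

    def _sub(m):
        nonlocal found
        method, target, proto = m.groups()
        path, sep, query = target.partition("?")
        if not sep:                      # no query string, nothing to redact
            return m.group(0)
        query, n = scrub_query(query)
        found += n
        return f'"{method} {path}?{query} {proto}"'

    return _REQUEST_LINE.sub(_sub, line), found


def scrub_log(lines):
    """Scrub every line; return (scrubbed lines, total credential values found)."""
    scrubbed, total = [], 0
    for line in lines:
        new, n = scrub_line(line)
        scrubbed.append(new)
        total += n
    return scrubbed, total


# Constructed sample in the '%h %l %u %t "%r" %s %b' format; the first entry is
# the one quoted in the thread, the other two are made up for the demo.
SAMPLE_LOG = [
    '127.0.0.1 - - [13/Dec/2018:10:05:00 +0530] "POST /fineract-provider/api/v1/authentication?username=ABC&password=78loknbj HTTP/1.1" 200 353',
    '127.0.0.1 - - [13/Dec/2018:10:05:04 +0530] "GET /fineract-provider/api/v1/clients?offset=0&limit=20 HTTP/1.1" 200 1874',
    '127.0.0.1 - - [13/Dec/2018:10:05:09 +0530] "GET /fineract-provider/api/v1/authentication?username=mifos&password=password&tenantIdentifier=default HTTP/1.1" 401 120',
]

if __name__ == "__main__":
    for name, pat in (("current", LEAKY_PATTERN), ("proposed", SAFE_PATTERN)):
        print(f"{name} pattern {pat!r}: writes query string = {pattern_leaks_query(pat)}")
    lines, total = scrub_log(SAMPLE_LOG)
    print(f"\n{total} credential values redacted:")
    print("\n".join(lines))
```

Changing the pattern only stops new entries from carrying the query string; rotated files that already contain it still need the scrubber (run it on a copy, then shred the original). The trade-off of %U is that it drops the query string for every request, so endpoints that legitimately key on query parameters lose that detail in the access log. Credentials sent in a POST body are never seen by the access log, so the scrubber does not look for them.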

On Thu, Dec 13, 2018 at 3:36 AM Abiy Atsbha <abiy...@gmail.com> wrote:

> Hello Shruthi,
>
> Yeah one is that, which is from the server.xml,
> (
> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="/logs"
>        prefix="localhost_access_log." suffix=".log"
>        pattern="%h %l %u %t &quot;%r&quot; %s %b" />
> )
>
> And the other is the one that is displaying in catalina,
> (fineract-provider-log)
>
> (
> 166270 [http-bio-8443-exec-7] INFO o.a.f.i.s.f.TenantAwareBasicAuthenticationFilter -
> {"startTime":1544448486351,"totalTime":232,"method":"POST","url":"https://localhost:8443/fineract-provider/api/v1/authentication","parameters":{"username":["admin"]}}
> )
>
> ******************************************
>
> My recommendation is also as follows,
> In a system my company is using, the passwords in the xml files are
> encrypted. And the system will decrypt them before reading.
> I will attach these files in a private email because of copyright issues, and hope
> they will give you ideas on how to construct one for Mifos.
>
> Regards,
> Abiy
>
> On Thu, Dec 13, 2018 at 10:05 AM Shruthi M R <
> shru...@confluxtechnologies.com> wrote:
>
> >
> > Thanks Abiy for bringing this to our attention.
> >
> > Are you referring to the API - POST
> > /fineract-provider/api/v1/authentication?username=ABC&password=78loknbj HTTP/1.1" 200 353
> > being logged in localhost_access_log?
> >
> > Thank You,
> >
> > *Shruthi M R*
> > Senior Software Engineer - Conflux Technologies
> > shru...@confluxtechnologies.com | Skype: Shruthi Rajaram | Mobile:
> > +91-8277012716
> >
> >
> > On Tue, Dec 11, 2018 at 6:24 PM Abiy Atsbha <abiy...@gmail.com> wrote:
> >
> >> Hi All,
> >>
> >> How can we hide the username & password that is visible in the
> >> localhost_access_log.2018-12-11.log file?
> >>
> >> The username and password are visible in the log. Any means to hide this
> >> content?
> >>
> >> Thanks in Advance,
> >> Abiy-A
> >>
> >> Mifos-developer mailing list
> >> mifos-develo...@lists.sourceforge.net
> >> Unsubscribe or change settings at:
> >> https://lists.sourceforge.net/lists/listinfo/mifos-developer
> >
> >
>
