UsernameTokenProcessor logs the password to the log
---------------------------------------------------
Key: WSS-253
URL: https://issues.apache.org/jira/browse/WSS-253
Project: WSS4J
Issue Type: Improvement
Affects Versions: 1.5.9
Environment: Any OS
Reporter: Alexandru Luchian
Assignee: Colm O hEigeartaigh
The UsernameTokenProcessor class logs the username and password to the log file.
org.apache.ws.security.processor.UsernameTokenProcessor file from TRUNK:
    public WSUsernameTokenPrincipal handleUsernameToken(Element token, CallbackHandler cb)
        throws WSSecurityException {
        if (cb == null) {
            throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
        }
        //
        // Parse the UsernameToken element
        //
        ut = new UsernameToken(token, allowNamespaceQualifiedPasswordTypes);
        ut.setPasswordsAreEncoded(passwordsAreEncoded);
        String user = ut.getName();
        String password = ut.getPassword();
        String nonce = ut.getNonce();
        String createdTime = ut.getCreated();
        String pwType = ut.getPasswordType();
        if (log.isDebugEnabled()) {
            log.debug("UsernameToken user " + user);
            // The password extracted from the token is written to the log verbatim.
            log.debug("UsernameToken password " + password);
        }
I think from a security stand point it is wrong to log the password.
In production environments for instance I want to log the username, but can't
do that without logging the password as well.
I say either remove the password from logging or add a
log.info("UsernameToken user " + user); -> At INFO level
Thanks.
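As an added illustration of the change this report asks for (example code written for this page, not part of WSS4J or the reporter's patch), the following self-contained Java class shows the logging block rewritten so that the username is logged at INFO and the token metadata at debug level, while the password never reaches a log record. ParsedUsernameToken is a constructed stand-in for the real UsernameToken class, java.util.logging is used instead of the project's logger (its FINE level plays the role of DEBUG), and the token values in main are constructed sample data.

```java
import java.util.logging.Filter;
import java.util.logging.Level;
import java.util.logging.Logger;

// Constructed stand-in for a parsed UsernameToken (not the WSS4J class).
final class ParsedUsernameToken {
    private final String name;
    private final String password;      // the secret; must never reach a log
    private final String passwordType;
    private final String nonce;
    private final String created;

    ParsedUsernameToken(String name, String password, String passwordType,
                        String nonce, String created) {
        this.name = name;
        this.password = password;
        this.passwordType = passwordType;
        this.nonce = nonce;
        this.created = created;
    }

    String getName() { return name; }
    String getPassword() { return password; }
    String getPasswordType() { return passwordType; }
    String getNonce() { return nonce; }
    String getCreated() { return created; }

    // toString omits the password, so even an accidental log.fine("token " + ut)
    // cannot leak it.
    @Override
    public String toString() {
        return "UsernameToken[user=" + name + ", pwType=" + passwordType
            + ", nonce=" + nonce + ", created=" + created + ", password=<redacted>]";
    }
}

public final class UsernameTokenLogging {
    private static final Logger log = Logger.getLogger(UsernameTokenLogging.class.getName());

    // The diagnostic line that is safe to emit: user name and metadata, never the secret.
    static String safeDescription(ParsedUsernameToken ut) {
        return "UsernameToken user " + ut.getName()
            + " pwType " + ut.getPasswordType()
            + " noncePresent " + (ut.getNonce() != null)
            + " created " + ut.getCreated();
    }

    // Hardened counterpart of the handler's logging block: username at INFO
    // (as the report suggests), remaining metadata at debug (FINE), password nowhere.
    static void logToken(ParsedUsernameToken ut) {
        log.info("UsernameToken user " + ut.getName());
        if (log.isLoggable(Level.FINE)) {
            log.fine(safeDescription(ut));
        }
    }

    // Check used by tests or a log-scrubbing layer: does a message carry the secret verbatim?
    static boolean leaksSecret(String logMessage, String secret) {
        return secret != null && !secret.isEmpty() && logMessage.contains(secret);
    }

    // Last line of defence: a Filter installed on the logger that masks the secret if
    // some other code path still formats it into a record.
    static Filter redactingFilter(String secret) {
        return record -> {
            String m = record.getMessage();
            if (m != null && leaksSecret(m, secret)) {
                record.setMessage(m.replace(secret, "<redacted>"));
            }
            return true;
        };
    }

    public static void main(String[] args) {
        // Constructed sample token; the password value is not a real credential.
        ParsedUsernameToken ut = new ParsedUsernameToken(
            "alice", "constructed-sample-password", "PasswordText",
            "bm9uY2U=", "2010-01-01T00:00:00Z");

        log.setFilter(redactingFilter(ut.getPassword()));
        log.setLevel(Level.FINE);
        logToken(ut);

        String msg = safeDescription(ut);
        if (leaksSecret(msg, ut.getPassword())) {
            throw new IllegalStateException("password leaked into a log message");
        }
        System.out.println("safe log line: " + msg);
    }
}
```

The important design choice is that the password is kept out of the message at the call site rather than relying on the filter: the filter only catches the exact secret string, so it would not mask a digest or a re-encoded form, and it is meant as a safety net for code you do not control. The redacting toString is what keeps a future "log the whole token object" change from reintroducing the leak.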
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.