On Tue, Jun 18, 2019 at 9:28 PM pavan landge <pavanlandge...@gmail.com> wrote:
>
>
> ---------- Forwarded message ---------
> From: pavan landge <pavanlandge...@gmail.com>
> Date: Thu 13 Jun, 2019, 3:30 PM
> Subject: Axis2: Security Bug Severity 1
> To: <java-user-subscr...@axis.apache.org>
> Cc: pavan landge <pavanlandge...@gmail.com>
>
>
> Hi Team,
>
> I am using the Axis2 jar for SOAP (Request/Response). In log4j (Logger) I am
> enabling the logs to check whether the parameters passed in the SOAP envelope
> are correct or not.
> I can see in the SOAP envelope the *PASSWORD* is getting displayed.
>
>

From an Axis2 security perspective, the WEB-INF/classes/log4j.properties that is shipped defaults to INFO level; you won't see this unless you purposely change the level and also are not encrypting your own sensitive user data. We suggest not doing that. We can't prevent bad practices, though, should you choose to do so. If you really need to send the passwords etc. unencrypted, you can always use RAMPART to encrypt the payload body and use a digital signature to verify the integrity.

Regards,
Robert
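The thread above is about a SOAP envelope, password included, landing in the application log once Axis2 logging is raised to DEBUG. Besides keeping the shipped INFO level, a defensive measure on the logging side is to scrub credential-bearing elements from the envelope before it is written anywhere. The class below is an added example written for this page; it is not Axis2 or Rampart code and does not come from the thread. It assumes the envelope is available as a string at the point where it would be logged (for instance in a custom handler or log appender, which is an assumption about the deployment), and it redacts every element whose local name is `Password` in any namespace, which covers a WS-Security `wsse:Password` header as well as application-defined elements of the same name. The sample envelope in `main` is constructed for the demonstration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/**
 * Added example (not part of Axis2): masks credential elements in a SOAP
 * envelope so that debug logging of the message does not leak passwords.
 */
public class SoapLogRedactor {

    // Local names treated as sensitive regardless of namespace. Extend for
    // application-specific element names; these three are illustrative.
    private static final String[] SENSITIVE_LOCAL_NAMES = {"Password", "password", "Passwd"};

    private static final String MASK = "***REDACTED***";

    /** Returns a copy of the envelope with sensitive element text replaced by MASK. */
    public static String redact(String envelopeXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // The redactor parses untrusted input; refuse DTDs so it cannot become an XXE sink.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(envelopeXml)));

        for (String name : SENSITIVE_LOCAL_NAMES) {
            // "*" matches every namespace, so wsse:Password and a plain <Password> both match.
            NodeList nodes = doc.getElementsByTagNameNS("*", name);
            for (int i = 0; i < nodes.getLength(); i++) {
                Element element = (Element) nodes.item(i);
                element.setTextContent(MASK);
            }
        }

        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        transformer.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a WS-Security UsernameToken header plus a body field
        // that also carries a password.
        String envelope =
            "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\""
            + " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">"
            + "<soapenv:Header><wsse:Security><wsse:UsernameToken>"
            + "<wsse:Username>alice</wsse:Username>"
            + "<wsse:Password>hunter2</wsse:Password>"
            + "</wsse:UsernameToken></wsse:Security></soapenv:Header>"
            + "<soapenv:Body><login xmlns=\"urn:example\">"
            + "<user>alice</user><password>hunter2</password>"
            + "</login></soapenv:Body></soapenv:Envelope>";

        String safeForLog = redact(envelope);
        // Both "hunter2" occurrences are gone; usernames and structure are intact.
        System.out.println(safeForLog);
        if (safeForLog.contains("hunter2")) {
            throw new IllegalStateException("redaction failed");
        }
    }
}
```

The redaction is applied to a parsed copy, so the original message that Axis2 processes is untouched; only the string handed to the logger is masked. Element names are matched after namespace-aware parsing rather than by regular expression, which avoids missing a `Password` element that uses a different prefix or namespace declaration.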