[
https://issues.apache.org/jira/browse/JAMES-3420?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Benoit Tellier closed JAMES-3420.
---------------------------------
Fix Version/s: 3.6.0
Resolution: Fixed
https://github.com/linagora/james-project/pull/3876 contributed this
> WebAdmin request logging should not log password
> ------------------------------------------------
>
> Key: JAMES-3420
> URL: https://issues.apache.org/jira/browse/JAMES-3420
> Project: James Server
> Issue Type: Bug
> Components: webadmin
> Reporter: Benoit Tellier
> Priority: Major
> Fix For: 3.6.0
>
>
> = Why?
> Logging user passwords is an obvious security bad practice.
> Request logging should avoid logging user passwords.
> = When?
> The body of the webadmin request is logged as part of the MDC.
> Only users enabling structured logging are exposed; the default configuration
> is not.
> The incriminated logger is org.apache.james.webadmin.mdc.LoggingRequestFilter
> Users relying on an LDAP are not impacted.
> = How?
> Allow overrides of the RequestLogger for specific routes, given a request
> predicate.
> That way we would be able to not log the payload of the request (password)
> upon user creation & password updates.
> = Definition of done
> {code:java}
> Upon user creation via webadmin
> A request log is emitted
> This request log does not contain the request body.
> {code}
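The predicate-based override described under "How?" above, as an added illustration that is not James' own code: a default logger that records the request body into MDC-style fields, an override that redacts it, and a router that applies the override only to routes matching a predicate. The request model, the logger names and the assumed route shape for user creation and password updates (PUT /users/{username}) are assumptions made for this example.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

public class RedactedRequestLoggingDemo {
    // Minimal request model constructed for this example (not James' own types).
    record Request(String method, String path, String body) {}

    // A request logger yields the MDC fields recorded for one request.
    interface RequestLogger { Map<String, String> mdcFields(Request r); }

    // Default behaviour described in the issue: the request body lands in the MDC.
    static Map<String, String> logWithBody(Request r) {
        Map<String, String> mdc = new LinkedHashMap<>();
        mdc.put("method", r.method());
        mdc.put("path", r.path());
        mdc.put("body", r.body());
        return mdc;
    }

    // Override for credential-carrying routes: same fields, body replaced by a marker.
    static Map<String, String> logWithoutBody(Request r) {
        Map<String, String> mdc = logWithBody(r);
        mdc.put("body", "<redacted>");
        return mdc;
    }

    // Applies the first override whose predicate matches the request, else the default.
    static RequestLogger routing(List<Map.Entry<Predicate<Request>, RequestLogger>> overrides,
                                 RequestLogger fallback) {
        return r -> overrides.stream()
            .filter(e -> e.getKey().test(r))
            .findFirst()
            .map(e -> e.getValue().mdcFields(r))
            .orElseGet(() -> fallback.mdcFields(r));
    }

    public static void main(String[] args) {
        // Assumed route shape for user creation and password updates: PUT /users/{username}.
        Predicate<Request> userUpsert = r -> "PUT".equals(r.method()) && r.path().startsWith("/users/");
        RequestLogger redacting = RedactedRequestLoggingDemo::logWithoutBody;
        RequestLogger logger = routing(List.of(Map.entry(userUpsert, redacting)),
                                       RedactedRequestLoggingDemo::logWithBody);
        // Constructed sample requests: the password never reaches the MDC, other bodies still do.
        System.out.println(logger.mdcFields(
            new Request("PUT", "/users/[email protected]", "{\"password\":\"s3cret\"}")));
        System.out.println(logger.mdcFields(new Request("GET", "/domains", "")));
    }
}
```

The predicate is deliberately keyed on method and path prefix rather than on body content, so the decision to redact is made before any credential is inspected or formatted.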