> -----Original Message-----
> From: Thomas Schlosser [mailto:[email protected]]
> Sent: Tuesday, April 14, 2009 3:17 PM
> To: [email protected]
> Subject: [Stripes-users] Password Logging as plain text
>
> Hi,
> I have found out that stripes logs the values (also values from
> stripes-password-tag) as plain text, when the
> Validation-annotation is used with the required-param.
> 2009-04-14 17:13:08,246 DEBUG [http-8080-Processor25]
> (Log.java:183) - Checking required field: password, with
> values: [secret]

While I do not have a solution to pass along, I have a suggestion based on what we use here: a field annotation. @Secure, for example, prints on the object's toString method the last four digits of an SSN. Conceivably, one could have a @PasswordSecure annotation on the field that simply masks the whole field with "*" in the log.

>
> I think this is a security hole, therefore I wrote my own
> ActionBeanPropertyBinder and removed the logging of the value.
> But isn't it a general problem, which should be fixed in
> the DefaultActionBeanPropertyBinder?
>
> Cheers,
> Thomas

Regards,
Tim

Barclays
www.barclaycardus.com

_______________________________________________
Stripes-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-users
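
The @PasswordSecure idea from the reply, sketched as an added example (it is not part of the original thread and not Stripes code): a hypothetical field annotation plus a helper that builds the debug message and masks the values of annotated fields. `LoginBean`, `isSensitive`, `describe` and the sample values are constructed for illustration; only the message text mirrors the log line quoted in the thread.

```java
import java.lang.annotation.*;
import java.util.Arrays;

public class MaskedFieldLogging {
    // Hypothetical marker annotation; the name comes from the reply, it is not a Stripes API.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.FIELD)
    @interface PasswordSecure {}

    // Constructed sample bean standing in for an ActionBean.
    static class LoginBean {
        String username;
        @PasswordSecure String password;
    }

    // Fixed-width mask so the log does not reveal the length of the secret.
    static final String MASK = "*****";

    // True if the field (declared on the class or a superclass) carries @PasswordSecure.
    static boolean isSensitive(Class<?> type, String fieldName) {
        for (Class<?> c = type; c != null; c = c.getSuperclass()) {
            try {
                return c.getDeclaredField(fieldName).isAnnotationPresent(PasswordSecure.class);
            } catch (NoSuchFieldException e) {
                // Not declared on this class; continue with the superclass.
            }
        }
        return true; // Fail closed: a name that cannot be resolved is treated as sensitive.
    }

    // Builds the debug message, replacing each value of a sensitive field with the mask.
    static String describe(Class<?> beanType, String fieldName, String[] values) {
        String shown;
        if (values == null) {
            shown = "null";
        } else if (isSensitive(beanType, fieldName)) {
            String[] masked = new String[values.length];
            Arrays.fill(masked, MASK);
            shown = Arrays.toString(masked);
        } else {
            shown = Arrays.toString(values);
        }
        return "Checking required field: " + fieldName + ", with values: " + shown;
    }

    public static void main(String[] args) {
        System.out.println(describe(LoginBean.class, "username", new String[] {"alice"}));
        System.out.println(describe(LoginBean.class, "password", new String[] {"secret"}));
    }
}
```

Masking at the point where the message is built keeps the secret out of every appender, which a filter on one log destination would not guarantee.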
