Password printed in JBoss server.log

drsm Nov 19, 2007 8:49 AM

Hi!

I have a problem running an application on Jboss 4.0.5 and RichFaces 3.1.0 enabled. When I log in this application, my password is shown in server.log when DEBUG is enabled, in a line like this:

2007-11-14 15:57:30,976 DEBUG [org.ajax4jsf.renderkit.AjaxContainerRenderer] Request parameters map {javax.faces.ViewState=rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAN0AARfaWQzcHQACi9sb2dpbi5qc3A=, _idJsp0:_idcl=, _idJsp0:_idJsp8= PASSWORD , autoScroll=, _idJsp0:_idJsp11=Entrar, _idJsp0:_idJsp5=daniel, _idJsp0_SUBMIT=1, _idJsp0:_link_hidden_=}

I have three environments in my organization (development, testing and production) and I can't control who can enable the Debug level and see the server.log files in each environment.

This parameter is acquired in a JSP code using h:inputSecret, like this:
<h:inputSecret value="#{autenticador.senha}" maxlength="8" size="10"/>

I think it is a security problem in org.ajax4jsf.renderkit.AjaxContainerRenderer class, because it is not necessary to show secret information in the log file.

Is there any way to hide this password parameter value?

Thanks,

Daniel

1. Re: Password printed in JBoss server.log

drsm Dec 7, 2007 12:20 PM (in response to drsm)

Can anyone help me with this topic?

Thanks.

Daniel
Actions
2. Re: Password printed in JBoss server.log

alexsmirnov Dec 7, 2007 12:58 PM (in response to drsm)

There is only one way to remove debug information from the log files - decrease log level to ERROR or FATAL.
For a production server, it is necessary for a performance reasons too, so DEBUG log level can decrease performance by 3-5 times.
Anyway, I will remove this debug point for a next release.
You can watch status of the http://jira.jboss.com/jira/browse/RF-1564.
Actions

Go to original post