11 Replies Latest reply on Oct 10, 2008 12:16 PM by anil.saldhana

    Masking passwords in logs

    mmoyses

      I was given a task to mask passwords that appear in the logs, as it's a security flaw to expose such information.
      So far I have identified XSLSubDeployer, ServiceConfigurator and ServiceDeploymentDeployer as the classes that parse the information in the XMLs and eventually print a password in plain text in the log for debug purposes.
      I have committed a change to mask these passwords, but as Ales pointed, this is not a generic solution.
      I am opening this thread so we can discuss a better solution for this. Please contribute with your ideas.

        • 1. Re: Masking passwords in logs
          alesj

          My initial post to Marcus:

          "alesj" wrote:

          This is not the way to do it. ;-)

          1) if eventually done is such non-generic way, there should be at least just one place to do it - e.g. MaskPasswordHelper in jboss-commons

          2) it should be done generic
          e.g. user might want to mask other attributes as well

          @MaskIt
          public void setFoo(String foo)

          3) there should be a set of default masking attributes
          this set should be configurable


          • 2. Re: Masking passwords in logs
            alesj

             

            "alesj" wrote:

            2) it should be done generic
            e.g. user might want to mask other attributes as well

            @MaskIt
            public void setFoo(String foo)

            As this masking is done in parse state,
            there is no way to get annotations, so this idea fails.

            • 3. Re: Masking passwords in logs
              alesj

              Leaving us with 1) and 3) - joining the two items.

              Perhaps there is no need to put this into commons,
              since it's really an implementation detail of AS.

              I would then put it somewhere in AS,
              making it as configurable as possible,
              and definitely used by all - single point of masking.

              • 4. Re: Masking passwords in logs

                Why doesn't this solve the problem?
                http://www.jboss.org/community/docs/DOC-9350
                http://www.jboss.org/community/docs/DOC-9703

                Even if you mask the password in the log, if it is an MBean attribute, it will
                be visible via JMX (and the user has access).

                Additionally since we recommend changing the log level to INFO
                for production anyway, none of this will appear in the log.

                • 5. Re: Masking passwords in logs
                  mmoyses

                  Adrian,
                  the problem is that datasources and JCA login modules are not the only place where passwords are in plain text. There are some mbeans that don't provide a means for encryption, like SuckerPassword from messaging-service.xml, suckerPassword from messaging-jboss-beans.xml or Password from mail-service.xml.

                  • 6. Re: Masking passwords in logs

                     

                    "mmoyses" wrote:
                    Adrian,
                    the problem is that datasources and JCA login modules are not the only place where passwords are in plain text. There are some mbeans that don't provide a means for encryption, like SuckerPassword from messaging-service.xml, suckerPassword from messaging-jboss-beans.xml or Password from mail-service.xml.


                    Then these need to be fixed to accept security-domain configurations.

                    • 7. Re: Masking passwords in logs
                      anil.saldhana

                       

                      "adrian@jboss.org" wrote:
                      Why doesn't this solve the problem?
                      http://www.jboss.org/community/docs/DOC-9350
                      http://www.jboss.org/community/docs/DOC-9703

                      That solves the issue for JCA. But what if the user has not done the encryption and log is set to debug (community version). Logs are long lived beasts. I only have an issue with JBoss core infrastructure chewing out attribute values in debug mode when the values can be passwords.

                      "adrian@jboss.org" wrote:

                      Even if you mask the password in the log, if it is an MBean attribute, it will
                      be visible via JMX (and the user has access).


                      If we try to fix this. It will only get complicated. Visually, it would prohibit the update of the password.

                      "adrian@jboss.org" wrote:

                      Additionally since we recommend changing the log level to INFO
                      for production anyway, none of this will appear in the log.


                      I am not sure that everyone follows the recommendations.

                      We are not trying to make passwords totally invisible. All we are trying to do is a trivial mask to passwords in the log (we may not get a 100% hit with the masking).


                      • 8. Re: Masking passwords in logs
                        anil.saldhana

                         

                        "adrian@jboss.org" wrote:
                        "mmoyses" wrote:
                        Adrian,
                        the problem is that datasources and JCA login modules are not the only place where passwords are in plain text. There are some mbeans that don't provide a means for encryption, like SuckerPassword from messaging-service.xml, suckerPassword from messaging-jboss-beans.xml or Password from mail-service.xml.


                        Then these need to be fixed to accept security-domain configurations.


                        I agree. We need to make these accept Password based encryption (PBE) schemes.

                        • 9. Re: Masking passwords in logs

                           

                          "adrian@jboss.org" wrote:
                          "mmoyses" wrote:
                          Adrian,
                          the problem is that datasources and JCA login modules are not the only place where passwords are in plain text. There are some mbeans that don't provide a means for encryption, like SuckerPassword from messaging-service.xml, suckerPassword from messaging-jboss-beans.xml or Password from mail-service.xml.


                          Then these need to be fixed to accept security-domain configurations.


                          Or more accurately, SubjectFactory injection:
                          https://jira.jboss.org/jira/browse/JBAS-5067

                          • 10. Re: Masking passwords in logs

                             

                            "anil.saldhana@jboss.com" wrote:

                            "adrian@jboss.org" wrote:

                            Even if you mask the password in the log, if it is an MBean attribute, it will
                            be visible via JMX (and the user has access).


                            If we try to fix this. It will only get complicated. Visually, it would prohibit the update of the password.


                            The MBeans could be coded such that there is no getPassword()?
                            i.e. they are write only.

                            • 11. Re: Masking passwords in logs
                              anil.saldhana

                              https://jira.jboss.org/jira/browse/JBAS-6073
                              I created a Jira issue for migration of password based configuration.