2 Replies Latest reply on Dec 7, 2007 12:58 PM by Alexander Smirnov

    Password printed in JBoss server.log

    Daniel Monteiro Newbie


      I have a problem running an application on JBoss 4.0.5 with RichFaces 3.1.0 enabled. When I log in to this application, my password is shown in server.log when DEBUG is enabled, in a line like this:

      2007-11-14 15:57:30,976 DEBUG [org.ajax4jsf.renderkit.AjaxContainerRenderer] Request parameters map {javax.faces.ViewState=rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAN0AARfaWQzcHQACi9sb2dpbi5qc3A=, _idJsp0:_idcl=, _idJsp0:_idJsp8= PASSWORD , autoScroll=, _idJsp0:_idJsp11=Entrar, _idJsp0:_idJsp5=daniel, _idJsp0_SUBMIT=1, _idJsp0:_link_hidden_=}

      I have three environments in my organization (development, testing and production) and I can't control who can enable the Debug level and see the server.log files in each environment.

      This parameter is captured in JSP code using h:inputSecret, like this:
      <h:inputSecret value="#{autenticador.senha}" maxlength="8" size="10"/>

      I think it is a security problem in the org.ajax4jsf.renderkit.AjaxContainerRenderer class, because it is not necessary to show secret information in the log file.

      Is there any way to hide this password parameter value?
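While the renderer keeps logging the raw parameter map at DEBUG, a compensating control on the defender's side is to scrub the value of known secret parameters before the log leaves the server. The script below is an added example written for this thread, not code from the post or from RichFaces; it assumes the parameter-map line format quoted above, the generated client id `_idJsp0:_idJsp8` as the secret field, and a name-based fallback for applications with meaningful component ids.

```python
import re

# Constructed sample, modelled on the server.log line quoted in the post;
# the credential value is a placeholder, not a real password.
SAMPLE_LINE = (
    "2007-11-14 15:57:30,976 DEBUG [org.ajax4jsf.renderkit.AjaxContainerRenderer] "
    "Request parameters map {javax.faces.ViewState=rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7"
    "kM5YnxBzKWwCAAB4cAAAAAN0AARfaWQzcHQACi9sb2dpbi5qc3A=, _idJsp0:_idcl=, "
    "_idJsp0:_idJsp8= PASSWORD , autoScroll=, _idJsp0:_idJsp11=Entrar, "
    "_idJsp0:_idJsp5=daniel, _idJsp0_SUBMIT=1, _idJsp0:_link_hidden_=}"
)

# Assumed configuration: the generated client ids of h:inputSecret components.
# In the post the password field is submitted as "_idJsp0:_idJsp8".
SECRET_PARAMS = {"_idJsp0:_idJsp8"}
# Fallback for applications whose component ids carry meaning (assumption).
SECRET_NAME_RE = re.compile(r"password|passwd|pwd|senha|secret|token", re.I)

MAP_RE = re.compile(r"Request parameters map \{(.*)\}\s*$")
MASK = "***"


def parse_param_map(body):
    """Split 'k=v, k=v' into (key, value) pairs. Values such as the base64
    ViewState contain '=', so only the first '=' separates key from value."""
    pairs = []
    for entry in body.split(", "):
        key, _, value = entry.partition("=")
        pairs.append((key, value))
    return pairs


def redact_params(line, secret_params=SECRET_PARAMS):
    """Return the log line with secret parameter values replaced by MASK.
    Lines that carry no parameter map are returned unchanged."""
    m = MAP_RE.search(line)
    if m is None:
        return line
    cleaned = []
    for key, value in parse_param_map(m.group(1)):
        if key in secret_params or SECRET_NAME_RE.search(key):
            value = MASK
        cleaned.append(f"{key}={value}")
    return line[:m.start(1)] + ", ".join(cleaned) + line[m.end(1):]


def scrub_log(lines, secret_params=SECRET_PARAMS):
    """Apply redact_params to every line, e.g. before shipping server.log."""
    return [redact_params(line, secret_params) for line in lines]


if __name__ == "__main__":
    print(redact_params(SAMPLE_LINE))
```

Other parameter values, including the user name and the ViewState, are deliberately left untouched so the line stays useful for debugging.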