
Logging Password Data: Authentication

Overview

The user authentication code logs credentials (the user's password) in clear text. Credentials must never be recorded in the logs.

An issue has been created.

Workaround

Until this issue is resolved, set the debug level to 0 (zero). At that level no request data, including password data, is written to the logs.

Scope

There are several mechanisms that can cause password data to be written to a log file. This table lists all known mechanisms that would need to be modified.

Name: Servlet Filter
Description: The ServletAuthFilter collects HTTP header data, which may include the user's password. The HTTP headers are written to the log file when debugging is turned on.
Used classes: ServletAuthFilter

Name: Id/Password Authenticator
Description: The ServletAuthFilter can (if configured) invoke an Authenticator that processes the user's id and password. The user's password may be written to the log file when debugging is turned on.
Used classes: Authenticator, IdPassAuthenticator, IdPassServiceAuthenticator, IdPassSystemAuthenticator

Servlet Filter

A prototype design encrypts header values whose name is password, so the encrypted value, rather than the clear-text value, is shown in the logs. Note that encryption is reversible by anyone who holds the key, so the key must be kept away from the people and systems that read the logs; a fixed mask that reveals nothing about the value is the safer default if the logged value is not needed for anything.

Id/Password Authenticator

The same prototype design applies here: values whose name is password are encrypted before being logged, so the encrypted value, rather than the clear-text value, is shown. Each of the Authenticator classes listed in the scope table writes its own log lines and must be changed individually.
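The following is an added example, not code from this project, showing how both the Servlet Filter and the Id/Password Authenticator log lines could be built from redacted values instead of raw ones. The class LogRedactor, its nested HeaderLoggingFilter, the fixed mask, and the sample request values are all assumptions made here for illustration; it masks rather than encrypts, and it also treats the Authorization header as sensitive (a generalization beyond the page, since Basic authentication carries the password there). The filter part needs the javax.servlet API on the classpath; the main method uses constructed values only.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical helper (not the project's own class): masks credential-bearing values before they reach a log line. */
public final class LogRedactor {
    private static final String MASK = "********";
    private final Set<String> sensitiveNames;

    public LogRedactor(Collection<String> names) {
        Set<String> lowered = new HashSet<>();
        for (String n : names) {
            lowered.add(n.toLowerCase(Locale.ROOT));
        }
        this.sensitiveNames = Collections.unmodifiableSet(lowered);
    }

    /** "password" is the name the page discusses; "authorization" is an assumption added here for Basic credentials. */
    public static LogRedactor defaults() {
        return new LogRedactor(Arrays.asList("password", "authorization"));
    }

    /** Name comparison is case-insensitive because HTTP header names are. */
    public boolean isSensitive(String name) {
        return name != null && sensitiveNames.contains(name.toLowerCase(Locale.ROOT));
    }

    /** Returns a fixed mask for sensitive names; the mask does not leak the value's length. */
    public String redact(String name, String value) {
        return isSensitive(name) ? MASK : value;
    }

    /** Renders name=value pairs for a debug line: request headers in the filter, id/password in an Authenticator. */
    public String format(Map<String, List<String>> pairs) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, List<String>> e : pairs.entrySet()) {
            for (String v : e.getValue()) {
                if (sb.length() > 0) sb.append("; ");
                sb.append(e.getKey()).append('=').append(redact(e.getKey(), v));
            }
        }
        return sb.toString();
    }

    /** Filter sketch showing where ServletAuthFilter-style header logging would call the redactor. */
    public static final class HeaderLoggingFilter implements Filter {
        private static final Logger LOG = Logger.getLogger(HeaderLoggingFilter.class.getName());
        private final LogRedactor redactor = LogRedactor.defaults();

        @Override public void init(FilterConfig config) { }
        @Override public void destroy() { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            // Build the log line only when debug logging is on, and never from raw header values.
            if (LOG.isLoggable(Level.FINE) && req instanceof HttpServletRequest) {
                HttpServletRequest http = (HttpServletRequest) req;
                Map<String, List<String>> headers = new LinkedHashMap<>();
                Enumeration<String> names = http.getHeaderNames();
                while (names != null && names.hasMoreElements()) {
                    String name = names.nextElement();
                    headers.put(name, Collections.list(http.getHeaders(name)));
                }
                LOG.fine("request headers: " + redactor.format(headers));
            }
            chain.doFilter(req, res);
        }
    }

    /** Constructed sample input, not a captured request. */
    public static void main(String[] args) {
        Map<String, List<String>> headers = new LinkedHashMap<>();
        headers.put("Host", Collections.singletonList("example.test"));
        headers.put("Password", Collections.singletonList("hunter2"));
        headers.put("Authorization", Collections.singletonList("Basic YWxpY2U6aHVudGVyMg=="));
        Map<String, List<String>> idPass = new LinkedHashMap<>();
        idPass.put("id", Collections.singletonList("alice"));
        idPass.put("password", Collections.singletonList("hunter2"));

        LogRedactor r = LogRedactor.defaults();
        System.out.println(r.format(headers));
        System.out.println(r.format(idPass));
    }
}
```

Gating the log line on LOG.isLoggable(Level.FINE) mirrors the debug level 0 workaround above, but the redaction is what removes the clear-text password from the logs at every debug level. The same redactor can be handed to each of the Authenticator classes so that their id/password log lines go through format() rather than concatenating the raw password.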