Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1065315

Summary: Plaintext password is logged in server.log if enabling DEBUG for BPM Suite 6
Product: [Retired] JBoss BPMS Platform 6 Reporter: Amana <ajuricic>
Component: Business CentralAssignee: Alexandre Porcelli <porcelli>
Status: CLOSED EOL QA Contact: Marián Macik <mmacik>
Severity: low Docs Contact:
Priority: high    
Version: 6.0.0CC: ajuricic, bbaranow, kverlaen, mbaluch, rrajasek
Target Milestone: CR1   
Target Release: 6.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-27 20:07:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1210388    
Bug Blocks:    

Description Amana 2014-02-14 10:47:10 UTC 
** Description of problem:

When the JBoss EAP 6.1.1 (on which it is installed BPM Suite 6) is started with DEBUG enabled, the password is logged in server.log after logging into business-central.

13:36:37,595 DEBUG [org.apache.coyote.http11] (http-/10.10.7.34:8080-1) JBWEB003028: Start processing with input [j_username=jroy&j_password=Passboba123%21]

** Version-Release number of selected component (if applicable):

BPM Suite/BRMS6 GA

** How reproducible:

Always

** Steps to Reproduce:

1. Enable DEBUG in standalone.xml as follows:

            <root-logger>
                <level name="DEBUG"/>
                <handlers>
                    <handler name="CONSOLE"/>
                    <handler name="FILE"/>
                </handlers>
            </root-logger>

2. Start the server
3. Logging into business-central
4. Look for "&j_password=" in server.log

** Actual results:

13:36:37,595 DEBUG [org.apache.coyote.http11] (http-/10.10.7.34:8080-1) JBWEB003028: Start processing with input [j_username=jroy&j_password=Passboba123%21]

** Expected results:

Password should not be logged in server.log or it should be encrypted.
Comment 2 Alexandre Porcelli 2014-02-24 14:56:35 UTC 
This doesn't look like a BRMS/BPMS issue, it looks like an issue with TOMCAT/JBOSS. Seems that are other people facing simular issues:

http://stackoverflow.com/questions/21471190/how-to-configure-jboss-tomcat-to-prevent-j-password-plain-text-content-in-log-fi

(i'm not sure if we can workaournd this)
Comment 7 Marek Baluch 2014-09-09 13:40:23 UTC 
Attempted to verify using EAP 6.3 GA located here:

http://download.devel.redhat.com/released/JBEAP-6/6.3.0/jboss-eap-6.3.0.zip

and BPMS 6.1.0.DR2.

This is not yet fixed.
Comment 8 Rajesh Rajasekaran 2014-12-08 21:00:32 UTC 
(In reply to Marek Baluch from comment #7)
> Attempted to verify using EAP 6.3 GA located here:
> 
> http://download.devel.redhat.com/released/JBEAP-6/6.3.0/jboss-eap-6.3.0.zip
> 
> and BPMS 6.1.0.DR2.
> 
> This is not yet fixed.

The EAP team has verified this issue with EAP 6.3.0 - https://bugzilla.redhat.com/show_bug.cgi?id=1063645
Can you check with the EAP QE team to see how this was addressed?
Comment 9 Kris Verlaenen 2015-02-06 12:38:37 UTC 
Moving to MODIFIED for verification.
Comment 11 Alexandre Porcelli 2015-11-16 15:16:36 UTC 
Moving to MODIFIED for verification.
Comment 12 Marián Macik 2015-11-23 11:54:43 UTC 
A password is no longer present in the logs with 6.2.0.CR1. Marking as verified.