Bug 1080615

Summary: Enabling audit logging causes passwords to be logged in plain text
Product: [JBoss] JBoss Enterprise Application Platform 6
Component: Logging
Version: 6.1.1
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: unspecified
Target Release: EAP 6.3.0
Hardware: x86_64
OS: Linux
Type: Bug
Doc Type: Bug Fix
Reporter: Toufic Arabi <tarabi>
Assignee: James Perkins <jperkins>
QA Contact: Nikoleta Hlavickova <nziakova>
Docs Contact: Russell Dickenson <rdickens>
CC: brian.stansberry, jsightle
Last Closed: 2014-07-21 10:51:52 UTC

Attachments:
WAR file to illustrate password being logged in plain text in audit log (flags: none)

Description Toufic Arabi 2014-03-25 19:19:46 UTC
Created attachment 878644
WAR file to illustrate password being logged in plain text in audit log

Description of problem:


Version-Release number of selected component (if applicable): 6.2


How reproducible:


Steps to Reproduce:
configure audit logging (tested in domain mode)
<periodic-rotating-file-handler name="AUDIT" autoflush="true">
    <level name="TRACE"/>
    <formatter>
        <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
    </formatter>
    <file relative-to="jboss.server.log.dir" path="audit.log"/>
    <suffix value=".yyyy-MM-dd"/>
    <append value="true"/>
</periodic-rotating-file-handler>
<logger category="org.jboss.security.audit">
    <level name="TRACE"/>
    <handlers>
        <handler name="AUDIT"/>
    </handlers>
</logger>

deploy the attached WAR file. Inspired by https://community.jboss.org/wiki/JBossAS7SecurityAuditing

create an application realm user with role testuser

hit http://host_name:port/form-auth
check ./domain/servers/server-one/log/audit.log

Actual results:
audit log file shows the password (jboss), passed in plain text, on failure or success

13:10:33,904 TRACE [org.jboss.security.audit] (http-/127.0.0.1:8080-1) [Failure]Source=org.jboss.as.web.security.JBossWebRealm;principal=null;request=[/form-auth:cookies=[Ljavax.servlet.http.Cookie;@1a79bc1c:headers=host=localhost:8080,user-agent=Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0,accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,accept-language=en-US,en;q=0.5,accept-encoding=gzip, deflate,referer=http://localhost:8080/form-auth/,cookie=JSESSIONID=BLxowDb3SAjFpOS7dVPHzOqE,connection=keep-alive,content-type=application/x-www-form-urlencoded,content-length=34,][parameters=jboss::,toufic::,][attributes=];

13:54:38,392 TRACE [org.jboss.security.audit] (http-localhost/127.0.0.1:8080-1) [Failure]Source=org.jboss.as.web.security.JBossWebRealm;principal=null;request=[/form-auth:cookies=[Ljavax.servlet.http.Cookie;@53465e1a:headers=host=localhost:8080,user-agent=Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0,accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,accept-language=en-US,en;q=0.5,accept-encoding=gzip, deflate,referer=http://localhost:8080/form-auth/,cookie=JSESSIONID=4I10J3r8gF9djExoBfwCTm2A,connection=keep-alive,content-type=application/x-www-form-urlencoded,content-length=34,][parameters=toufic::,jboss::,][attributes=];


Expected results:
remove password from audit log

Additional info:

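The two audit lines above show the security-relevant detail: the JBossWebRealm audit entry serialises every submitted form field inside a `[parameters=...]` block, and because the block carries values only (each ending in `::,`), the password cannot be told apart from the username, and the order differs between the two lines. A defender who enabled this category of audit logging therefore has to find which existing log files already hold credentials and scrub them. The script below is an added example, not code from the bug report or from JBoss: it scans log lines for audit entries that expose form parameters and produces a redacted copy that masks the whole block. The entry format is taken from the lines in the report; the sample log is constructed and shortened, and the names `scan`, `extract_parameters`, `is_exposing` and `redact` are the example's own.

```python
"""Find and redact form parameters leaked into a JBoss EAP 6 security-audit log.

Added example: the "[parameters=value::,value::,]" shape is the one shown in
the bug report's audit lines; everything else here is an assumption of this
example, and the sample log below is constructed.
"""
import re

# The submitted form fields sit between "[parameters=" and the next "]".
# The block holds values only, so the whole block is treated as credential
# material: there is no field name to tell the password from the username.
PARAMS_RE = re.compile(r"\[parameters=(?P<body>[^\]]*)\]")
AUDIT_CATEGORY = "[org.jboss.security.audit]"
REDACTED = "[parameters=<redacted>]"

# Constructed sample: one failed login (parameters exposed), one entry with
# an empty parameter block, one unrelated server line.
SAMPLE_LOG = """\
13:10:33,904 TRACE [org.jboss.security.audit] (http-/127.0.0.1:8080-1) [Failure]Source=org.jboss.as.web.security.JBossWebRealm;principal=null;request=[/form-auth:headers=host=localhost:8080,content-type=application/x-www-form-urlencoded,][parameters=jboss::,toufic::,][attributes=];
13:10:34,120 TRACE [org.jboss.security.audit] (http-/127.0.0.1:8080-1) [Success]Source=org.jboss.as.web.security.JBossWebRealm;principal=toufic;request=[/form-auth:headers=host=localhost:8080,][parameters=][attributes=];
13:10:35,001 INFO  [org.jboss.as.server] (ServerService Thread Pool -- 1) Deployed "form-auth.war"
"""


def extract_parameters(line):
    """Return the parameter values an audit line exposes (empty list if none)."""
    match = PARAMS_RE.search(line)
    if not match:
        return []
    # Each item is written as "value::" followed by a comma; the trailing
    # comma leaves an empty final item, which is dropped.
    return [item.rstrip(":") for item in match.group("body").split(",") if item]


def is_exposing(line):
    """True when a security-audit entry carries at least one form parameter."""
    return AUDIT_CATEGORY in line and bool(extract_parameters(line))


def redact(line):
    """Mask a non-empty parameter block; lines without one are returned unchanged."""
    return PARAMS_RE.sub(
        lambda m: REDACTED if m.group("body") else m.group(0), line
    )


def scan(lines):
    """Scan log lines.

    Returns (findings, redacted_lines): findings is a list of
    (1-based line number, exposed values) for every exposing entry, and
    redacted_lines is the full log with every parameter block masked.
    """
    findings = []
    redacted_lines = []
    for number, line in enumerate(lines, start=1):
        if is_exposing(line):
            findings.append((number, extract_parameters(line)))
        redacted_lines.append(redact(line))
    return findings, redacted_lines


if __name__ == "__main__":
    found, cleaned = scan(SAMPLE_LOG.splitlines())
    for number, values in found:
        print("line %d exposes %d form parameter value(s)" % (number, len(values)))
    print("\n".join(cleaned))
```

Run it against a real `audit.log` by replacing `SAMPLE_LOG.splitlines()` with the file's lines. The findings tell you the scope of the exposure (which entries, how many values, over which rotated files); the redacted copy is what should be retained. Any credential that appears in the findings has been written to disk and possibly shipped to a log collector, so it should be treated as exposed regardless of the redaction.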
Comment 1 Nikoleta Hlavickova 2014-07-21 10:51:52 UTC
This issue was reported against an older EAP version and cannot be reproduced against the latest 6.3.0 bits, which means it was fixed earlier. Therefore, we are closing this bug. Thank you for reporting this issue.