
Bug 1210388

Summary: Plain text password is logged at DEBUG level when FORM-based authentication is used
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Marián Macik <mmacik>
Component: Security
Assignee: baranowb <bbaranow>
Status: CLOSED CURRENTRELEASE
QA Contact: Radim Hatlapatka <rhatlapa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.4.0
CC: anmiller, bbaranow, bdawidow, bmaxwell, jawilson, pskopek, rhatlapa, rmaucher
Target Milestone: CR1
Target Release: EAP 6.4.4
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-17 10:54:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1065315, 1235744, 1246519

Description Marián Macik 2015-04-09 14:58:58 UTC
Description of problem:

When FORM-based authentication is used, the plain text password can be seen in server.log when DEBUG level logging is active.

Steps to Reproduce:
1. Create application/site with FORM-based authentication.
2. Set logging level to DEBUG in standalone.xml and start the server.
3. Deploy.
4. Log in.
5. Search for "&j_password=" in server.log file.

Expected results:
Password should not be visible in a log as plain text.

It is a similar problem to BZ1063645 (see also), but that one was only verified with the HTTP Basic authentication method.
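As an added example (not part of the bug report or of EAP itself), the check from step 5 can be automated from the defender's side: scan a server.log for leaked form-login parameters and produce a redacted copy that is safe to attach to a ticket. The log lines below are constructed to mimic a DEBUG parameter dump; they are not real EAP output.

```python
import re

# Constructed sample resembling a DEBUG-level request parameter dump after a
# FORM login; the timestamps, logger names and values are made up.
SAMPLE_LOG = """\
2015-04-09 14:58:58,123 DEBUG [org.apache.catalina.connector] (http-/127.0.0.1:8080-1) Parsing request parameters
2015-04-09 14:58:58,124 DEBUG [org.apache.catalina.connector] (http-/127.0.0.1:8080-1) Parameters: j_username=alice&j_password=Sup3rSecret&submit=Login
2015-04-09 14:58:58,130 INFO  [org.jboss.web] (ServerService Thread Pool -- 58) Registered web context: /app
"""

# Form-login field names whose values must never appear in a log file.
# j_password is the standard servlet FORM auth field; extend as needed.
SENSITIVE_PARAMS = ("j_password",)
SENSITIVE_RE = re.compile(
    r"(?P<name>" + "|".join(map(re.escape, SENSITIVE_PARAMS)) + r")=(?P<value>[^&\s]*)"
)


def find_exposures(log_text):
    """Return (line_number, parameter_name) for each leaked credential.

    The secret value itself is deliberately not returned, so the result can
    be reported without re-leaking the password.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in SENSITIVE_RE.finditer(line):
            hits.append((lineno, match.group("name")))
    return hits


def redact(log_text):
    """Return the log with every sensitive parameter value replaced by '***'.

    Non-sensitive parameters (for example j_username) are left intact so the
    redacted log still shows which account the request concerned.
    """
    return SENSITIVE_RE.sub(lambda m: f"{m.group('name')}=***", log_text)


if __name__ == "__main__":
    for lineno, name in find_exposures(SAMPLE_LOG):
        print(f"line {lineno}: value of '{name}' is exposed in plain text")
    print(redact(SAMPLE_LOG))
```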

Comment 6 Rémy Maucherat 2015-05-20 11:28:40 UTC
This is debug dump logging for all parameters; this has nothing to do with form.

Similarly, there are request dumps filters that can be enabled and log the same thing, but I agree it is more legitimate there.

Comment 11 Rémy Maucherat 2015-09-01 11:56:34 UTC
r2624 in web.

Comment 12 Radim Hatlapatka 2015-09-23 14:28:11 UTC
Verified with EAP 6.4.4.CP.CR3

Comment 13 Petr Penicka 2017-01-17 10:54:55 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

Comment 14 Petr Penicka 2017-01-17 10:55:51 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.