[CORE-158] JBoss server log contains password information when debug is turned on - i2b2 JIRA

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.7.04
Fix Version/s: 1.7.05
Component/s: PM Cell, XML
Labels:
None

Rank:
0|i001kn:

i2b2 Sponsored Project/s:

i2b2 Core

Affects Database/s:

All databases
Affects Web Browser/s:

All Web Browsers

Testing Notes:

Hide
Tested with Mike Mendis and the password no longer displays. The tags for the password are sent in the xml but the actually password is replaced with asterisks.

This issue is now working correctly and can be included in the 1.7.05 release.

Show
Tested with Mike Mendis and the password no longer displays. The tags for the password are sent in the xml but the actually password is replaced with asterisks. This issue is now working correctly and can be included in the 1.7.05 release.

Description

In the JBoss server log for the edu.harvard.i2b2.pm.ws.PMService::Received Request PDO Element, the user password is displaying in the <security> section.

Although this information is only displayed when the DEBUG level is turned on it can be problematic for those sites that do not have their passwords encrypted. Encrypted passwords will display an encrypted Session Key instead of the password. This session key does time out and can not be used when logging into either the i2b2 Web Client or the Workbench. It can however be used to access the server if the user viewing the logs has a method of querying the server directly.

Bottom line is user passwords should not display in the JBoss logs regardless of whether or not DEBUG is turned on.

Attachments

Activity

People

Assignee:: Janice Donahoe

Reporter:: Janice Donahoe

Participant/s:: Janice Donahoe

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 20/Jan/15 9:48 AM

Updated:: 12/May/15 10:51 AM

Resolved:: 11/Mar/15 2:52 PM