Uploaded image for project: 'i2b2 Core Software'
  1. i2b2 Core Software
  2. CORE-158

JBoss server log contains password information when debug is turned on

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 1.7.04
    • 1.7.05
    • PM Cell, XML
    • None
    • i2b2 Core
    • All databases
    • All Web Browsers
    • Hide
      Tested with Mike Mendis and the password no longer displays. The tags for the password are sent in the xml but the actually password is replaced with asterisks.

      This issue is now working correctly and can be included in the 1.7.05 release.
      Show
      Tested with Mike Mendis and the password no longer displays. The tags for the password are sent in the xml but the actually password is replaced with asterisks. This issue is now working correctly and can be included in the 1.7.05 release.

    Description

      In the JBoss server log for the edu.harvard.i2b2.pm.ws.PMService::Received Request PDO Element, the user password is displaying in the <security> section.

      Although this information is only displayed when the DEBUG level is turned on it can be problematic for those sites that do not have their passwords encrypted. Encrypted passwords will display an encrypted Session Key instead of the password. This session key does time out and can not be used when logging into either the i2b2 Web Client or the Workbench. It can however be used to access the server if the user viewing the logs has a method of querying the server directly.

      Bottom line is user passwords should not display in the JBoss logs regardless of whether or not DEBUG is turned on.

      Attachments

        Activity

          Ascending order - Click to sort in descending order
          jmd86 Janice Donahoe created issue -
          jmd86 Janice Donahoe made changes -
          Field Original Value New Value
          Assignee Mike Mendis [ mem61 ]
          i2b2 Sponsored Project/s i2b2 Core [ 10196 ]
          Status New [ 10000 ] Open [ 1 ]
          jmd86 Janice Donahoe made changes -
          Fix Version/s 1.7.05 [ 10164 ]
          mem61 Mike Mendis made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          mem61 Mike Mendis made changes -
          Assignee Mike Mendis [ mem61 ] Janice Donahoe [ jmd86 ]
          Status In Progress [ 3 ] Ready to Test [ 10001 ]
          jmd86 Janice Donahoe made changes -
          Status Ready to Test [ 10001 ] Testing [ 10002 ]
          jmd86 Janice Donahoe made changes -
          Testing Notes Tested with Mike Mendis and the password no longer displays. The tags for the password are sent in the xml but the actually password is replaced with asterisks.

          This issue is now working correctly and can be included in the 1.7.05 release.
          Status Testing [ 10002 ] Testing [ 10002 ]
          jmd86 Janice Donahoe made changes -
          Resolution Fixed [ 1 ]
          Status Testing [ 10002 ] Resolved [ 5 ]
          jmd86 Janice Donahoe added a comment -
          Version 1.7.05 of the i2b2 Software has been released and is available for download on the i2b2 website (http://www.i2b2.org/software).
          jmd86 Janice Donahoe added a comment - Version 1.7.05 of the i2b2 Software has been released and is available for download on the i2b2 website ( http://www.i2b2.org/software ).
          jmd86 Janice Donahoe made changes -
          Status Resolved [ 5 ] Closed [ 6 ]

          People

            jmd86 Janice Donahoe
            jmd86 Janice Donahoe
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: