Uploaded image for project: 'i2b2 Core Software'
  1. i2b2 Core Software
  2. CORE-158

JBoss server log contains password information when debug is turned on

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 1.7.04
    • 1.7.05
    • PM Cell, XML
    • None
    • i2b2 Core
    • All databases
    • All Web Browsers
    • Hide
      Tested with Mike Mendis and the password no longer displays. The tags for the password are sent in the xml but the actually password is replaced with asterisks.

      This issue is now working correctly and can be included in the 1.7.05 release.
      Show
      Tested with Mike Mendis and the password no longer displays. The tags for the password are sent in the xml but the actually password is replaced with asterisks. This issue is now working correctly and can be included in the 1.7.05 release.

    Description

      In the JBoss server log for the edu.harvard.i2b2.pm.ws.PMService::Received Request PDO Element, the user password is displaying in the <security> section.

      Although this information is only displayed when the DEBUG level is turned on it can be problematic for those sites that do not have their passwords encrypted. Encrypted passwords will display an encrypted Session Key instead of the password. This session key does time out and can not be used when logging into either the i2b2 Web Client or the Workbench. It can however be used to access the server if the user viewing the logs has a method of querying the server directly.

      Bottom line is user passwords should not display in the JBoss logs regardless of whether or not DEBUG is turned on.

      Attachments

        Activity

          People

            jmd86 Janice Donahoe
            jmd86 Janice Donahoe
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: