[CORE-158] JBoss server log contains password information when debug is turned on Created: 20/Jan/15 Updated: 12/May/15 Resolved: 11/Mar/15 |
|
| Status: | Closed |
| Project: | i2b2 Core Software |
| Component/s: | PM Cell, XML |
| Affects Version/s: | 1.7.04 |
| Fix Version/s: | 1.7.05 |
| Type: | Bug | Priority: | Critical |
| Reporter: | Janice Donahoe | Assignee: | Janice Donahoe |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| i2b2 Sponsored Project/s: |
i2b2 Core
|
| Affects Database/s: |
All databases
|
| Affects Web Browser/s: |
All Web Browsers
|
| Testing Notes: | Tested with Mike Mendis and the password no longer displays. The tags for the password are sent in the xml but the actually password is replaced with asterisks.
This issue is now working correctly and can be included in the 1.7.05 release. |
| Participant/s: |
| Description |
|
In the JBoss server log for the edu.harvard.i2b2.pm.ws.PMService::Received Request PDO Element, the user password is displaying in the <security> section.
Although this information is only displayed when the DEBUG level is turned on it can be problematic for those sites that do not have their passwords encrypted. Encrypted passwords will display an encrypted Session Key instead of the password. This session key does time out and can not be used when logging into either the i2b2 Web Client or the Workbench. It can however be used to access the server if the user viewing the logs has a method of querying the server directly. Bottom line is user passwords should not display in the JBoss logs regardless of whether or not DEBUG is turned on. |
| Comments |
| Comment by Janice Donahoe [ 12/May/15 ] |
| Version 1.7.05 of the i2b2 Software has been released and is available for download on the i2b2 website (http://www.i2b2.org/software). |