[jboss-jira] [JBoss JIRA] (SECURITY-650) auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter

auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter ----------------------------------------------------------------------------------------------------------------------------- Key: SECURITY-650 URL: https://issues.jboss.org/browse/SECURITY-650 Project: PicketBox (JBoss Security and Identity Management) Issue Type: Bug Security Level: Public(Everyone can see) Components: PicketBox Affects Versions: JBossSecurity_2.0.4.SP9 Reporter: Tom Fonteyne Assignee: Tom Fonteyne Priority: Minor Fix For: PicketBox_v4_0_8.Final auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter See: jbosssx/​ src/​ main/​ java/​ org/​ jboss/​ security/​ authorization/​ resources/​ WebResource.java Headers filter: 180 if(headerName.contains("authorization") == false) 181 sb.append(httpRequest.getHeader(headerName)).append(","); No filtering for params: 197 sb.append(paramValues[i]).append("::");