]
Hisanobu Okuda updated WFLY-13838:
----------------------------------
Git Pull Request:
plain text j_password appears in the legacy audit log
-----------------------------------------------------
Key: WFLY-13838
URL:
https://issues.redhat.com/browse/WFLY-13838
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 20.0.1.Final
Reporter: Hisanobu Okuda
Assignee: Hisanobu Okuda
Priority: Major
Fix For: 21.0.0.Beta1
Attachments: web-form-auth.tar.gz
The unmasked value of j_password is written in the audit log as
`[parameters=guest::,guest::,]`.
{code}
12:48:45,385 TRACE [org.jboss.security.audit] (default task-1)
[Success]principal=guest;request=[/test:cookies=[javax.servlet.http.Cookie@46b3f22]:headers=Origin=http://localhost:8080,Cookie=JSESSIONID=dbDjUA6QeA2UXCyyPaqdSSgE4Kjd0_JvxUG7-pBx.localhost,Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8,User-Agent=Mozilla/5.0
(X11; Fedora; Linux x86_64; rv:79.0) Gecko/20100101
Firefox/79.0,Connection=keep-alive,Referer=http://localhost:8080/test/secure/index.jsp,Host=localhost:8080,Accept-Encoding=gzip,
deflate,DNT=1,Upgrade-Insecure-Requests=1,Accept-Language=en-US,en;q=0.5,Content-Length=33,Content-Type=application/x-www-form-urlencoded,][parameters=guest::,guest::,][attributes=];message=UT000030:
User guest successfully
authenticated.;Source=org.wildfly.extension.undertow.security.AuditNotificationReceiver;
{code}