[jboss-jira] [JBoss JIRA] (SECURITY-650) auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter

Thursday, 8 March 2012

Tom Fonteyne created SECURITY-650:
-------------------------------------

             Summary: auditing is inconsistent: it filters out "authorization"
header but does not filter out the "j_password" form field parameter
                 Key: SECURITY-650
                 URL: https://issues.jboss.org/browse/SECURITY-650
             Project: PicketBox (JBoss Security and Identity Management)
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: PicketBox
    Affects Versions: JBossSecurity_2.0.4.SP9
            Reporter: Tom Fonteyne
            Assignee: Anil Saldhana
            Priority: Minor
             Fix For: PicketBox_v4_0_8.Final

auditing is inconsistent: it filters out "authorization" header but does not
filter out the "j_password" form field parameter

See: jbosssx/ src/ main/ java/ org/ jboss/ security/ authorization/ resources/
WebResource.java

Headers filter:
180 if(headerName.contains("authorization") == false)
181 sb.append(httpRequest.getHeader(headerName)).append(",");

No filtering for params:

197 sb.append(paramValues[i]).append("::");

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

[jboss-jira] [JBoss JIRA] (SECURITY-650) auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter