[
https://issues.jboss.org/browse/SECURITY-651?page=com.atlassian.jira.plug...
]
Tom Fonteyne reassigned SECURITY-651:
-------------------------------------
Assignee: Tom Fonteyne (was: Anil Saldhana)
auditing is inconsistent: it filters out "authorization"
header but does not filter out the "j_password" form field parameter
-----------------------------------------------------------------------------------------------------------------------------
Key: SECURITY-651
URL:
https://issues.jboss.org/browse/SECURITY-651
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: PicketBox
Affects Versions: JBossSecurity_2.0.4.SP9
Environment: all
Reporter: Tom Fonteyne
Assignee: Tom Fonteyne
Priority: Minor
Fix For: JBossSecurity_2.0.4.SP9
auditing is inconsistent: it filters out "authorization" header but does not
filter out the "j_password" form field parameter
This got fixed in SECURITY-650 for the class:
jbosssx/ src/ main/ java/ org/ jboss/ security/ authorization/ resources/
WebResource.java
Also needs fixing in:
org/ jboss/ web/ tomcat/ security/ WebUtil.java
which is a (broken) copy of the former class method
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see:
http://www.atlassian.com/software/jira