Hello Keycloak Community,
I've encountered a logging issue using the DirectAccessGrantLoginModule
that can lead to clear-text passwords exposed in the logs.
In my application, i am leveraging Teiid for Database Virtualization, and
have secured its JDBC access using the DirectAccessGrantLoginModule in a
custom security domain. This is to allow users to access the data from JDBC
clients by providing username/password instead of a token
However, using this approach, when the login occurs, the LoginModule at
DEBUG level will use the apache wire library and log the following line:
2017-12-12 09:23:18,263 DEBUG [org.apache.http.wire] (NIO8) >>
"grant_type=password&username=MyUser&password=MyPassword&client_id=MyClient"
In the log line above, *MyPassword* will be in clear text, and visible to
anyone reviewing the logs.
Is there any way to leverage this Login Module (or make improvements) to
ensure the users clear-text password is not shown in the log for security
reasons? Perhaps an option or property that could encrypt/redact that
password for that log message?
I can add custom Wildfly loggers to not display messages from this package
at DEBUG, but it would be great if there was another option available to
avoid missing out on other messages from this package.
Thanks,
Joe
Show replies by date