[jboss-dev-forums] [Design of POJO Server] - Re: Masking passwords in logs
anil.saldhana@jboss.com
do-not-reply at jboss.com
Fri Oct 10 12:03:46 EDT 2008
"adrian at jboss.org" wrote : Why doesn't this solve the problem?
| http://www.jboss.org/community/docs/DOC-9350
| http://www.jboss.org/community/docs/DOC-9703
|
That solves the issue for JCA. But what if the user has not done the encryption and the log is set to debug (community version)? Logs are long-lived beasts. I only have an issue with JBoss core infrastructure chewing out attribute values in debug mode when the values can be passwords.
"adrian at jboss.org" wrote :
| Even if you mask the password in the log, if it is an MBean attribute, it will
| be visible via JMX (and the user has access).
If we try to fix this, it will only get complicated. Visually, it would prohibit the update of the password.
"adrian at jboss.org" wrote :
| Additionally since we recommend changing the log level to INFO
| for production anyway, none of this will appear in the log.
I am not sure that everyone follows the recommendations.
We are not trying to make passwords totally invisible. All we are trying to do is apply a trivial mask to passwords in the log (we may not get a 100% hit with the masking).
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4181566#4181566