Foros de discusión

RE: Liferay Password Storage

thumbnail
Daniel Kempf, modificado hace 12 años.

Liferay Password Storage

New Member Mensajes: 15 Fecha de incorporación: 22/04/11 Mensajes recientes
Today I found out, that my password is written in plain-text to the log files. How can that happen?

Could anyone explain, why Liferay is storing my unencrypted password in my user session? Is it required for HTTP-Auth and IFrames?

I am using LDAP-Auth against an AD and the passwords in the user_ table is encrypted.

The lines in the log file exposing my password contains look like this:


15:05:59,861 ERROR [SerialDestination:104] Unable to process message {destinationName=liferay/document_library_pdf_processor, response=null, responseDestinationName=null, responseId=null, payload=com.liferay.portal.repository.liferayrepository.model.LiferayFileVersion@a11664, values={principalPassword=xxx, principalName=11202, companyId=10154}}
com.liferay.portal.kernel.messaging.MessageListenerException: com.liferay.portal.kernel.process.ProcessException: org.im4java.core.CommandException: GPL Ghostscript 8.71: Unrecoverable error, exit code 1
thumbnail
David H Nebinger, modificado hace 12 años.

RE: Liferay Password Storage

Liferay Legend Mensajes: 14914 Fecha de incorporación: 2/09/06 Mensajes recientes
If you check the LiferayFileVersion implementation, you'd see that it is just holding a map of attributes, and since the map doesn't know it's holding a password, it just dumps it out.
thumbnail
Daniel Kempf, modificado hace 12 años.

RE: Liferay Password Storage

New Member Mensajes: 15 Fecha de incorporación: 22/04/11 Mensajes recientes
Thank you for your response. However, I was trying to find out why the map holds the password in the first place.

A similar issue was documented here http://issues.liferay.com/browse/LPS-20109, so I assume that there might be more possible log-entries containing users password.

Does this occur in the Enterprise Edition of the portal as well?
thumbnail
Hitoshi Ozawa, modificado hace 12 años.

RE: Liferay Password Storage

Liferay Legend Mensajes: 7942 Fecha de incorporación: 24/03/10 Mensajes recientes
Instead of commenting on a closed issue, it's probably better to create a new issue and mark priority and "critical".
However, you'll need to provide clear steps to reproduce the error because as you can see from the issue you've pointed out,
Liferay staff tends to close issues they can't reproduce.

Also, I hope you're using 6.1.0GA1 because if you're not, they usually tell you to upgrade. Additional note, 6.1.0 EE is still not out.
thumbnail
David H Nebinger, modificado hace 12 años.

RE: Liferay Password Storage

Liferay Legend Mensajes: 14914 Fecha de incorporación: 2/09/06 Mensajes recientes
He's using some variant of 6.1 because the LiferayFileVersion class does not exist in the 6.0 series...
thumbnail
Daniel Kempf, modificado hace 12 años.

RE: Liferay Password Storage

New Member Mensajes: 15 Fecha de incorporación: 22/04/11 Mensajes recientes
6.1 CE GA1 (Tomcat Bundle)
thumbnail
Hitoshi Ozawa, modificado hace 12 años.

RE: Liferay Password Storage

Liferay Legend Mensajes: 7942 Fecha de incorporación: 24/03/10 Mensajes recientes
He's using some variant of 6.1 because the LiferayFileVersion class does not exist in the 6.0 series...


It's here:
liferay-portal-src-6.1.0-ce-rc1\portal-impl\src\com\liferay\portal\repository\liferayrepository\model\LiferayFileVersion.java
thumbnail
David H Nebinger, modificado hace 12 años.

RE: Liferay Password Storage

Liferay Legend Mensajes: 14914 Fecha de incorporación: 2/09/06 Mensajes recientes
Well I knew that, Hitoshi, that's where I found the map... emoticon
thumbnail
Hitoshi Ozawa, modificado hace 12 años.

RE: Liferay Password Storage

Liferay Legend Mensajes: 7942 Fecha de incorporación: 24/03/10 Mensajes recientes
Sorry David, mistook your comment. I wanted to make sure he was using GA1. I've check the trunk to make sure it wasn't corrected there.
So this is a critical security bug.
thumbnail
Daniel Kempf, modificado hace 12 años.

RE: Liferay Password Storage

New Member Mensajes: 15 Fecha de incorporación: 22/04/11 Mensajes recientes
I have filed a bug report here: http://issues.liferay.com/browse/LPS-25638.

Thank you David and Hitoshi for the support. Still I am wondering why Liferay stores my password information in the session. Is there any way to turn that off? E.g. a switch in portal.properties?

Is it required, that the password is kept in memory? Would this change if I was using JAAS authentication?
thumbnail
Daniel Kempf, modificado hace 12 años.

RE: Liferay Password Storage (Respuesta)

New Member Mensajes: 15 Fecha de incorporación: 22/04/11 Mensajes recientes
To conclude this topic, I would like to share a statement that I received from Mika Koivisto:

Tested the attached pdf against latest master branch and the exception is no longer logged.

Plain text password is required to interact with remote repositories. Setting session.store.password property to false in your portal-ext.properties should disable it being stored.
thumbnail
Julio Varela Gómez, modificado hace 11 años.

RE: Liferay Password Storage

Regular Member Mensajes: 130 Fecha de incorporación: 14/01/08 Mensajes recientes
same problem but was solved with:
session.store.password = false

What I did was modify the class com.liferay.portal.kernel.messaging;
which is where the error is displayed:

_log.error (
"Unable to process message" + message, mle);

Change to:

message.put (
"principalPassword" "XXXXXXXXXXXXXXXXXXXXXXXXX");
_log.error (
"Unable to process message" + message, mle);

problem solved