留言板
Liferay Password Storage
Today I found out, that my password is written in plain-text to the log files. How can that happen?
Could anyone explain, why Liferay is storing my unencrypted password in my user session? Is it required for HTTP-Auth and IFrames?
I am using LDAP-Auth against an AD and the passwords in the user_ table is encrypted.
The lines in the log file exposing my password contains look like this:
Could anyone explain, why Liferay is storing my unencrypted password in my user session? Is it required for HTTP-Auth and IFrames?
I am using LDAP-Auth against an AD and the passwords in the user_ table is encrypted.
The lines in the log file exposing my password contains look like this:
15:05:59,861 ERROR [SerialDestination:104] Unable to process message {destinationName=liferay/document_library_pdf_processor, response=null, responseDestinationName=null, responseId=null, payload=com.liferay.portal.repository.liferayrepository.model.LiferayFileVersion@a11664, values={principalPassword=xxx, principalName=11202, companyId=10154}}
com.liferay.portal.kernel.messaging.MessageListenerException: com.liferay.portal.kernel.process.ProcessException: org.im4java.core.CommandException: GPL Ghostscript 8.71: Unrecoverable error, exit code 1
If you check the LiferayFileVersion implementation, you'd see that it is just holding a map of attributes, and since the map doesn't know it's holding a password, it just dumps it out.
Thank you for your response. However, I was trying to find out why the map holds the password in the first place.
A similar issue was documented here http://issues.liferay.com/browse/LPS-20109, so I assume that there might be more possible log-entries containing users password.
Does this occur in the Enterprise Edition of the portal as well?
A similar issue was documented here http://issues.liferay.com/browse/LPS-20109, so I assume that there might be more possible log-entries containing users password.
Does this occur in the Enterprise Edition of the portal as well?
Instead of commenting on a closed issue, it's probably better to create a new issue and mark priority and "critical".
However, you'll need to provide clear steps to reproduce the error because as you can see from the issue you've pointed out,
Liferay staff tends to close issues they can't reproduce.
Also, I hope you're using 6.1.0GA1 because if you're not, they usually tell you to upgrade. Additional note, 6.1.0 EE is still not out.
However, you'll need to provide clear steps to reproduce the error because as you can see from the issue you've pointed out,
Liferay staff tends to close issues they can't reproduce.
Also, I hope you're using 6.1.0GA1 because if you're not, they usually tell you to upgrade. Additional note, 6.1.0 EE is still not out.
He's using some variant of 6.1 because the LiferayFileVersion class does not exist in the 6.0 series...
He's using some variant of 6.1 because the LiferayFileVersion class does not exist in the 6.0 series...
It's here:
liferay-portal-src-6.1.0-ce-rc1\portal-impl\src\com\liferay\portal\repository\liferayrepository\model\LiferayFileVersion.java
I have filed a bug report here: http://issues.liferay.com/browse/LPS-25638.
Thank you David and Hitoshi for the support. Still I am wondering why Liferay stores my password information in the session. Is there any way to turn that off? E.g. a switch in portal.properties?
Is it required, that the password is kept in memory? Would this change if I was using JAAS authentication?
Thank you David and Hitoshi for the support. Still I am wondering why Liferay stores my password information in the session. Is there any way to turn that off? E.g. a switch in portal.properties?
Is it required, that the password is kept in memory? Would this change if I was using JAAS authentication?
To conclude this topic, I would like to share a statement that I received from Mika Koivisto:
Tested the attached pdf against latest master branch and the exception is no longer logged.
Plain text password is required to interact with remote repositories. Setting session.store.password property to false in your portal-ext.properties should disable it being stored.
Julio Varela Gómez,修改在12 年前。
RE: Liferay Password Storage
Regular Member 帖子: 130 加入日期: 08-1-14 最近的帖子
same problem but was solved with:
session.store.password = false
What I did was modify the class com.liferay.portal.kernel.messaging;
which is where the error is displayed:
_log.error (
"Unable to process message" + message, mle);
Change to:
message.put (
"principalPassword" "XXXXXXXXXXXXXXXXXXXXXXXXX");
_log.error (
"Unable to process message" + message, mle);
problem solved
session.store.password = false
What I did was modify the class com.liferay.portal.kernel.messaging;
which is where the error is displayed:
_log.error (
"Unable to process message" + message, mle);
Change to:
message.put (
"principalPassword" "XXXXXXXXXXXXXXXXXXXXXXXXX");
_log.error (
"Unable to process message" + message, mle);
problem solved