Forums
RE: Liferay Password Storage
Daniel Kempf, modified 12 years ago
Liferay Password Storage
New Member  Posts: 15  Join date: 2011.04.22.
Today I found out that my password is written in plain text to the log files. How can that happen?
Could anyone explain why Liferay is storing my unencrypted password in my user session? Is it required for HTTP-Auth and IFrames?
I am using LDAP-Auth against an AD, and the passwords in the user_ table are encrypted.
The lines in the log file exposing my password look like this:
15:05:59,861 ERROR [SerialDestination:104] Unable to process message {destinationName=liferay/document_library_pdf_processor, response=null, responseDestinationName=null, responseId=null, payload=com.liferay.portal.repository.liferayrepository.model.LiferayFileVersion@a11664, values={principalPassword=xxx, principalName=11202, companyId=10154}}
com.liferay.portal.kernel.messaging.MessageListenerException: com.liferay.portal.kernel.process.ProcessException: org.im4java.core.CommandException: GPL Ghostscript 8.71: Unrecoverable error, exit code 1
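Once a credential has reached a log file the immediate job is to find out how far it spread and to scrub the copies. The scanner below is an added example written for this thread, not code from the forum or from Liferay. It works on the exact line shape shown above (a message's values map dumped as "values={principalPassword=..., principalName=..., ...}"), reports one finding per affected line without copying the secret into the report, and returns a redacted copy of the lines. The sample log is constructed; the password value in it is made up.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Scans Liferay-style log lines for a message values map that was dumped with its
 * principalPassword entry intact. Produces (a) one finding per affected line that
 * carries no copy of the secret, and (b) a redacted copy of the lines.
 */
public class LeakedPasswordLogScanner {

    /** Constructed sample: the page's ERROR line with a made-up password, plus two other lines. */
    static final List<String> SAMPLE_LOG = Arrays.asList(
        "15:05:59,861 ERROR [SerialDestination:104] Unable to process message "
            + "{destinationName=liferay/document_library_pdf_processor, response=null, "
            + "responseDestinationName=null, responseId=null, "
            + "payload=com.liferay.portal.repository.liferayrepository.model.LiferayFileVersion@a11664, "
            + "values={principalPassword=Hunter2!, principalName=11202, companyId=10154}}",
        "com.liferay.portal.kernel.messaging.MessageListenerException: "
            + "com.liferay.portal.kernel.process.ProcessException: "
            + "org.im4java.core.CommandException: GPL Ghostscript 8.71: Unrecoverable error, exit code 1",
        "15:06:02,117 INFO  [PortalInstances:184] Loading portal instance 10154");

    // The value runs up to the next ", " separator or the "}" that closes the values map.
    // A password containing ',' or '}' would be cut short, which only makes the redaction
    // partial, so the finding records that a value was present and its length, never the value.
    private static final Pattern PASSWORD_FIELD = Pattern.compile("(principalPassword=)([^,}]*)");
    private static final Pattern PRINCIPAL_NAME = Pattern.compile("principalName=([^,}]*)");
    static final String MASK = "***REDACTED***";

    /** One affected log line. Deliberately carries no copy of the secret. */
    public static final class Finding {
        public final int lineNumber;        // 1-based index into the scanned lines
        public final String principalName;  // user id from the same line, or "?" if absent
        public final int passwordLength;    // length of the leaked value, for triage only

        Finding(int lineNumber, String principalName, int passwordLength) {
            this.lineNumber = lineNumber;
            this.principalName = principalName;
            this.passwordLength = passwordLength;
        }

        @Override public String toString() {
            return "line " + lineNumber + ": principalPassword for principalName="
                + principalName + " (" + passwordLength + " chars) written to log";
        }
    }

    /** Returns one finding per line that contains a non-empty principalPassword value. */
    public static List<Finding> findLeaks(List<String> lines) {
        List<Finding> findings = new ArrayList<>();
        for (int i = 0; i < lines.size(); i++) {
            Matcher m = PASSWORD_FIELD.matcher(lines.get(i));
            if (!m.find() || m.group(2).isEmpty()) continue;   // no value, nothing leaked
            Matcher n = PRINCIPAL_NAME.matcher(lines.get(i));
            String principal = n.find() ? n.group(1) : "?";
            findings.add(new Finding(i + 1, principal, m.group(2).length()));
        }
        return findings;
    }

    /** Replaces every principalPassword value in a line with MASK; other lines pass through. */
    public static String redactLine(String line) {
        return PASSWORD_FIELD.matcher(line).replaceAll("$1" + MASK);
    }

    public static List<String> redact(List<String> lines) {
        List<String> out = new ArrayList<>(lines.size());
        for (String line : lines) out.add(redactLine(line));
        return out;
    }

    public static void main(String[] args) {
        for (Finding f : findLeaks(SAMPLE_LOG)) System.out.println(f);
        System.out.println("--- redacted ---");
        for (String line : redact(SAMPLE_LOG)) System.out.println(line);
    }
}
```

Run it against the real catalina.out and any shipped copies (log aggregators, backups, ticket attachments) before treating the incident as closed; the finding's principalName tells you whose password to rotate.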
David H Nebinger, modified 12 years ago
RE: Liferay Password Storage
Liferay Legend  Posts: 14916  Join date: 2006.09.02.
If you check the LiferayFileVersion implementation, you'd see that it is just holding a map of attributes, and since the map doesn't know it's holding a password, it just dumps it out.
Daniel Kempf, modified 12 years ago
RE: Liferay Password Storage
New Member  Posts: 15  Join date: 2011.04.22.
Thank you for your response. However, I was trying to find out why the map holds the password in the first place.
A similar issue was documented here http://issues.liferay.com/browse/LPS-20109, so I assume that there might be more possible log entries containing users' passwords.
Does this occur in the Enterprise Edition of the portal as well?
Hitoshi Ozawa, modified 12 years ago
RE: Liferay Password Storage
Liferay Legend  Posts: 7942  Join date: 2010.03.24.
Instead of commenting on a closed issue, it's probably better to create a new issue and mark priority as "critical".
However, you'll need to provide clear steps to reproduce the error because, as you can see from the issue you've pointed out, Liferay staff tends to close issues they can't reproduce.
Also, I hope you're using 6.1.0GA1 because if you're not, they usually tell you to upgrade. Additional note: 6.1.0 EE is still not out.
David H Nebinger, modified 12 years ago
RE: Liferay Password Storage
Liferay Legend  Posts: 14916  Join date: 2006.09.02.
He's using some variant of 6.1 because the LiferayFileVersion class does not exist in the 6.0 series...
Daniel Kempf, modified 12 years ago
RE: Liferay Password Storage
New Member  Posts: 15  Join date: 2011.04.22.
6.1 CE GA1 (Tomcat Bundle)
Hitoshi Ozawa, modified 12 years ago
RE: Liferay Password Storage
Liferay Legend  Posts: 7942  Join date: 2010.03.24.
He's using some variant of 6.1 because the LiferayFileVersion class does not exist in the 6.0 series...
It's here:
liferay-portal-src-6.1.0-ce-rc1\portal-impl\src\com\liferay\portal\repository\liferayrepository\model\LiferayFileVersion.java
David H Nebinger, modified 12 years ago
RE: Liferay Password Storage
Liferay Legend  Posts: 14916  Join date: 2006.09.02.
Well I knew that, Hitoshi, that's where I found the map...
Hitoshi Ozawa, modified 12 years ago
RE: Liferay Password Storage
Liferay Legend  Posts: 7942  Join date: 2010.03.24.
Sorry David, I mistook your comment. I wanted to make sure he was using GA1. I've checked the trunk to make sure it wasn't corrected there.
So this is a critical security bug.
Daniel Kempf, modified 12 years ago
RE: Liferay Password Storage
New Member  Posts: 15  Join date: 2011.04.22.
I have filed a bug report here: http://issues.liferay.com/browse/LPS-25638.
Thank you, David and Hitoshi, for the support. Still, I am wondering why Liferay stores my password information in the session. Is there any way to turn that off? E.g. a switch in portal.properties?
Is it required that the password is kept in memory? Would this change if I was using JAAS authentication?
Daniel Kempf, modified 12 years ago
RE: Liferay Password Storage (Answer)
New Member  Posts: 15  Join date: 2011.04.22.
To conclude this topic, I would like to share a statement that I received from Mika Koivisto:
Tested the attached pdf against latest master branch and the exception is no longer logged.
Plain text password is required to interact with remote repositories. Setting session.store.password property to false in your portal-ext.properties should disable it being stored.
Julio Varela Gómez, modified 11 years ago
RE: Liferay Password Storage
Regular Member  Posts: 130  Join date: 2008.01.14.
Same problem, but it was solved with:
session.store.password = false
What I did was modify the class com.liferay.portal.kernel.messaging, which is where the error is displayed:
_log.error("Unable to process message " + message, mle);
Change to:
message.put("principalPassword", "XXXXXXXXXXXXXXXXXXXXXXXXX");
_log.error("Unable to process message " + message, mle);
Problem solved.
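The patch above keeps the password out of the log by overwriting it inside the live message, so anything that still needs the message after the error (a retry, another listener) now sees a dummy value. A variant that avoids that side effect is shown below as an added example; it is not code from this thread or from Liferay and uses no Liferay classes. It builds a redacted copy of the values map for the log statement only, matches secret keys case-insensitively (the "password"/"passwd" entries are assumed extras beyond the "principalPassword" key seen in the log line), recurses into nested maps, and leaves the original map untouched. The sample values map is constructed.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Produces a copy of a message's values map with credential entries masked, so an
 * error path can log the message without dumping the password and without modifying
 * the live message (a message.put() of a dummy value changes what downstream code sees).
 */
public class RedactedMessageView {

    /** Keys whose values are never logged, matched case-insensitively. "principalPassword"
     *  is the key seen in this thread's log line; the other two are assumed extras. */
    private static final Set<String> SECRET_KEYS = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    static {
        SECRET_KEYS.add("principalPassword");
        SECRET_KEYS.add("password");
        SECRET_KEYS.add("passwd");
    }

    static final String MASK = "********";

    /**
     * Returns a new, read-only map in which every secret value is replaced by MASK.
     * Nested maps are redacted recursively; the input map is not modified.
     */
    public static Map<String, Object> redact(Map<String, Object> values) {
        Map<String, Object> copy = new LinkedHashMap<>();
        for (Map.Entry<String, Object> entry : values.entrySet()) {
            String key = entry.getKey();
            Object value = entry.getValue();
            if (key != null && SECRET_KEYS.contains(key)) {
                // Keep null as null: a present-but-null credential is worth seeing in a log.
                copy.put(key, value == null ? null : MASK);
            } else if (value instanceof Map) {
                @SuppressWarnings("unchecked")
                Map<String, Object> nested = (Map<String, Object>) value;
                copy.put(key, redact(nested));
            } else {
                copy.put(key, value);
            }
        }
        return Collections.unmodifiableMap(copy);
    }

    /** The string a listener would concatenate into its error message instead of the raw message. */
    public static String describe(String destinationName, Map<String, Object> values) {
        return "{destinationName=" + destinationName + ", values=" + redact(values) + "}";
    }

    public static void main(String[] args) {
        // Constructed stand-in for the values map dumped in the thread's log line.
        Map<String, Object> values = new LinkedHashMap<>();
        values.put("principalPassword", "Hunter2!");
        values.put("principalName", "11202");
        values.put("companyId", 10154L);

        // What the original error path logs: the password is in the clear.
        System.out.println("unsafe: " + values);
        // What a redacting error path logs instead.
        System.out.println("safe:   " + describe("liferay/document_library_pdf_processor", values));
        // The message itself is unchanged and can still be retried or passed on.
        System.out.println("original intact: " + "Hunter2!".equals(values.get("principalPassword")));
    }
}
```

Redacting at the logging call only helps the call you patched; Mika Koivisto's session.store.password=false in portal-ext.properties removes the password from the session altogether and therefore from every map that is built from it, so the two belong together rather than as alternatives.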