Combination View Flat View Tree View
Threads [ Previous | Next ]
toggle
Daniel Kempf
Liferay Password Storage
February 16, 2012 8:04 AM
Answer

Daniel Kempf

Rank: New Member

Posts: 15

Join Date: April 22, 2011

Recent Posts

Today I found out, that my password is written in plain-text to the log files. How can that happen?

Could anyone explain, why Liferay is storing my unencrypted password in my user session? Is it required for HTTP-Auth and IFrames?

I am using LDAP-Auth against an AD and the passwords in the user_ table is encrypted.

The lines in the log file exposing my password contains look like this:


15:05:59,861 ERROR [SerialDestination:104] Unable to process message {destinationName=liferay/document_library_pdf_processor, response=null, responseDestinationName=null, responseId=null, payload=com.liferay.portal.repository.liferayrepository.model.LiferayFileVersion@a11664, values={principalPassword=xxx, principalName=11202, companyId=10154}}
com.liferay.portal.kernel.messaging.MessageListenerException: com.liferay.portal.kernel.process.ProcessException: org.im4java.core.CommandException: GPL Ghostscript 8.71: Unrecoverable error, exit code 1
David H Nebinger
RE: Liferay Password Storage
February 16, 2012 10:32 AM
Answer

David H Nebinger

Rank: Liferay Legend

Posts: 6476

Join Date: September 1, 2006

Recent Posts

If you check the LiferayFileVersion implementation, you'd see that it is just holding a map of attributes, and since the map doesn't know it's holding a password, it just dumps it out.
Daniel Kempf
RE: Liferay Password Storage
February 16, 2012 2:24 PM
Answer

Daniel Kempf

Rank: New Member

Posts: 15

Join Date: April 22, 2011

Recent Posts

Thank you for your response. However, I was trying to find out why the map holds the password in the first place.

A similar issue was documented here http://issues.liferay.com/browse/LPS-20109, so I assume that there might be more possible log-entries containing users password.

Does this occur in the Enterprise Edition of the portal as well?
Hitoshi Ozawa
RE: Liferay Password Storage
February 16, 2012 2:47 PM
Answer

Hitoshi Ozawa

Rank: Liferay Legend

Posts: 7990

Join Date: March 23, 2010

Recent Posts

Instead of commenting on a closed issue, it's probably better to create a new issue and mark priority and "critical".
However, you'll need to provide clear steps to reproduce the error because as you can see from the issue you've pointed out,
Liferay staff tends to close issues they can't reproduce.

Also, I hope you're using 6.1.0GA1 because if you're not, they usually tell you to upgrade. Additional note, 6.1.0 EE is still not out.
David H Nebinger
RE: Liferay Password Storage
February 16, 2012 2:51 PM
Answer

David H Nebinger

Rank: Liferay Legend

Posts: 6476

Join Date: September 1, 2006

Recent Posts

He's using some variant of 6.1 because the LiferayFileVersion class does not exist in the 6.0 series...
Daniel Kempf
RE: Liferay Password Storage
February 16, 2012 2:52 PM
Answer

Daniel Kempf

Rank: New Member

Posts: 15

Join Date: April 22, 2011

Recent Posts

6.1 CE GA1 (Tomcat Bundle)
Hitoshi Ozawa
RE: Liferay Password Storage
February 16, 2012 3:14 PM
Answer

Hitoshi Ozawa

Rank: Liferay Legend

Posts: 7990

Join Date: March 23, 2010

Recent Posts

He's using some variant of 6.1 because the LiferayFileVersion class does not exist in the 6.0 series...


It's here:
liferay-portal-src-6.1.0-ce-rc1\portal-impl\src\com\liferay\portal\repository\liferayrepository\model\LiferayFileVersion.java
David H Nebinger
RE: Liferay Password Storage
February 16, 2012 7:28 PM
Answer

David H Nebinger

Rank: Liferay Legend

Posts: 6476

Join Date: September 1, 2006

Recent Posts

Well I knew that, Hitoshi, that's where I found the map... emoticon
Hitoshi Ozawa
RE: Liferay Password Storage
February 16, 2012 8:17 PM
Answer

Hitoshi Ozawa

Rank: Liferay Legend

Posts: 7990

Join Date: March 23, 2010

Recent Posts

Sorry David, mistook your comment. I wanted to make sure he was using GA1. I've check the trunk to make sure it wasn't corrected there.
So this is a critical security bug.
Daniel Kempf
RE: Liferay Password Storage
February 17, 2012 1:28 AM
Answer

Daniel Kempf

Rank: New Member

Posts: 15

Join Date: April 22, 2011

Recent Posts

I have filed a bug report here: http://issues.liferay.com/browse/LPS-25638.

Thank you David and Hitoshi for the support. Still I am wondering why Liferay stores my password information in the session. Is there any way to turn that off? E.g. a switch in portal.properties?

Is it required, that the password is kept in memory? Would this change if I was using JAAS authentication?
Daniel Kempf
RE: Liferay Password Storage
February 19, 2012 6:52 AM
Answer

Daniel Kempf

Rank: New Member

Posts: 15

Join Date: April 22, 2011

Recent Posts

To conclude this topic, I would like to share a statement that I received from Mika Koivisto:

Tested the attached pdf against latest master branch and the exception is no longer logged.

Plain text password is required to interact with remote repositories. Setting session.store.password property to false in your portal-ext.properties should disable it being stored.
Julio Varela Gómez
RE: Liferay Password Storage
April 24, 2012 2:37 AM
Answer

Julio Varela Gómez

Rank: Regular Member

Posts: 124

Join Date: January 14, 2008

Recent Posts

same problem but was solved with:
session.store.password = false

What I did was modify the class com.liferay.portal.kernel.messaging;
which is where the error is displayed:

_log.error (
"Unable to process message" + message, mle);

Change to:

message.put (
"principalPassword" "XXXXXXXXXXXXXXXXXXXXXXXXX");
_log.error (
"Unable to process message" + message, mle);

problem solved