留言板

  1. 主页
  2. Development
  3. Liferay Password Storage

Liferay Password Storage

thumbnail
Daniel Kempf,修改在12 年前。

Liferay Password Storage

New Member 帖子: 15 加入日期: 11-4-22 最近的帖子
Today I found out, that my password is written in plain-text to the log files. How can that happen?

Could anyone explain, why Liferay is storing my unencrypted password in my user session? Is it required for HTTP-Auth and IFrames?

I am using LDAP-Auth against an AD and the passwords in the user_ table is encrypted.

The lines in the log file exposing my password contains look like this:


15:05:59,861 ERROR [SerialDestination:104] Unable to process message {destinationName=liferay/document_library_pdf_processor, response=null, responseDestinationName=null, responseId=null, payload=com.liferay.portal.repository.liferayrepository.model.LiferayFileVersion@a11664, values={principalPassword=xxx, principalName=11202, companyId=10154}}
com.liferay.portal.kernel.messaging.MessageListenerException: com.liferay.portal.kernel.process.ProcessException: org.im4java.core.CommandException: GPL Ghostscript 8.71: Unrecoverable error, exit code 1
thumbnail
David H Nebinger,修改在12 年前。

RE: Liferay Password Storage

Liferay Legend 帖子: 14916 加入日期: 06-9-2 最近的帖子
If you check the LiferayFileVersion implementation, you'd see that it is just holding a map of attributes, and since the map doesn't know it's holding a password, it just dumps it out.
thumbnail
Daniel Kempf,修改在12 年前。

RE: Liferay Password Storage

New Member 帖子: 15 加入日期: 11-4-22 最近的帖子
Thank you for your response. However, I was trying to find out why the map holds the password in the first place.

A similar issue was documented here http://issues.liferay.com/browse/LPS-20109, so I assume that there might be more possible log-entries containing users password.

Does this occur in the Enterprise Edition of the portal as well?
thumbnail
Hitoshi Ozawa,修改在12 年前。

RE: Liferay Password Storage

Liferay Legend 帖子: 7942 加入日期: 10-3-24 最近的帖子
Instead of commenting on a closed issue, it's probably better to create a new issue and mark priority and "critical".
However, you'll need to provide clear steps to reproduce the error because as you can see from the issue you've pointed out,
Liferay staff tends to close issues they can't reproduce.

Also, I hope you're using 6.1.0GA1 because if you're not, they usually tell you to upgrade. Additional note, 6.1.0 EE is still not out.
thumbnail
David H Nebinger,修改在12 年前。

RE: Liferay Password Storage

Liferay Legend 帖子: 14916 加入日期: 06-9-2 最近的帖子
He's using some variant of 6.1 because the LiferayFileVersion class does not exist in the 6.0 series...
thumbnail
Daniel Kempf,修改在12 年前。

RE: Liferay Password Storage

New Member 帖子: 15 加入日期: 11-4-22 最近的帖子
6.1 CE GA1 (Tomcat Bundle)
thumbnail
Hitoshi Ozawa,修改在12 年前。

RE: Liferay Password Storage

Liferay Legend 帖子: 7942 加入日期: 10-3-24 最近的帖子
He's using some variant of 6.1 because the LiferayFileVersion class does not exist in the 6.0 series...


It's here:
liferay-portal-src-6.1.0-ce-rc1\portal-impl\src\com\liferay\portal\repository\liferayrepository\model\LiferayFileVersion.java
thumbnail
David H Nebinger,修改在12 年前。

RE: Liferay Password Storage

Liferay Legend 帖子: 14916 加入日期: 06-9-2 最近的帖子
Well I knew that, Hitoshi, that's where I found the map... emoticon
thumbnail
Hitoshi Ozawa,修改在12 年前。

RE: Liferay Password Storage

Liferay Legend 帖子: 7942 加入日期: 10-3-24 最近的帖子
Sorry David, mistook your comment. I wanted to make sure he was using GA1. I've check the trunk to make sure it wasn't corrected there.
So this is a critical security bug.
thumbnail
Daniel Kempf,修改在12 年前。

RE: Liferay Password Storage

New Member 帖子: 15 加入日期: 11-4-22 最近的帖子
I have filed a bug report here: http://issues.liferay.com/browse/LPS-25638.

Thank you David and Hitoshi for the support. Still I am wondering why Liferay stores my password information in the session. Is there any way to turn that off? E.g. a switch in portal.properties?

Is it required, that the password is kept in memory? Would this change if I was using JAAS authentication?
thumbnail
Daniel Kempf,修改在12 年前。

RE: Liferay Password Storage (答复)

New Member 帖子: 15 加入日期: 11-4-22 最近的帖子
To conclude this topic, I would like to share a statement that I received from Mika Koivisto:

Tested the attached pdf against latest master branch and the exception is no longer logged.

Plain text password is required to interact with remote repositories. Setting session.store.password property to false in your portal-ext.properties should disable it being stored.
thumbnail
Julio Varela Gómez,修改在11 年前。

RE: Liferay Password Storage

Regular Member 帖子: 130 加入日期: 08-1-14 最近的帖子
same problem but was solved with:
session.store.password = false

What I did was modify the class com.liferay.portal.kernel.messaging;
which is where the error is displayed:

_log.error (
"Unable to process message" + message, mle);

Change to:

message.put (
"principalPassword" "XXXXXXXXXXXXXXXXXXXXXXXXX");
_log.error (
"Unable to process message" + message, mle);

problem solved