  1. OpenAM
  2. OPENAM-13890

Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext

    Details

    • Sprint:
      AM Sustaining Sprint 57, AM Sustaining Sprint 73
    • Story Points:
      2
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      During installation, AM logs the "demo" user password (AMLDAPUSERPASSWD) in ~/openam/install.log in plaintext. It does this even when an external user store is configured.

      How to reproduce the issue

      1. Install AM (with or without an external user store)
      2. Search ~/openam/install.log for AMLDAPUSERPASSWD

      Expected behaviour

      Using embedded user store, AMLDAPUSERPASSWD should not be logged in plaintext. When using an external user store, AMLDAPUSERPASSWD shouldn't be logged at all.

      Current behaviour

      AMLDAPUSERPASSWD is always logged and in plaintext


      Work around

      None

       

            People

            • Assignee:
              sachiko Sachiko Wallace
              Reporter:
              aaron.haskins Aaron Haskins
            • Votes:
              0
              Watchers:
              4
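
A defender-side check for the condition this ticket describes, as an added example that is not part of the ticket or of AM's own code: it counts and locates lines containing AMLDAPUSERPASSWD in an install.log without printing the value, flags group/other access to the file, and redacts in place. The function names and the sample log lines are assumptions; the ticket does not show the real line layout, so the redaction simply drops everything after the key name.

```shell
#!/bin/sh
# Added example: audit an AM install.log for the demo-user password key
# without ever printing the secret itself.
KEY='AMLDAPUSERPASSWD'   # key name taken from the ticket

# Number of lines that mention the key (0 if the file is unreadable).
count_exposed() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -F -e "$KEY" "$1" || true
}

# Line numbers only, so the report can be shared without leaking the value.
exposed_lines() {
    grep -n -F -e "$KEY" "$1" | cut -d: -f1
}

# Succeeds if group or others hold any permission bit on the file.
open_to_others() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# Replace everything after the key on each matching line (no line layout is
# assumed). The rewritten file ends up with mode 600.
redact_log() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    chmod 600 "$tmp"
    if sed "s/\($KEY\).*/\1 [REDACTED]/" "$1" > "$tmp"; then
        mv "$tmp" "$1"
    else
        rm -f "$tmp"; return 1
    fi
}

# Demo on a constructed log (line layout and values are made up).
demo() {
    log=$(mktemp) || return 1
    printf '%s\n' 'step 1 ok' 'AMLDAPUSERPASSWD=constructed-secret' 'done' > "$log"
    chmod 644 "$log"
    echo "matches: $(count_exposed "$log") at line(s): $(exposed_lines "$log")"
    open_to_others "$log" && echo "log is accessible to group/others"
    redact_log "$log" && cat "$log"
    rm -f "$log"
}
if [ "$#" -eq 0 ]; then demo; else
    for f in "$@"; do echo "$f: $(count_exposed "$f") line(s) with $KEY"; done
fi
```

Redacting the file does not undo earlier exposure, so change the demo user's password if the log was readable by anyone else.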
