Is there a way to configure Weblogic to prevent j_password (JAAS) plain text content in log file?
I found the j_password in several files, such as:
- AdminServer/incident/incdir_322/readme.txt
- AdminServer/incident/incdir_326/odl_logs1435_i326.txt
- AdminServer/logs/access.log
[2013-11-08T16:39:51.000-08:00] [AdminServer] [ERROR] [HTTP-500][WebServer] [host: adc23243] [nwaddr: 10.221.18.101] [ecid:5d85e564-18d9-40da-a581-fa03fc3d8f06-0011f7fb,0] [cs-method: GET] [cs-uri:@ /mypage/faces/main/A1011903588?j_password=mypass&j_username=myuser&_afrRedirect=988723932710064] [bytes: 176] [LOG_FILE: /scratch/user_projects/domains/base_domain/servers/AdminServer/logs/ access.log] GET @ /mypage/faces/main/A1011903588?j_password=mypass&j_username=myuser&_afrRedirect=988723932710064
It may seem like excessive concern, but even a server admin shouldn't be able to access secret information just by changing a log level.
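As an added example (not from the question and not a WebLogic feature), here is a small Python scrubber that finds and redacts plaintext j_password values in access-log lines of the format shown above; the sample lines are constructed and the list of sensitive parameters is an assumption.

```python
import re
from typing import Iterator, List, Tuple

# Form-login parameters whose values must never appear in plaintext logs.
# j_password is the JAAS field from the question; j_username stays visible.
SENSITIVE_PARAMS = ("j_password",)

# name=value inside a query string; the value ends at '&', whitespace or ']'.
_PARAM_RE = re.compile(
    r"(?<![\w.])(" + "|".join(map(re.escape, SENSITIVE_PARAMS)) + r")=([^&\s\]]*)"
)

# Constructed sample modelled on the access.log line in the question (fake ids).
SAMPLE_LOG = """\
[2013-11-08T16:39:51.000-08:00] [AdminServer] [ERROR] [HTTP-500] [cs-method: GET] [cs-uri: /mypage/faces/main/A1?j_password=mypass&j_username=myuser] GET /mypage/faces/main/A1?j_password=mypass&j_username=myuser
[2013-11-08T16:40:02.000-08:00] [AdminServer] [NOTIFICATION] [cs-method: POST] [cs-uri: /mypage/j_security_check] POST /mypage/j_security_check
"""


def redact_line(line: str) -> str:
    """Replace every sensitive parameter value with a fixed marker."""
    return _PARAM_RE.sub(r"\1=[REDACTED]", line)


def find_exposures(text: str) -> Iterator[Tuple[int, int]]:
    """Yield (line_number, occurrences) for lines carrying a non-empty secret."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = sum(1 for m in _PARAM_RE.finditer(line) if m.group(2))
        if hits:
            yield lineno, hits


def scrub(text: str) -> Tuple[str, List[Tuple[int, int]]]:
    """Return the redacted text plus the exposure report for the original."""
    report = list(find_exposures(text))
    redacted = "\n".join(redact_line(line) for line in text.splitlines())
    return redacted, report


if __name__ == "__main__":
    cleaned, report = scrub(SAMPLE_LOG)
    for lineno, hits in report:
        print(f"line {lineno}: {hits} plaintext credential value(s)")
    print(cleaned)
```

Redacting after the fact is only a compensating control: a password carried in a GET query string also lands in browser history, proxy logs and Referer headers, so the login form itself should submit credentials with POST.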