  1. Identity Provider
  2. IDP-1057

BaseComputedIDDataConnectorParser logs secret - should it?

    Details

    • Operating System:
      Multiple
    • Servlet Container:
      Jetty 9.3

      Description

      The UKf helpdesk were passed idp-process.log to assist in debugging an IdP configuration problem, and I noticed this line close to the ERROR:

      2016-09-29 16:50:17,567 - DEBUG [net.shibboleth.idp.attribute.resolver.spring.dc.impl.BaseComputedIDDataConnectorParser:80] - Data Connector 'myStoredId': Generated Attribute: 'persistentID', sourceAttribute = 'uid', salt (or property): '*** redacted ***'

      From an opsec point of view, I would not expect the salt to be logged. However, from an application development point of view, https://issues.shibboleth.net/jira/browse/IDP-771 and https://issues.shibboleth.net/jira/browse/IDP-982 were both diagnosed specifically because the DEBUG log has the salt in it.

      Not sure what to make of this, so flagging it up here.
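
One way to scrub the salt from idp-process.log before passing it to a third party such as a helpdesk, as an added example that is not part of the original issue or of the Shibboleth code base. The function names and the sample salt are hypothetical, and the message layout is assumed to match the DEBUG line quoted above.

```python
import re

# Message layout taken from the DEBUG line quoted in the issue; the value runs
# to the final quote on the line, so a salt containing apostrophes is covered.
SALT_RE = re.compile(r"(salt \(or property\): ')(.*)('\s*)$")
PLACEHOLDER = "*** redacted ***"


def redact_salt(line):
    """Return (scrubbed_line, exposed); exposed is True if a real value was replaced."""
    body = line.rstrip("\n")
    m = SALT_RE.search(body)
    if m is None or m.group(2) == PLACEHOLDER:
        return line, False
    scrubbed = body[:m.start(2)] + PLACEHOLDER + body[m.end(2):]
    return scrubbed + line[len(body):], True


def scrub_log(lines):
    """Scrub an iterable of log lines; return (scrubbed_lines, exposed_line_numbers)."""
    out, exposed = [], []
    for number, line in enumerate(lines, start=1):
        scrubbed, hit = redact_salt(line)
        out.append(scrubbed)
        if hit:
            exposed.append(number)
    return out, exposed


# Constructed sample input: the salt value and the INFO line are made up.
SAMPLE = [
    "2016-09-29 16:50:17,101 - INFO [example.Startup:42] - constructed filler line\n",
    "2016-09-29 16:50:17,567 - DEBUG [net.shibboleth.idp.attribute.resolver.spring.dc.impl."
    "BaseComputedIDDataConnectorParser:80] - Data Connector 'myStoredId': Generated Attribute: "
    "'persistentID', sourceAttribute = 'uid', salt (or property): 'constructed-salt-it's-fake'\n",
]

if __name__ == "__main__":
    cleaned, exposed = scrub_log(SAMPLE)
    print("".join(cleaned), end="")
    print("salt present on input lines:", exposed)
```

The returned line numbers show where a live salt sat in the unscrubbed file, which is the information needed to judge who has already had access to it.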

            People

            Assignee:
            rdw@iay.org.uk Rod Widdowson
            Reporter:
            bufi3fpmwmfb7fsbzob/ylljzbq=@https://idp.jisc.ac.uk/idp/shibboleth
            Watchers:
            3

                Time Tracking

                Estimated:
                2h
                Remaining:
                0m
                Logged:
                15m