CAS 6.3 logging sensitive information

275 views
Skip to first unread message

Baron Fujimoto

unread,
Jul 2, 2021, 10:41:47 PM7/2/21
to CAS Community
When our CAS starts up, it warns:
WARN [org.springframework.security.config.annotation.web.builders.WebSecurity] - <
********************************************************************
**********        Security debugging is enabled.       *************
**********    This may include sensitive information.  *************
**********      Do not use in a production system!     *************
********************************************************************
>

And I find log entries such as the following where the password is logged in plaintext:
DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Issuing ticket-granting tickets for service [AbstractWebApplicationService(id=https://www.example.com/app, originalUrl=https://www.example.com/app, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={execution=[...], password=[PASSWORD], _eventId=[submit], username=[USERNAME], geolocation=[]})]>

I assume this is the result of the following in log4j2.xml?

        <Property name="cas.log.level">debug</Property>
        ...
        <AsyncLogger name="org.apereo.cas.web.flow" level="${sys:cas.log.level}" includeLocation="true"/>

For hosts where we do want detailed debug-level logs (but do not want to reveal passwords) can this be mitigated via a cas property to redact the passwords? Or should it be handled via logging conf something like this?

        <Property name="cas.log.level">debug</Property>
        <Property name="cas.log.level.sensitive">info</Property>
        ...
        <AsyncLogger name="org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver" level="${sys:cas.log.level.sensitive}" includeLocation="true"/>
        <AsyncLogger name="org.apereo.cas.web.flow" level="${sys:cas.log.level}" includeLocation="true"/>

If this is the correct approach, is this sufficient to eliminate the log entries containing plaintext passwords, or are there additional classes(?) we need to worry about as well? Does the order of the AsyncLogger entries matter?

--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

Ray Bon

unread,
Jul 5, 2021, 2:02:10 PM7/5/21
to cas-...@apereo.org
Baron,

The order of the loggers does not matter, just specificity. You might want to include additivity so nothing bubbles up to more general loggers.

        <AsyncLogger name="specific.reference.to.Class" level="trace" additivity="false">
<AppenderRef ref="sensitiveloggerfile" />
</AsyncLogger>

You will have to keep an eye on your log output to track sensitive details. Perhaps a test user with a distinctive password that could be searched with a cron script. Searching cas code base for 'password' may be to general and would not catch printing of collections.

Ray

On Fri, 2021-07-02 at 16:41 -1000, Baron Fujimoto wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Andy Ng

unread,
Jul 5, 2021, 9:41:34 PM7/5/21
to CAS Community, Ray Bon

Hi Baron,

Ray suggestion is good.

Another way might work is to add this logging property in your host: 

In your case would be something like this:
logging.level.org.apereo.cas.web.flow=INFO

Which should be able to disable the Spring warning per host.

Cheers!
- Andy

Baron Fujimoto

unread,
Jul 6, 2021, 12:56:57 PM7/6/21
to CAS Community, Ray Bon
If logging levels are configured via properties, wouldn't such changes only be picked up when CAS is restarted, or did I miss something to have cas reload its cas.properties? We are running CAS instances with standalone configurations via the cas.properties file. If configured via log4j2.xml, it should poll for changes based on the monitorInterval attribute?

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/73ad3efd-c7f4-4b36-b89f-94a4824e63a7n%40apereo.org.

Baron Fujimoto

unread,
Jul 6, 2021, 1:10:22 PM7/6/21
to CAS Community
Thank you for the info on the ordering of entries and suggestion to use additivity="false".

It's somewhat concerning that there doesn't seem to be a way to confidently ensure that plaintext passwords won't be logged. While I could see using a canary/tripwire password value as an alarm of last resort, by the time it was detected, damage would have been done. In the wrong environment, this could result in required mitigation and remediation work.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1ef4d709940b6ab6a388df1e282b710dd510d82c.camel%40uvic.ca.
Reply all
Reply to author
Forward
0 new messages