Encrypted password and password in clear text


tanguay....@gmail.com

Sep 21, 2020, 9:32:10 AM9/21/20
to H2 Database
Hello,

I'm pretty new to H2 Database, so I need some help.

How can we secure the H2 Console password? The security team will not appreciate the password in clear text in the log file.

09-21 09:23:22.495 [http-nio-10003-exec-7] DEBUG o.s.w.f.CommonsRequestLoggingFilter - REQUEST DATA : uri=/actuator/health]
09-21 09:23:25.488 [http-nio-10003-exec-3] DEBUG o.s.w.f.CommonsRequestLoggingFilter - Before request [uri=/h2-console/login.do?jsessionid=798878b1e497b8e24e2326f1bdddd787]
09-21 09:23:26.566 [http-nio-10003-exec-3] DEBUG o.s.w.f.CommonsRequestLoggingFilter - REQUEST DATA : uri=/h2-console/login.do?jsessionid=798878b1e497b8e24e2326f1bdddd787;payload=jsessionid=798878b1e497b8e24e2326f1bdddd787&language=en&setting=Generic+H2+%28Embedded%29&name=Generic+H2+%28Embedded%29&driver=org.h2.Driver&url=jdbc%3Ah2%3Amem%3Atestdb&user=sa&password=fds]

Evgenij Ryazanov

Sep 22, 2020, 1:04:25 AM9/22/20
to H2 Database
Hello.

Your problem is not related to H2 and is not related to your web server. The problem is in CommonsRequestLoggingFilter from Spring or in its configuration. Why does it log requests to H2 Console? You need to exclude H2 Console URLs and possibly other unrelated URLs from that filter. H2 Console passes passwords as POST parameters just like most other web applications; just don't log them.

From the security perspective you shouldn't use H2 Console launched from third-party libraries. It would be much safer to configure it yourself in a secure way with appropriate security constraints, or at least add additional security constraints. H2 Console needs protection from unauthorized users, especially in old versions of H2. Normally you should create user(s) on your web server (see its documentation for details) and a role, and configure access only for users that have that role:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>H2 Console</web-resource-name>
        <!-- /h2-console/* also covers sub-paths such as /h2-console/login.do -->
        <url-pattern>/h2-console/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
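The first part of the answer above (keep the H2 Console login out of the request log) as an added Spring Boot example; this is not code from the thread or from the H2 project. It assumes a Spring Boot 2.x application with javax.servlet (Spring Boot 3 uses jakarta.servlet instead), and the bean name, path prefix and redaction regex are choices made here, not Spring defaults.

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.CommonsRequestLoggingFilter;

@Configuration
public class RequestLoggingConfig {

    // Path prefixes whose requests must never reach the log (assumed mount point).
    private static final Set<String> UNLOGGED_PREFIXES = Set.of("/h2-console");

    // Defence in depth: even for logged paths, blank out any password-like field
    // in the captured payload or query string (e.g. "...&password=fds]").
    private static final String SECRET_PARAM = "(?i)(password|passwd|pwd)=[^&\\]\\s]*";

    @Bean
    public CommonsRequestLoggingFilter requestLoggingFilter() {
        CommonsRequestLoggingFilter filter = new CommonsRequestLoggingFilter() {
            // Skip logging entirely for the H2 Console (login.do carries the DB password).
            @Override
            protected boolean shouldLog(HttpServletRequest request) {
                String path = request.getRequestURI();
                return UNLOGGED_PREFIXES.stream().noneMatch(path::startsWith);
            }

            // Redact secrets in whatever message the filter builds for other paths.
            @Override
            protected String createMessage(HttpServletRequest request,
                                           String prefix, String suffix) {
                String message = super.createMessage(request, prefix, suffix);
                return message.replaceAll(SECRET_PARAM, "$1[REDACTED]");
            }
        };
        filter.setIncludeQueryString(true);
        filter.setIncludePayload(true);
        filter.setMaxPayloadLength(1000);
        filter.setIncludeHeaders(false);   // headers may carry Authorization tokens
        filter.setBeforeMessagePrefix("REQUEST DATA : ");
        return filter;
    }
}
```

With this bean in place, the `/h2-console/login.do` request from the original log is no longer written at all, and a `password=` parameter on any other path is logged as `password=[REDACTED]`.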