Fixes are available
APAR status
Closed as program error.
Error description
If an error happens to occur during login, and the logging level is ERROR, secure details such as the password are logged in the server log file. Here's a sample log that gets generated by WL when an exception occurs:

[ERROR ] SRVE0777E: Exception thrown by application class 'com.worklight.core.auth.impl.AuthenticationContext.checkAuthentication:522'
com.worklight.server.auth.api.WorkLightAuthenticationException
    at com.worklight.core.auth.impl.AuthenticationContext.checkAuthentication(AuthenticationContext.java:522)
    at com.worklight.core.auth.impl.AuthenticationContext.login(AuthenticationContext.java:610)
    at com.worklight.core.auth.impl.AuthenticationServiceBean.login(AuthenticationServiceBean.java:120)
    at com.worklight.gadgets.serving.handler.LoginOnDemandHandler.doPost(LoginOnDemandHandler.java:69)
    at com.worklight.gadgets.serving.GadgetAPIServlet.doGetOrPost(GadgetAPIServlet.java:140)
    at com.worklight.gadgets.serving.GadgetAPIServlet.doPost(GadgetAPIServlet.java:102)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1240)
    at [internal classes]
    at com.worklight.core.auth.impl.AuthenticationFilter$1.execute(AuthenticationFilter.java:199)
    at com.worklight.core.auth.impl.AuthenticationServiceBean.accessResource(AuthenticationServiceBean.java:76)
    at com.worklight.core.auth.impl.AuthenticationFilter.doFilter(AuthenticationFilter.java:203)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:194)
    at [internal classes]
[ERROR ] FWLSE0099E: An error occurred while invoking procedure [project worklight]bosLoginAdapter/verifyCredentialFWLSE0100E: parameters: [project worklight]{ "arr": [ { "credential": "fdde6eefe0b2d035b9a5fd93c4418e75", "lang": "en", "mfaDevicePrint": "...", "mfaDeviceToken": "...", "password": "123456" } ] }

The entire payload is being logged when a WL exception occurs. The specific concern is around sensitive fields such as the password. The log should not log the payload of the request.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:                                              *
* Administrators of an IBM Worklight system.                   *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* The full client request payload is logged when an error      *
* occurs, which may expose private information.                *
****************************************************************
* RECOMMENDATION:                                              *
* -                                                            *
****************************************************************
Problem conclusion
The code has been fixed so that known private information (such as passwords) is not logged.
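
One way to keep private fields out of an error log, shown as an added example; it is not IBM's fix and not code from Worklight. The key list, the mask text and the helper names redact and formatProcedureError are assumptions, and the sample payload is constructed to match the one in the log above.

```javascript
// Added example: mask private fields in a request payload before it is logged.
// SENSITIVE_KEYS is an assumed list taken from the field names in the sample log.
const SENSITIVE_KEYS = new Set(['password', 'credential', 'mfadeviceprint', 'mfadevicetoken']);
const MASK = '[REDACTED]';

// Return a deep copy of `value` with sensitive fields masked at any nesting depth.
// `ancestors` tracks the current path only, so shared references are still copied.
function redact(value, ancestors = new WeakSet()) {
  if (value === null || typeof value !== 'object') return value;
  if (ancestors.has(value)) return '[CIRCULAR]'; // self-reference: stop here
  ancestors.add(value);
  let out;
  if (Array.isArray(value)) {
    out = value.map((v) => redact(v, ancestors));
  } else {
    out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SENSITIVE_KEYS.has(key.toLowerCase()) ? MASK : redact(v, ancestors);
    }
  }
  ancestors.delete(value);
  return out;
}

// Hypothetical helper: the log line is built from the redacted copy only.
function formatProcedureError(procedure, params) {
  let safe;
  try {
    safe = JSON.stringify(redact(params));
  } catch (err) {
    safe = '"[UNSERIALIZABLE]"'; // fail closed: never fall back to the raw payload
  }
  return `Error invoking procedure ${procedure}; parameters: ${safe}`;
}

// Constructed sample shaped like the payload in the log above.
const samplePayload = {
  arr: [{
    credential: 'fdde6eefe0b2d035b9a5fd93c4418e75',
    lang: 'en',
    mfaDevicePrint: '...',
    mfaDeviceToken: '...',
    password: '123456',
  }],
};

console.log(formatProcedureError('bosLoginAdapter/verifyCredential', samplePayload));
```

The original payload object is not modified, so the request can still be processed after the log line is written.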
Temporary fix
Comments
APAR Information
APAR number
PI08960
Reported component name
WORKLIGHT CONSU
Reported component ID
5725I4301
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-01-06
Closed date
2014-04-06
Last modified date
2014-04-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WORKLIGHT CONSU
Fixed component ID
5725I4301
Applicable component levels
R600 PSY
UP
R610 PSY
UP
Document Information
Modified date:
13 October 2021