IBM Support

PI08960: WL RUNTIME LOGS THE FULL CLIENT REQUEST WHEN AN ERROR HAPPENS


APAR status

  • Closed as program error.

Error description

  • If an error occurs during login and the logging level is ERROR,
    sensitive details such as the password are logged in the
    server log file.
    Here's a sample log that gets generated by WL when an exception
    occurs:
    [ERROR   ] SRVE0777E: Exception thrown by application class 'com.worklight.core.auth.impl.AuthenticationContext.checkAuthentication:522'
    com.worklight.server.auth.api.WorkLightAuthenticationException
    at com.worklight.core.auth.impl.AuthenticationContext.checkAuthentication(AuthenticationContext.java:522)
    at com.worklight.core.auth.impl.AuthenticationContext.login(AuthenticationContext.java:610)
    at com.worklight.core.auth.impl.AuthenticationServiceBean.login(AuthenticationServiceBean.java:120)
    at com.worklight.gadgets.serving.handler.LoginOnDemandHandler.doPost(LoginOnDemandHandler.java:69)
    at com.worklight.gadgets.serving.GadgetAPIServlet.doGetOrPost(GadgetAPIServlet.java:140)
    at com.worklight.gadgets.serving.GadgetAPIServlet.doPost(GadgetAPIServlet.java:102)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1240)
    at [internal classes]
    at com.worklight.core.auth.impl.AuthenticationFilter$1.execute(AuthenticationFilter.java:199)
    at com.worklight.core.auth.impl.AuthenticationServiceBean.accessResource(AuthenticationServiceBean.java:76)
    at com.worklight.core.auth.impl.AuthenticationFilter.doFilter(AuthenticationFilter.java:203)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:194)
    at [internal classes]

    [ERROR   ] FWLSE0099E: An error occurred while invoking procedure  [project worklight]bosLoginAdapter/verifyCredentialFWLSE0100E: parameters: [project worklight]{
       "arr": [
          {
             "credential": "fdde6eefe0b2d035b9a5fd93c4418e75",
             "lang": "en",
             "mfaDevicePrint": "...",
             "mfaDeviceToken": "...",
             "password": "123456"
          }
       ]
    }
    The entire payload is being logged when a WL exception occurs.
    The specific concern is around sensitive fields such as the
    password.
    The log should not log the payload of the request.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * Administrators of an IBM Worklight system.                   *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * The full client request payload is logged when an error      *
    * occurs, which may expose private information.                *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * -                                                            *
    ****************************************************************
    

Problem conclusion

  • The code has been fixed so that known private information (such
    as passwords) is not logged.
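
Log files written before the fix can still contain the dumped parameters. The following is an added example, not IBM code: it rewrites FWLSE0100E parameter dumps in a log string so that sensitive values are replaced. The list of sensitive field names, the `[REDACTED]` marker and the sample log are assumptions constructed for illustration.

```python
import json
import re

# Assumed sensitive field names (lower-case); extend for your adapters.
SENSITIVE_KEYS = {"password", "credential", "mfadevicetoken"}
# Start of a parameter dump, as in the FWLSE0100E sample above.
PARAM_MARKER = re.compile(r"parameters:\s*\[project [^\]]*\]\s*(?=\{)")
# Constructed sample log; all values are made up.
SAMPLE = """[ERROR   ] FWLSE0099E: An error occurred while invoking procedure
[project demo]loginAdapter/verifyFWLSE0100E: parameters: [project demo]{
   "arr": [
      {"credential": "c0ffee", "lang": "en", "mfaDeviceToken": "tok-1", "password": "hunter2"}
   ]
}
[INFO    ] next entry
"""

def _redact(node, path, hits):
    """Replace values of sensitive keys in place, recording each path."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_KEYS:
                node[key] = "[REDACTED]"
                hits.append(here)
            else:
                _redact(value, here, hits)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _redact(item, f"{path}[{i}]", hits)

def scrub_log(text):
    """Return (scrubbed_text, findings) for the contents of a server log."""
    decoder = json.JSONDecoder()
    out, hits, pos = [], [], 0
    for m in PARAM_MARKER.finditer(text):
        if m.end() < pos:
            continue  # marker sits inside a dump that was already rewritten
        try:
            payload, end = decoder.raw_decode(text, m.end())
        except json.JSONDecodeError:
            hits.append(f"<unparsed dump at offset {m.start()}>")
            continue  # truncated or non-JSON: flag for manual review
        _redact(payload, "", hits)
        out += [text[pos:m.end()], json.dumps(payload, indent=3)]
        pos = end
    out.append(text[pos:])
    return "".join(out), hits
```

The findings list names the redacted fields without echoing their values, and a dump that cannot be parsed is reported rather than silently skipped.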
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI08960

  • Reported component name

    WORKLIGHT CONSU

  • Reported component ID

    5725I4301

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-01-06

  • Closed date

    2014-04-06

  • Last modified date

    2014-04-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WORKLIGHT CONSU

  • Fixed component ID

    5725I4301

Applicable component levels

  • R600 PSY

       UP

  • R610 PSY

       UP

Document Information

Modified date:
13 October 2021