Is there a way to configure WebLogic to prevent the plain-text j_password (JAAS) from appearing in log files?
I am getting j_password in several files, for example:
- AdminServer/incident/incdir_322/readme.txt
- AdminServer/incident/incdir_326/odl_logs1435_i326.txt
- AdminServer/logs/access.log
[2013-11-08T16:39:51.000-08:00] [AdminServer] [ERROR] [HTTP-500][WebServer] [host: adc23243] [nwaddr: 10.221.18.101] [ecid:5d85e564-18d9-40da- a581-fa03fc3d8f06-0011f7fb,0] [cs-method: GET] [cs-uri:@ /mypage/faces/main/A1011903588? j_password=mypass&j_username=myuser &_afrRedirect=988723932710064] [bytes: 176] [LOG_FILE: /scratch/user_projects/domains/base_domain/servers/AdminServer/logs/access.log] GET @ /mypage/faces/main/A1011903588? j_password=mypass&j_username=myuser &_afrRedirect=988723932710064
This seems very worrying; even a server administrator should not be able to access confidential information just by changing the log level.
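An added example, not part of the original post: a small Python scanner that finds log lines carrying a password in the request URI, as in the access.log entry above, and masks the value. It works on files already written and does not change what WebLogic logs; the parameter names other than j_password and the sample lines are constructed assumptions.

```python
import re

# Parameter names treated as secrets. j_password is the one reported in the
# post; the other names are assumptions added for illustration.
SENSITIVE_PARAMS = ("j_password", "password", "passwd")

# name=value inside a URI; the value ends at '&', whitespace, ']' or a quote.
# The lookbehind stops "password" from matching inside "j_password".
_PATTERN = re.compile(
    r"(?<![A-Za-z0-9_])("
    + "|".join(re.escape(p) for p in SENSITIVE_PARAMS)
    + r")=([^&\s\]\"']*)",
    re.IGNORECASE,
)


def redact_line(line, mask="***REDACTED***"):
    """Return (redacted_line, number_of_values_masked)."""
    return _PATTERN.subn(lambda m: m.group(1) + "=" + mask, line)


def scan(lines):
    """Yield (line_number, redacted_line) for each line that held a secret."""
    for number, line in enumerate(lines, start=1):
        redacted, hits = redact_line(line)
        if hits:
            yield number, redacted


# Constructed sample lines, modelled on the formats shown in the post.
SAMPLE = [
    "[2013-11-08T16:39:51.000-08:00] [AdminServer] [ERROR] [cs-method: GET] "
    "[cs-uri: /mypage/faces/main?j_password=mypass&j_username=myuser] [bytes: 176]",
    '10.0.0.5 - - [08/Nov/2013:16:40:02 -0800] '
    '"GET /mypage/faces/main?j_username=myuser HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/Nov/2013:16:40:07 -0800] '
    '"GET /mypage/login?j_username=myuser&j_password=mypass HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for number, redacted in scan(SAMPLE):
        print(f"line {number}: {redacted}")
```

Any password found this way has already been written to disk in clear text, so it should be treated as exposed and changed.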