[GeoNetwork-devel] username and password displayed in log file

Hello List,

I am running GeoNetwork inside Tomcat. When a user logs in, the username and password are displayed in the log. How can I prevent this?

Regards

Greg Coleman.

------------------------------------------------------------------------
 The information contained in this communication is  for the use of the 
 individual  or  entity  to  whom  it  is  addressed, and  may  contain 
 information which is the  subject of legal privilege and/or copyright. 
 If you have received this  communication in  error, please  notify the 
 sender by return E-Mail and delete the transmission, together with any 
 attachments, from your system. Thank you.
-------------------------------------------------------------------------

I'd also like to know if it's possible to use some kind of hashing of
the database username and password in the config.xml file. Also,
usernames and passwords for GN are stored as clear text in the database.

Clearly GN still has some security risks to be resolved and I'm sure
these will be tackled in time, but it would be worth adding them to an
issues log.

Sorry I'm no help...

Greg Byrom

________________________________

From: geonetwork-devel-bounces@lists.sourceforge.net
[mailto:geonetwork-devel-bounces@lists.sourceforge.net] On Behalf Of
Greg Coleman
Sent: 16 February 2007 03:33
To: geonetwork-devel@lists.sourceforge.net
Subject: [GeoNetwork-devel] username and password displayed in log file

Hello List,

I am running GeoNetwork inside Tomcat. When a user logs in,
the username and password are displayed in the log. How can I prevent
this?

Regards

Greg Coleman.


This email is only intended for the person to whom it is addressed and may contain confidential information. If you have received this email in error, please notify the sender and delete this email which must not be copied, distributed or disclosed to any other person.

Unless stated otherwise, the contents of this email are personal to the writer and do not represent the official view of Ordnance Survey. Nor can any contract be formed on Ordnance Survey's behalf via email. We reserve the right to monitor emails and attachments without prior notice.

Thank you for your cooperation.

Ordnance Survey
Romsey Road
Southampton SO16 4GU
Tel: 08456 050505
http://www.ordnancesurvey.co.uk

Under geonetwork 2.1 you can edit the file web/WEB-INF/log4j.cfg and
change the line:

log4j.logger.jeeves = DEBUG, jeeves, console

into:

log4j.logger.jeeves = INFO, jeeves, console

this will prevent the service parameters from being logged.

Cheers,
Andrea
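
As an added example (not part of the original thread and not GeoNetwork code), the following check parses a log4j 1.x properties file such as web/WEB-INF/log4j.cfg and lists every logger whose effective level is DEBUG or more verbose, resolving levels inherited through the dotted logger hierarchy. It assumes `key = value` syntax; apart from the `log4j.logger.jeeves` line, the sample logger names and levels are hypothetical.

```python
"""Audit a log4j 1.x properties file for loggers left at a verbose level."""

VERBOSE = {"ALL", "TRACE", "DEBUG"}
ROOT_KEYS = ("log4j.rootLogger", "log4j.rootCategory")
LOGGER_PREFIXES = ("log4j.logger.", "log4j.category.")

# Constructed sample. Only the log4j.logger.jeeves line is from the thread;
# the other logger names and levels are hypothetical.
SAMPLE_CFG = """\
log4j.rootLogger = WARN, console
log4j.logger.jeeves = DEBUG, jeeves, console
log4j.logger.jeeves.hypothetical.child = INHERITED
log4j.logger.geonetwork = INFO, console
"""


def parse_levels(text):
    """Map logger name to its configured level (None = inherit); '' is root."""
    levels = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key in ROOT_KEYS:
            name = ""
        else:
            prefix = next((p for p in LOGGER_PREFIXES if key.startswith(p)), None)
            if prefix is None:               # appender or other setting
                continue
            name = key[len(prefix):]
        level = value.split(",")[0].strip().upper()
        levels[name] = None if level in ("", "INHERITED", "NULL") else level
    return levels


def effective_level(levels, name):
    """Walk up the dotted logger hierarchy until a level is set."""
    while True:
        level = levels.get(name)
        if level:
            return level
        if not name:
            return "DEBUG"                   # log4j 1.x root logger default
        name = name.rpartition(".")[0]


def verbose_loggers(text):
    """Return (logger, effective level) pairs that would emit DEBUG output."""
    levels = parse_levels(text)
    found = [(n or "<root>", effective_level(levels, n)) for n in levels]
    return sorted(pair for pair in found if pair[1] in VERBOSE)


if __name__ == "__main__":
    for name, level in verbose_loggers(SAMPLE_CFG):
        print(f"{name}: effective level {level}")
```

A child logger that sets its own DEBUG level keeps logging at DEBUG after the parent line is changed to INFO, which is why the check resolves each configured logger separately.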


Is there a way to do this in version 2.0.2?

-----Original Message-----
From: geonetwork-devel-bounces@lists.sourceforge.net
[mailto:geonetwork-devel-bounces@lists.sourceforge.net] On Behalf Of
Andrea Carboni
Sent: Friday, 16 February 2007 21:13 PM
To: geonetwork-devel@lists.sourceforge.net
Subject: Re: [GeoNetwork-devel] username and password displayed in log
file

Under geonetwork 2.1 you can edit the file web/WEB-INF/log4j.cfg and
change the line:

log4j.logger.jeeves = DEBUG, jeeves, console

into:

log4j.logger.jeeves = INFO, jeeves, console

this will prevent the service parameters from being logged.

Cheers,
Andrea

_______________________________________________
GeoNetwork-devel mailing list
GeoNetwork-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
GeoNetwork OpenSource is maintained at
http://sourceforge.net/projects/geonetwork


Hi Greg,

I don't remember quite well but try to put <debug> to 'false' in the
config.xml file.

Cheers,
Andrea


Hi,

I was wondering if there is any way to identify the elements within the GN
catalogue. I need to link these elements from external locations and so far
I've seen that I could use dc:identifier and mdFileId. This "solution"
doesn't seem to be the best and maybe there is an internal GN identifier
that I could use instead.

Thanks in advance,

Walter.

Hi Andrea,
  Sorry to keep harping on this so sporadically.
  I tried what you suggested but it does not work. We cannot stop
the password from logging in version 2.0.2.

  So we want to use version 2.1 but is it stable?
  Which version would you suggest alpha1, alpha2 or beta?

Cheers

Greg.

-----Original Message-----
From: geonetwork-devel-bounces@lists.sourceforge.net
[mailto:geonetwork-devel-bounces@lists.sourceforge.net] On Behalf Of
Andrea Carboni
Sent: Thursday, 15 March 2007 21:25 PM
To: geonetwork-devel@lists.sourceforge.net
Subject: Re: [GeoNetwork-devel] username and password displayed in log
file

Hi Greg,

I don't remember quite well but try to put <debug> to 'false' in the
config.xml file.

Cheers,
Andrea


Hi Greg,
A next beta release will be out in about a week. Andrea will add encryption of the passwords in the database and that should be available in the final release.
The betas are not stable yet.
Ciao,
Jeroen

On 15 May 2007, at 8:24 AM, Greg Coleman wrote:

Hi Andrea,
  Sorry to keep harping on this so sporadically.
  I tried what you suggested but it does not work. We cannot stop
the password from logging in version 2.0.2.

  So we want to use version 2.1 but is it stable?
  Which version would you suggest alpha1, alpha2 or beta?

Cheers

Greg.
