DEBUG [org.apache.http.wire] logs are getting printed in keycloak.log file

[atul-epam]

Before reporting an issue

• I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

account/api

Describe the bug

Following logs are getting printed in keycloak.log file with all request parameters including password.

DEBUG [org.apache.http.wire] (executor-thread-1) http-outgoing-1 >>

Version

23.0.4

Regression

• The issue is a regression

Expected behavior

The above log should not get printed.

Actual behavior

Http logs are getting printed with request parameters

How to Reproduce?

Hit the /protocol/openid-connect/token API with all valid parameters.

Anything else?

No response

[atul-epam]

I already referred jfrog/artifactory-client-java#77 but it's not working for me.

[stianst]

I'm closing this as this is expected behaviour.

~invalid

[keycloak-github-bot]

Thanks for reporting this issue. However, after review this is not considered a valid issue, or has been recently resolved.

As the issue is not valid it will be automatically closed.

[atul-epam]

@stianst I can see PASSWORD in following logs in DEBUB/TRACE mode
org.apache.http.wire, org.hibernate.internal.util.EntityPrinter, org.hibernate.orm.jdbc.extract, org.hibernate.orm.results

This is a security threat. Is this expected behavior?

[sschu]

@atul-epam At this layer, the http framework and Hibernate just log raw data. It is not really feasible to filter raw data for sensitive information (and if it was, it would have to be supported by these frameworks). So this behaviour is expected and you should not enable debug or trace logging for these frameworks in production.