[
https://issues.apache.org/jira/browse/CTAKES-455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16181551#comment-16181551
]
Sean Finan commented on CTAKES-455:
-----------------------------------
The display of invalid passwords was added 3 years ago at the request of the
community. However, I completely understand that it is a bad practice.
I am removing the log of the failed password and changing the error message.
> Password shown in clear in logs
> -------------------------------
>
> Key: CTAKES-455
> URL: https://issues.apache.org/jira/browse/CTAKES-455
> Project: cTAKES
> Issue Type: Bug
> Reporter: Alex Zbarcea
> Priority: Minor
> Attachments: no-password-in-logs.CTAKES-455.svn.patch
>
>
> When authentication to UMLS fails, the error shows the passwords used.
> {code}
> $ ./bin/runctakesCVD.sh -desc
> desc/ctakes-clinical-pipeline/desc/analysis_engine/AggregatePlaintextFastUMLSProcessor.xml
> (...)
> 03 Sep 2017 10:35:49 ERROR UmlsUserApprover - UMLS Account at
> https://uts-ws.nlm.nih.gov/restful/isValidUMLSUser is not valid for user
> ###### with ######
> {code}
> Not to log passwords is a security policy enforced in almost all production
> systems (more
> [here|https://security.stackexchange.com/questions/52047/should-i-log-wrong-passwords])
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
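
Removing the log call stops new leaks, but log files written before the fix still hold the submitted passwords. The script below is an added example, not part of the original message or of the cTAKES code: it masks the password in lines of the shape quoted in the report and lists the user names involved. It assumes one log record per line; the sample log, including its user names and passwords, is constructed.

```python
import re

# Message shape taken from the log line quoted in the report (the report masks
# both fields as ######). Assumes one record per line; the password is taken
# as everything after " with " because it may itself contain spaces.
LEAK = re.compile(
    r"UmlsUserApprover - UMLS Account at \S+ is not valid for user "
    r"(?P<user>\S+) with (?P<secret>.*)$"
)
MASK = "[REDACTED]"


def scrub_line(line):
    """Return (line with the password masked, user name or None)."""
    body = line.rstrip("\n")
    m = LEAK.search(body)
    if m is None:
        return line, None
    ending = line[len(body):]  # keep the original newline, if any
    return body[:m.start("secret")] + MASK + ending, m.group("user")


def scrub_log(lines):
    """Mask every leaked password; return (clean lines, affected users)."""
    clean, users = [], set()
    for line in lines:
        fixed, user = scrub_line(line)
        clean.append(fixed)
        if user is not None:
            users.add(user)
    return clean, sorted(users)


# Constructed sample log: logger names, users and passwords are invented.
SAMPLE = [
    "03 Sep 2017 10:35:40 INFO  PipelineRunner - starting\n",
    "03 Sep 2017 10:35:49 ERROR UmlsUserApprover - UMLS Account at "
    "https://uts-ws.nlm.nih.gov/restful/isValidUMLSUser is not valid for user "
    "jdoe with Tr0ub4dor &3\n",
    "03 Sep 2017 10:36:02 ERROR UmlsUserApprover - UMLS Account at "
    "https://uts-ws.nlm.nih.gov/restful/isValidUMLSUser is not valid for user "
    "asmith with winter2017\n",
]

if __name__ == "__main__":
    cleaned, affected = scrub_log(SAMPLE)
    print("".join(cleaned), end="")
    print("rotate credentials for:", ", ".join(affected))
```

The returned user list is the set of accounts whose submitted passwords sat in the log in clear text and are candidates for a credential change.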