Why does the hawtio console expose the user password?
Issue
- The "Hawtio" console in JBoss Fuse 6.1.0 exposes the user's password. Can it be avoided?
- The "Hawtio" console makes the password of the currently logged-in user visible when checking container URLs.
- Following are the steps to reproduce the issue:
  - Install a fresh "jboss-fuse-full-6.1.0.redhat-379.zip".
  - Start Fuse and then create a fabric as follows:

        JBossFuse:karaf@root> fabric:create
        Waiting for container: root
        Using specified zookeeper password:admin
        It may take a couple of seconds for the container to provision...
        You can use the --wait-for-provisioning option, if you want this command to block until the container is provisioned.

  - Access the hawtio web console and then navigate to the following URL:

        http://localhost:8181/hawtio/index.html#/fabric/container/root?tab=URLs

  - Check the URL, which shows the password in clear text:

        git clone -b 1.0 http://admin:admin@aaa.com:8181/git/fabric
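The exposure above is a credential embedded as URL userinfo (`user:password@host`). The following is an added example, not code from the article or from the Fuse/hawtio projects: a small checker that flags such URLs in text a console or log might display, and a redaction helper that strips the userinfo before the text is shown or stored. The sample lines are constructed from the URL quoted above.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the git URL rendered on the container "URLs" tab,
# plus a second URL without credentials as a control.
SAMPLE_LINES = [
    "git clone -b 1.0 http://admin:admin@aaa.com:8181/git/fabric",
    "http://aaa.com:8181/jolokia",
]

# Matches scheme://... up to whitespace or a quote; good enough for UI/log text.
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s\"'<>]+", re.IGNORECASE)


def has_embedded_credentials(url: str) -> bool:
    """True if the URL carries a username and/or password in its authority part."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def redact_url(url: str) -> str:
    """Return the URL with any userinfo removed; host, port, path and query are kept."""
    parts = urlsplit(url)
    if not has_embedded_credentials(url):
        return url
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    netloc = f"{host}:{parts.port}" if parts.port else host
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redact_line(line: str) -> str:
    """Redact every credential-bearing URL found in a line of text."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), line)


def find_leaks(lines):
    """Return (line_number, url) for each URL that embeds credentials."""
    leaks = []
    for number, line in enumerate(lines, 1):
        for match in URL_RE.finditer(line):
            if has_embedded_credentials(match.group(0)):
                leaks.append((number, match.group(0)))
    return leaks


if __name__ == "__main__":
    for number, url in find_leaks(SAMPLE_LINES):
        print(f"line {number}: credentials in URL -> {redact_url(url)}")
```

Redaction only hides the value in what is displayed; the zookeeper/admin password itself still needs to be changed from its default and rotated if it has been exposed.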
Environment
- JBoss Fuse
- 6.1.0