Juraj Misur (Migrated from SEC-3201) said:

Using spring-security-oauth2 2.0.8.RELEASE.

JdbcTokenStore logs the access token whenever it's not found in the database:

```java
try {
    <query>
} catch (EmptyResultDataAccessException e) {
    if (LOG.isInfoEnabled()) {
        LOG.info("Failed to find access token for token " + tokenValue);
    }
}
```

in:

- readAuthenticationForRefreshToken
- readRefreshToken
- readAuthentication
- readAccessToken

When a user logs in OK, an access token is created and then stored, but only after a check whether it is already in the database (readAccessToken), which obviously fails and logs the token.

This exposes all tokens of all successfully logged-in users immediately in the logs (using the default INFO level).

I believe an access token is very sensitive information and it should never appear in the logs. Please remove the logging, or at least set the level to debug or trace, so that a deployment using default settings does not expose this information automatically.
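
An added example (not part of the issue or of spring-security-oauth) for operators who already have logs produced by the affected version: it matches the exact message quoted above, reports which lines leaked a token by a non-reversible fingerprint rather than by re-copying the value, and shows the redaction a log filter could apply before shipping. The sample log lines and token values are constructed.

```python
import hashlib
import re

# The message JdbcTokenStore 2.0.8 writes on a lookup miss, as quoted in the issue.
# The other read* methods use their own wording (not shown here), so extend the
# pattern for them once you have the literal text from your logs.
LEAK_PATTERN = re.compile(r"Failed to find access token for token (?P<token>\S+)")


def token_fingerprint(token: str) -> str:
    """Short SHA-256 prefix: safe to log and to compare against a hashed token table."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def redact_line(line: str) -> str:
    """Replace a leaked token value with its fingerprint; other lines are untouched."""
    def _sub(m: re.Match) -> str:
        token = m.group("token")
        return m.group(0).replace(token, "sha256:" + token_fingerprint(token))
    return LEAK_PATTERN.sub(_sub, line)


def scan_log(lines):
    """Return (line_number, fingerprint) for every line that leaked a token."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = LEAK_PATTERN.search(line)
        if m:
            hits.append((number, token_fingerprint(m.group("token"))))
    return hits


# Constructed sample log lines; the token values are made up.
SAMPLE_LOG = [
    "2015-11-06 10:15:22 INFO  JdbcTokenStore - Failed to find access token for token 0a1b2c3d-4e5f-6789-abcd-ef0123456789",
    "2015-11-06 10:15:22 INFO  TokenEndpoint - Handling token request for client demo",
    "2015-11-06 10:15:30 INFO  JdbcTokenStore - Failed to find access token for token ffffffff-0000-1111-2222-333333333333",
]

if __name__ == "__main__":
    for number, fp in scan_log(SAMPLE_LOG):
        print(f"line {number}: access token leaked, fingerprint {fp}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```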

Comment From: rwinch

Closing this because the code exists in spring-security-oauth and not spring-security. It is worth mentioning that it was fixed in https://github.com/spring-attic/spring-security-oauth/commit/fccc0e1e809515ed067a1e723c51c221bdfdf3ea and that the project is now EOL with replacements.