JBoss AS Patches: ASPATCH-15

JBAS-3181: LdapExtLoginModule should not log password in TRACE mode



Details

    • Type: Support Patch
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version: JBossAS-4.0.3 SP1
    • Fix Version: JBossAS-4.0.3.SP1_CP01
    • Component: None

    Description

      If you look at the implementation of the method

      private InitialLdapContext constructInitialLdapContext(String dn, Object credential)
          throws NamingException
      {
          Properties env = new Properties();
          Iterator iter = options.entrySet().iterator();
          ...
          env.setProperty(Context.PROVIDER_URL, providerURL);
          env.setProperty(Context.SECURITY_PRINCIPAL, dn);
          env.put(Context.SECURITY_CREDENTIALS, credential);
          super.log.trace("Logging into LDAP server, env=" + env);
          return new InitialLdapContext(env, null);
      }

      The last few lines will unknowingly log the security credentials of the user. This is bad (legally) for corporate users.

      The lines should read as follows:
      =======================================
      env.setProperty(Context.PROVIDER_URL, providerURL);
      env.setProperty(Context.SECURITY_PRINCIPAL, dn);
      super.log.trace("Logging into LDAP server, env=" + env);
      env.put(Context.SECURITY_CREDENTIALS, credential);
      return new InitialLdapContext(env, null);
      ================================================

      Please see JBAS-3181 for details.
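      The leak comes from string concatenation: "env=" + env calls Properties.toString(), which renders every entry, credential included. The Java below is added here as an illustration and is not code from JBoss AS or from this patch. It builds the environment in the reported order, shows the exact line the original trace call would emit, and adds a redacting copy that stays safe even if someone later moves the trace statement back below the put() call. The provider URL, DN, password and the two extra options are constructed sample values; the redact() helper and its key-name heuristic are this example's own, and the credential is assumed to be a String (a char[] would render as an array reference rather than the password).

```java
import java.util.Map;
import java.util.Properties;
import javax.naming.Context;

/**
 * Added example, not JBoss code. Demonstrates what the reported trace line
 * actually logs and a reorder-proof alternative: log a masked copy of env.
 */
public class LdapEnvTrace {

    /** Builds env the way the reported code does: credential stored before the trace call. */
    static Properties buildEnv(String providerUrl, String dn, Object credential) {
        Properties env = new Properties();
        // Assumption: two options copied from the login-module configuration,
        // standing in for the original loop over options.entrySet().
        env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.setProperty(Context.SECURITY_AUTHENTICATION, "simple");
        env.setProperty(Context.PROVIDER_URL, providerUrl);
        env.setProperty(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, credential);
        return env;
    }

    /** The string the original super.log.trace(...) call hands to the logger. */
    static String unsafeTraceMessage(Properties env) {
        // Properties.toString() prints {key=value, ...} for every entry, password included.
        return "Logging into LDAP server, env=" + env;
    }

    /**
     * Copy of env with secret-bearing values masked. Matches the JNDI credential
     * key exactly and, as a belt-and-braces heuristic, any key that looks like a
     * credential or password copied in from the module options.
     */
    static Properties redact(Properties env) {
        Properties copy = new Properties();
        for (Map.Entry<Object, Object> e : env.entrySet()) {
            String key = String.valueOf(e.getKey());
            String lower = key.toLowerCase();
            boolean secret = Context.SECURITY_CREDENTIALS.equals(key)
                    || lower.contains("credential")
                    || lower.contains("password");
            copy.put(key, secret ? "***" : e.getValue());
        }
        return copy;
    }

    /** Trace message that is safe regardless of where the credential was put into env. */
    static String safeTraceMessage(Properties env) {
        return "Logging into LDAP server, env=" + redact(env);
    }

    public static void main(String[] args) {
        // Constructed sample values; no LDAP server is contacted.
        String password = "s3cr3t-Pa55";
        Properties env = buildEnv("ldap://ldap.example.com:389",
                                  "uid=alice,ou=people,dc=example,dc=com", password);

        String unsafe = unsafeTraceMessage(env);
        String safe = safeTraceMessage(env);
        System.out.println(unsafe);
        System.out.println(safe);

        // Check the claim in the report: the original line leaks, the masked one does not.
        if (!unsafe.contains(password)) throw new AssertionError("expected the original trace line to contain the password");
        if (safe.contains(password)) throw new AssertionError("redaction failed");

        // The real credential is still present in env for new InitialLdapContext(env, null).
        if (!password.equals(env.get(Context.SECURITY_CREDENTIALS))) throw new AssertionError("env was altered");
    }
}
```

      Moving the trace statement above env.put(...), as the patch proposes, is the minimal fix and is correct for the credential that constructInitialLdapContext receives. Logging redact(env) instead also protects anything sensitive that the elided loop copies from the module options into env, and it does not depend on statement ordering surviving future edits.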

              People
              ryan.campbell (Inactive)
              Archiver: Sagar Mahajan (samahaja@redhat.com)
