Application Server 3 4 5 and 6
JBAS-3181

LdapExtLoginModule should not log password in TRACE mode


    Details

    • Estimated Difficulty:
      Low

      Description

      If you look at the implementation of the method

      private InitialLdapContext constructInitialLdapContext(String dn, Object credential) throws NamingException
      {
          Properties env = new Properties();
          Iterator iter = options.entrySet().iterator();
          ...
          env.setProperty(Context.PROVIDER_URL, providerURL);
          env.setProperty(Context.SECURITY_PRINCIPAL, dn);
          env.put(Context.SECURITY_CREDENTIALS, credential);
          super.log.trace("Logging into LDAP server, env=" + env);
          return new InitialLdapContext(env, null);
      }

      The last few lines silently log the user's security credentials, because the credential has already been put into env when env is rendered into the trace message. This is bad (legally) for corporate users.

      The lines should read as follows:
      =======================================
      env.setProperty(Context.PROVIDER_URL, providerURL);
      env.setProperty(Context.SECURITY_PRINCIPAL, dn);
      super.log.trace("Logging into LDAP server, env=" + env);
      env.put(Context.SECURITY_CREDENTIALS, credential);
      return new InitialLdapContext(env, null);
      ================================================
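      The following is an added example, not the JBoss LdapExtLoginModule code. It reproduces the reported ordering and the proposed ordering as small functions that return the trace message instead of logging it, so a unit test can check whether the password ends up in the text. It also shows a second defensive form (an assumption, not part of the report): logging a redacted copy of env, which stays safe even if the lines are reordered again later. Class, method and sample values (URL, DN, password) are constructed.

```java
import java.util.Properties;
import javax.naming.Context;

/*
 * Added example (not the JBoss LdapExtLoginModule code): shows why the
 * ordering in the report matters and an explicit-redaction variant that
 * survives future reordering of the lines. Names and values are constructed.
 */
public class LdapEnvTraceExample {

    /** Builds the trace message the way the reported code does: credential added first. */
    static String traceMessageLeaking(String providerUrl, String dn, Object credential) {
        Properties env = new Properties();
        env.setProperty(Context.PROVIDER_URL, providerUrl);
        env.setProperty(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, credential);
        // Properties.toString() renders every entry, so a String credential is printed verbatim.
        return "Logging into LDAP server, env=" + env;
    }

    /** Builds the message with the ordering the report proposes: render env, then add the credential. */
    static String traceMessageFixed(String providerUrl, String dn, Object credential) {
        Properties env = new Properties();
        env.setProperty(Context.PROVIDER_URL, providerUrl);
        env.setProperty(Context.SECURITY_PRINCIPAL, dn);
        String message = "Logging into LDAP server, env=" + env;
        env.put(Context.SECURITY_CREDENTIALS, credential); // inserted only after the message exists
        return message;
    }

    /**
     * Defensive alternative (assumption, not from the report): render a copy of the
     * environment with the credential entry masked, so the message is safe no matter
     * when the credential was inserted.
     */
    static String redactedEnv(Properties env) {
        Properties copy = new Properties();
        copy.putAll(env);
        if (copy.containsKey(Context.SECURITY_CREDENTIALS)) {
            copy.put(Context.SECURITY_CREDENTIALS, "****");
        }
        return copy.toString();
    }

    /** The check a unit test would run over captured log text: does it still carry the secret? */
    static boolean leaksSecret(String logText, String secret) {
        return logText.contains(secret);
    }

    public static void main(String[] args) {
        // Constructed sample values; none of these point at a real directory.
        String url = "ldap://ldap.example.invalid:389";
        String dn = "cn=alice,ou=people,dc=example,dc=invalid";
        String secret = "correct-horse-battery";

        String leaking = traceMessageLeaking(url, dn, secret);
        String fixed = traceMessageFixed(url, dn, secret);

        Properties full = new Properties();
        full.setProperty(Context.PROVIDER_URL, url);
        full.setProperty(Context.SECURITY_PRINCIPAL, dn);
        full.put(Context.SECURITY_CREDENTIALS, secret);
        String masked = "Logging into LDAP server, env=" + redactedEnv(full);

        System.out.println("reported ordering leaks password: " + leaksSecret(leaking, secret));
        System.out.println("proposed ordering leaks password: " + leaksSecret(fixed, secret));
        System.out.println("redacted copy leaks password:     " + leaksSecret(masked, secret));
        System.out.println(masked);
    }
}
```

      Running main prints, for each of the three messages, whether the constructed password is still present in the text; only the reported ordering carries it. The leaksSecret check is the kind of assertion worth keeping in a regression test around any login module that traces its JNDI environment, since a later edit that moves the put call back above the trace line would otherwise go unnoticed.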


              People

              Assignee: ryan.campbell (Inactive)
              Reporter: Anil Saldanha (anil.saldhana) (Inactive)