Uploaded image for project: 'Application Server 3  4  5 and 6'
  1. Application Server 3 4 5 and 6
  2. JBAS-3181

LdapExtLoginModule should not log password in TRACE mode

    XMLWordPrintable

Details

    • Low

    Description

      If you look at the implementation of the method

      private InitialLdapContext constructInitialLdapContext(String dn, Object credential) throws NamingException

      { Properties env = new Properties(); Iterator iter = options.entrySet().iterator(); ... env.setProperty(Context.PROVIDER_URL, providerURL); env.setProperty(Context.SECURITY_PRINCIPAL, dn); env.put(Context.SECURITY_CREDENTIALS, credential); super.log.trace("Logging into LDAP server, env=" + env); return new InitialLdapContext(env, null); }

      The last few lines will unknowingly log the security credentials of the user. This is bad (legally) for corporate users.

      The lines should read as follows:
      =======================================
      env.setProperty(Context.PROVIDER_URL, providerURL);
      env.setProperty(Context.SECURITY_PRINCIPAL, dn);
      super.log.trace("Logging into LDAP server, env=" + env);
      env.put(Context.SECURITY_CREDENTIALS, credential);
      return new InitialLdapContext(env, null);
      ================================================

      Attachments

        Activity

          People

            ryan.campbell_jira ryan.campbell (Inactive)
            anil.saldhana Anil Saldanha (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: