Details
- Bug
- Resolution: Done
- Critical
- JBossAS-4.0.3 SP1
- None
- Low
Description
If you look at the implementation of the method

private InitialLdapContext constructInitialLdapContext(String dn, Object credential) throws NamingException
{
    Properties env = new Properties();
    Iterator iter = options.entrySet().iterator();
    ...
    env.setProperty(Context.PROVIDER_URL, providerURL);
    env.setProperty(Context.SECURITY_PRINCIPAL, dn);
    env.put(Context.SECURITY_CREDENTIALS, credential);
    super.log.trace("Logging into LDAP server, env=" + env);
    return new InitialLdapContext(env, null);
}

The last few lines will unknowingly log the security credentials of the user. This is bad (legally) for corporate users.
The lines should read as follows:
=======================================
env.setProperty(Context.PROVIDER_URL, providerURL);
env.setProperty(Context.SECURITY_PRINCIPAL, dn);
super.log.trace("Logging into LDAP server, env=" + env);
env.put(Context.SECURITY_CREDENTIALS, credential);
return new InitialLdapContext(env, null);
================================================
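As an added illustration (not code from the JBoss source or from this report), a small Java helper that makes the log line safe regardless of the order in which the environment is populated: the env is copied with the credential masked before it is rendered. The class name, the helper names, and the provider URL, DN and password are constructed sample values, not taken from the project.

```java
import java.util.Map;
import java.util.Properties;
import javax.naming.Context;

/** Redacts JNDI credentials from an environment before it is logged. */
public final class LdapEnvLogging {

    /** Keys whose values must never reach a log line (SECURITY_CREDENTIALS plus anything
     *  whose name suggests a password or credential). */
    static boolean isSecret(String key) {
        if (Context.SECURITY_CREDENTIALS.equals(key)) {
            return true;
        }
        String k = key.toLowerCase();
        return k.contains("password") || k.contains("credential");
    }

    /** Returns a copy of env that is safe to log: secret values replaced by "****". */
    public static Properties redactForLog(Properties env) {
        Properties copy = new Properties();
        for (Map.Entry<Object, Object> e : env.entrySet()) {
            String key = String.valueOf(e.getKey());
            copy.put(key, isSecret(key) ? "****" : String.valueOf(e.getValue()));
        }
        return copy;
    }

    /** Reproduces the pattern from the report without contacting any LDAP server. */
    public static void main(String[] args) {
        Properties env = new Properties();
        env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.setProperty(Context.PROVIDER_URL, "ldap://ldap.example.invalid:389");       // constructed
        env.setProperty(Context.SECURITY_PRINCIPAL, "uid=jdoe,ou=People,dc=example,dc=invalid"); // constructed
        env.put(Context.SECURITY_CREDENTIALS, "constructed-sample-password");            // constructed

        // Unsafe: Properties.toString() renders every entry, credential included.
        // String leaky = "Logging into LDAP server, env=" + env;

        // Safe: the original env is untouched (still usable for InitialLdapContext),
        // only the logged copy is masked.
        System.out.println("Logging into LDAP server, env=" + redactForLog(env));
    }
}
```

The masked copy is only for the log statement; the unmodified env is what gets passed to new InitialLdapContext(env, null).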