Project: Application Server 3 4 5 and 6
Issue: JBAS-3181

LdapExtLoginModule should not log password in TRACE mode


    Details

    • Estimated Difficulty:
      Low

      Description

      If you look at the implementation of the method

      private InitialLdapContext constructInitialLdapContext(String dn, Object credential) throws NamingException
      {
          Properties env = new Properties();
          Iterator iter = options.entrySet().iterator();
          ...
          env.setProperty(Context.PROVIDER_URL, providerURL);
          env.setProperty(Context.SECURITY_PRINCIPAL, dn);
          env.put(Context.SECURITY_CREDENTIALS, credential);
          super.log.trace("Logging into LDAP server, env=" + env);
          return new InitialLdapContext(env, null);
      }

      The last few lines will unknowingly log the security credentials of the user. This is bad (legally) for corporate users.

      The lines should read as follows:
      =======================================
      env.setProperty(Context.PROVIDER_URL, providerURL);
      env.setProperty(Context.SECURITY_PRINCIPAL, dn);
      super.log.trace("Logging into LDAP server, env=" + env);
      env.put(Context.SECURITY_CREDENTIALS, credential);
      return new InitialLdapContext(env, null);
      ================================================
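The following is an added, self-contained illustration of the problem and of a hardened variant; it is not code from JBoss or from this issue. Reordering the trace call before env.put(SECURITY_CREDENTIALS, ...) as proposed above fixes this one call site; the variant below instead logs a redacted copy of the environment, which also protects any other place the same map might be dumped (for example in an exception message). Assumptions: java.util.logging at level FINEST stands in for JBoss's super.log.trace, buildEnv/redacted are hypothetical helpers, and the DN, URL and password are constructed sample values. main() only builds and prints the maps; it never opens a connection.

```java
import java.util.Hashtable;
import java.util.Map;
import java.util.TreeMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;

public class LdapEnvLogging {

    private static final Logger LOG = Logger.getLogger(LdapEnvLogging.class.getName());

    // Constructed sample value; no LDAP server is contacted by main().
    static final String PROVIDER_URL = "ldap://ldap.example.invalid:389";

    /** Hypothetical helper: builds the JNDI environment the way the login module does. */
    static Hashtable<String, Object> buildEnv(String dn, Object credential) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, credential);
        return env;
    }

    /**
     * Hypothetical helper: returns a copy of the environment that is safe to log.
     * The credential entry is replaced by a fixed marker; everything else is kept so
     * the trace output still shows the URL, principal and factory for troubleshooting.
     */
    static Map<String, Object> redacted(Map<String, Object> env) {
        Map<String, Object> copy = new TreeMap<>(env); // sorted, so log lines are stable
        if (copy.containsKey(Context.SECURITY_CREDENTIALS)) {
            copy.put(Context.SECURITY_CREDENTIALS, "<redacted>");
        }
        return copy;
    }

    /** Hardened variant: the credential is in env, but only the redacted copy is logged. */
    static InitialLdapContext constructInitialLdapContext(String dn, Object credential)
            throws NamingException {
        Hashtable<String, Object> env = buildEnv(dn, credential);
        if (LOG.isLoggable(Level.FINEST)) { // stands in for super.log.trace(...)
            LOG.finest("Logging into LDAP server, env=" + redacted(env));
        }
        return new InitialLdapContext(env, null);
    }

    public static void main(String[] args) {
        // Constructed sample DN and password.
        Hashtable<String, Object> env =
                buildEnv("uid=alice,ou=people,dc=example,dc=com", "correct horse battery staple");

        // What the original trace line would have written: the password in clear text.
        System.out.println("unsafe: " + env);
        // What the hardened trace line writes.
        System.out.println("safe:   " + redacted(env));
    }
}
```

When reviewing similar code, grep for string concatenation of the whole environment or options map into a log call; the credential does not need to be printed on purpose to end up in the trace file.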

                People

                • Assignee:
                  ryan.campbell ryan.campbell (Inactive)
                  Reporter:
                  anil.saldhana Anil Saldanha