NamingHelper writes credential information to the log
-----------------------------------------------------
Key: HHH-5105
URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-5105
Project: Hibernate Core
Issue Type: Improvement
Components: core
Affects Versions: 3.2.6
Reporter: Yiming Du

In certain situations, the class NamingHelper will write credential information to the log.

To be more specific, in the method getInitialContext() of the class org.hibernate.util.NamingHelper, there are the following 2 lines:

    Hashtable hash = getJndiProperties(props);
    log.info("JNDI InitialContext properties:" + hash);

This will result in the clear text of the credential information in the conditions that the credential properties are set and the log level is lower than INFO.

In our case, we have to set the "hibernate.jndi.java.naming.security.principal" and "hibernate.jndi.java.naming.security.credentials" properties in order to register the SessionFactory to the JNDI tree on WebSphere if WebSphere is security enabled (another thread, https://forum.hibernate.org/viewtopic.php?f=1&t=931740&start=0, gives some description about this situation as well).

Although it's harmless to functionality, it undermines to some degree the overall security.
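
One way to avoid the exposure described in this report, as an added example that is not Hibernate's code or the project's fix: copy the JNDI table and mask the principal and credentials values before the table is rendered into the log message. The class name, the maskedForLog helper and the sample values are hypothetical; the two key names are the standard javax.naming.Context constants.

```java
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import javax.naming.Context;

public class JndiLogRedaction {
    // Keys whose values must not reach the log (standard JNDI constants).
    private static final Set<String> SENSITIVE = Set.of(
            Context.SECURITY_PRINCIPAL,     // "java.naming.security.principal"
            Context.SECURITY_CREDENTIALS);  // "java.naming.security.credentials"

    /** Hypothetical helper: returns a copy that is safe to log; the input is not modified. */
    static Map<String, String> maskedForLog(Hashtable<?, ?> jndiProps) {
        Map<String, String> safe = new TreeMap<>(); // sorted keys give stable log output
        for (Map.Entry<?, ?> e : jndiProps.entrySet()) {
            String key = String.valueOf(e.getKey());
            // Mask the value but keep the key, so the log still shows the property was set.
            safe.put(key, SENSITIVE.contains(key) ? "****" : String.valueOf(e.getValue()));
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample standing in for the result of getJndiProperties(props).
        Hashtable<String, Object> hash = new Hashtable<>();
        hash.put(Context.PROVIDER_URL, "iiop://localhost:2809");
        hash.put(Context.SECURITY_PRINCIPAL, "wasadmin");
        hash.put(Context.SECURITY_CREDENTIALS, "s3cret-constructed");

        // Reported behaviour: string concatenation renders every value, secret included.
        System.out.println("before: JNDI InitialContext properties:" + hash);
        // Redacted form: same message, sensitive values replaced by a fixed mask.
        System.out.println("after:  JNDI InitialContext properties:" + maskedForLog(hash));
    }
}
```

The original Hashtable is still passed unchanged to the InitialContext; only the copy built for the log message is masked.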