NamingHelper writes credential information to the log
-----------------------------------------------------
Key: HHH-5242
URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-5242
Project: Hibernate Core
Issue Type: Bug
Components: core
Affects Versions: 3.2.6
Environment: This should be a general issue across all platforms.
Reporter: Yiming Du
In certain situations, the class NamingHelper will write credential information to the
log.
To be more specific, in the method getInitialContext() of the class
org.hibernate.util.NamingHelper, there are the following 2 lines:
    Hashtable hash = getJndiProperties(props);
    log.info("JNDI InitialContext properties:" + hash);
This will result in the clear text of the credential information in the conditions that
the credential properties are set and the log level is lower than INFO.
In our WebSphere scenario, because WebSphere is security enabled, we need to set the
following properties:
    "hibernate.jndi.java.naming.security.principal"
    "hibernate.jndi.java.naming.security.credentials"
in order to register the SessionFactory to the JNDI tree.
(Another thread
https://forum.hibernate.org/viewtopic.php?f=1&t=931740&start=0
gives some description about this situation as well).
Although it's harmless to functionality, it undermines to some degree the overall
security.
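One way to keep the diagnostic log line from the report while withholding the secret values, as an added example that is not Hibernate's code or the fix adopted for HHH-5242. The names SafeJndiLogging and redact() are hypothetical, the sample property values are constructed, and the example masks both properties named in the report.

```java
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;
import javax.naming.Context;

// Added example, not Hibernate code: SafeJndiLogging and redact() are hypothetical names.
public class SafeJndiLogging {

    // Standard JNDI keys that carry the identity and secret used to authenticate.
    private static final Set<String> SENSITIVE_KEYS = Set.of(
            Context.SECURITY_PRINCIPAL,     // "java.naming.security.principal"
            Context.SECURITY_CREDENTIALS);  // "java.naming.security.credentials"

    private static final String MASK = "****";

    /** Returns a copy that is safe to log; the table passed in is left untouched. */
    static Hashtable<Object, Object> redact(Hashtable<?, ?> jndiProps) {
        Hashtable<Object, Object> safe = new Hashtable<>();
        for (Map.Entry<?, ?> e : jndiProps.entrySet()) {
            String key = String.valueOf(e.getKey());
            // Match on suffix as well, so keys that still carry a prefix such as
            // "hibernate.jndi." are masked too.
            boolean sensitive = SENSITIVE_KEYS.stream().anyMatch(key::endsWith);
            safe.put(e.getKey(), sensitive ? MASK : e.getValue());
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the report.
        Hashtable<String, Object> hash = new Hashtable<>();
        hash.put(Context.PROVIDER_URL, "iiop://appserver.example:2809");
        hash.put(Context.SECURITY_PRINCIPAL, "svc-hibernate");
        hash.put(Context.SECURITY_CREDENTIALS, "s3cr3t-constructed");

        Hashtable<Object, Object> safe = redact(hash);
        System.out.println("JNDI InitialContext properties:" + safe);

        // The real table still holds the credential for new InitialContext(hash).
        if (safe.toString().contains("s3cr3t-constructed")
                || !"s3cr3t-constructed".equals(hash.get(Context.SECURITY_CREDENTIALS))) {
            throw new AssertionError("redaction failed");
        }
    }
}
```

Masking a copy matters here: the original Hashtable must still carry the credential when it is handed to the InitialContext constructor.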