[hibernate-issues] [Hibernate-JIRA] Created: (HHH-5105) NamingHelper writes credential information to the log

Yiming Du (JIRA) noreply at atlassian.com
Mon Apr 12 14:41:00 EDT 2010


NamingHelper writes credential information to the log
-----------------------------------------------------

                 Key: HHH-5105
                 URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-5105
             Project: Hibernate Core
          Issue Type: Improvement
          Components: core
    Affects Versions: 3.2.6
            Reporter: Yiming Du


In certain situations, the class NamingHelper will write credential information to the log.

To be more specific, in the method getInitialContext() of the class org.hibernate.util.NamingHelper, there are the following 2 lines:

	Hashtable hash = getJndiProperties(props);
	log.info("JNDI InitialContext properties:" + hash);

This will result in the credential information being logged in clear text when the credential properties are set and the log level is lower than INFO.

In our case, we have to set the "hibernate.jndi.java.naming.security.principal" and "hibernate.jndi.java.naming.security.credentials" properties in order to register the SessionFactory in the JNDI tree on WebSphere if WebSphere is security enabled (another thread, https://forum.hibernate.org/viewtopic.php?f=1&t=931740&start=0, gives some description of this situation as well).

Although it's harmless to functionality, it undermines the overall security to some degree.



-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://opensource.atlassian.com/projects/hibernate/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
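
One way to keep the diagnostic line from the report without exposing the secrets is to log a masked copy of the table. This is an added example, not Hibernate's code or its eventual fix: the class `JndiLogRedactor` and method `redactForLog` are hypothetical, and it assumes the table holds the standard JNDI key names (`java.naming.security.principal`, `java.naming.security.credentials`).

```java
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import javax.naming.Context;

// Added example (not Hibernate code): JndiLogRedactor and redactForLog are hypothetical names.
public class JndiLogRedactor {

    // Standard JNDI environment keys whose values must never reach a log.
    private static final Set<String> SENSITIVE_KEYS = Set.of(
            Context.SECURITY_PRINCIPAL,     // "java.naming.security.principal"
            Context.SECURITY_CREDENTIALS);  // "java.naming.security.credentials"

    static final String MASK = "****";

    /** Returns a sorted copy that is safe to log; the input table is not modified. */
    static Map<String, Object> redactForLog(Hashtable<?, ?> jndiProps) {
        Map<String, Object> safe = new TreeMap<>();
        for (Map.Entry<?, ?> e : jndiProps.entrySet()) {
            String key = String.valueOf(e.getKey());
            // Mask by key, so char[] or byte[] credentials are covered as well as Strings.
            safe.put(key, SENSITIVE_KEYS.contains(key) ? MASK : e.getValue());
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample values, shaped like the table returned by getJndiProperties(props).
        Hashtable<String, Object> hash = new Hashtable<>();
        hash.put(Context.PROVIDER_URL, "iiop://localhost:2809");
        hash.put(Context.SECURITY_PRINCIPAL, "wasadmin");
        hash.put(Context.SECURITY_CREDENTIALS, "example-password");

        String line = "JNDI InitialContext properties:" + redactForLog(hash);
        System.out.println(line);

        // The log line must not carry the secrets.
        if (line.contains("example-password") || line.contains("wasadmin")) {
            throw new AssertionError("credential leaked into log line");
        }
        // The live table, which is what InitialContext would receive, is unchanged.
        if (!"example-password".equals(hash.get(Context.SECURITY_CREDENTIALS))) {
            throw new AssertionError("redaction must not alter the live properties");
        }
    }
}
```

Masking the principal as well as the credentials is a choice made here because the report names both properties; a deployment that needs the account name for troubleshooting could mask only `Context.SECURITY_CREDENTIALS`.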

        

