[hibernate-issues] [Hibernate-JIRA] Created: (HHH-5242) NamingHelper writes credential information to the log

Yiming Du (JIRA) noreply at atlassian.com
Thu May 20 10:32:11 EDT 2010


NamingHelper writes credential information to the log
-----------------------------------------------------

                 Key: HHH-5242
                 URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-5242
             Project: Hibernate Core
          Issue Type: Bug
          Components: core
    Affects Versions: 3.2.6
         Environment: This should be a general issue across all platforms.
            Reporter: Yiming Du


In certain situations, the class NamingHelper will write credential information to the log.

To be more specific, in the method getInitialContext() of the class org.hibernate.util.NamingHelper, there are the following 2 lines:

Hashtable hash = getJndiProperties(props);
log.info("JNDI InitialContext properties:" + hash);

This will result in the clear text of the credential information being logged under the conditions that the credential properties are set and the log level is lower than INFO.

In our WebSphere scenario, because WebSphere is security enabled, we need to set the following properties
"hibernate.jndi.java.naming.security.principal" 
"hibernate.jndi.java.naming.security.credentials" 

in order to register the SessionFactory to the JNDI tree.  
(Another thread https://forum.hibernate.org/viewtopic.php?f=1&t=931740&start=0 gives some description about this situation as well).

Although it's harmless to functionality, it undermines to some degree the overall security.


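An added example (not part of the original report and not Hibernate's own code): one way to mask the sensitive entries before the JNDI properties Hashtable reaches the logger, shown beside the concatenation pattern quoted in the report. The class name, the redactForLog helper, the "****" mask, the choice to mask the principal as well as the credentials, and the sample values are assumptions of this example.

```java
import java.util.Hashtable;
import java.util.Map;
import java.util.TreeMap;
import javax.naming.Context;

public class JndiLogRedaction {

    // Key suffixes treated as sensitive (an assumption of this example). Matching on
    // the suffix covers both the raw JNDI key and the "hibernate.jndi."-prefixed form.
    private static final String[] SENSITIVE_SUFFIXES = {
        Context.SECURITY_CREDENTIALS,   // "java.naming.security.credentials"
        Context.SECURITY_PRINCIPAL      // "java.naming.security.principal"
    };

    /** Returns a sorted copy of the properties that is safe to pass to a logger. */
    static Map<String, String> redactForLog(Hashtable<?, ?> jndiProps) {
        Map<String, String> safe = new TreeMap<>();
        for (Map.Entry<?, ?> e : jndiProps.entrySet()) {
            String key = String.valueOf(e.getKey());
            safe.put(key, isSensitive(key) ? "****" : String.valueOf(e.getValue()));
        }
        return safe;
    }

    private static boolean isSensitive(String key) {
        for (String suffix : SENSITIVE_SUFFIXES) {
            if (key.endsWith(suffix)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the report.
        Hashtable<String, String> hash = new Hashtable<>();
        hash.put(Context.PROVIDER_URL, "iiop://appserver.example:2809");
        hash.put(Context.SECURITY_PRINCIPAL, "svc-hibernate");
        hash.put(Context.SECURITY_CREDENTIALS, "constructed-secret");

        // Pattern from the report: string concatenation calls Hashtable.toString(),
        // which prints every value, including the credentials.
        String leaky = "JNDI InitialContext properties:" + hash;

        // Redacted form: same keys, sensitive values masked.
        String safe = "JNDI InitialContext properties:" + redactForLog(hash);

        System.out.println("leaky contains secret: " + leaky.contains("constructed-secret"));
        System.out.println("safe contains secret:  " + safe.contains("constructed-secret"));
        System.out.println(safe);
    }
}
```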