[hibernate-issues] [Hibernate-JIRA] Created: (HHH-5242) NamingHelper writes credential information to the log
Yiming Du (JIRA)
noreply at atlassian.com
Thu May 20 10:32:11 EDT 2010
NamingHelper writes credential information to the log
-----------------------------------------------------
Key: HHH-5242
URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-5242
Project: Hibernate Core
Issue Type: Bug
Components: core
Affects Versions: 3.2.6
Environment: This should be a general issue across all platforms.
Reporter: Yiming Du
In certain situations, the class NamingHelper will write credential information to the log.
To be more specific, in the method getInitialContext() of the class org.hibernate.util.NamingHelper, there are the following 2 lines:
    Hashtable hash = getJndiProperties(props);
    log.info("JNDI InitialContext properties:" + hash);
This will result in the credential information appearing in clear text when the credential properties are set and the log level is lower than INFO.
In our WebSphere scenario, because WebSphere is security enabled, we need to set the following properties
"hibernate.jndi.java.naming.security.principal"
"hibernate.jndi.java.naming.security.credentials"
in order to register the SessionFactory to the JNDI tree.
(Another thread https://forum.hibernate.org/viewtopic.php?f=1&t=931740&start=0 gives some description about this situation as well).
Although it's harmless to functionality, it undermines to some degree the overall security.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://opensource.atlassian.com/projects/hibernate/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
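
An added example, not part of the original report and not Hibernate's own fix: one way to keep the diagnostic log line while masking the two properties named above. The class name, the redact() and isSensitive() helpers and the sample values are hypothetical; keys are matched by suffix so both the "hibernate.jndi."-prefixed and the bare JNDI forms are covered.

```java
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;
import javax.naming.Context;

public class JndiLogRedaction {
    // Property names whose values must never reach the log.
    private static final Set<String> SENSITIVE_KEYS = Set.of(
            Context.SECURITY_PRINCIPAL,    // "java.naming.security.principal"
            Context.SECURITY_CREDENTIALS); // "java.naming.security.credentials"

    // True for a sensitive key, with or without a configuration prefix.
    static boolean isSensitive(Object key) {
        if (!(key instanceof String)) {
            return false;
        }
        String k = (String) key;
        for (String s : SENSITIVE_KEYS) {
            if (k.endsWith(s)) {
                return true;
            }
        }
        return false;
    }

    // Returns a copy that is safe to log; the original table is left untouched
    // so it can still be passed to new InitialContext(...).
    static Hashtable<Object, Object> redact(Hashtable<?, ?> jndiProps) {
        Hashtable<Object, Object> safe = new Hashtable<>();
        for (Map.Entry<?, ?> e : jndiProps.entrySet()) {
            safe.put(e.getKey(), isSensitive(e.getKey()) ? "****" : e.getValue());
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample values, standing in for getJndiProperties(props).
        Hashtable<String, String> hash = new Hashtable<>();
        hash.put(Context.PROVIDER_URL, "iiop://appserver.example:2809");
        hash.put(Context.SECURITY_PRINCIPAL, "jndi-user");
        hash.put(Context.SECURITY_CREDENTIALS, "s3cret-constructed");

        String line = "JNDI InitialContext properties:" + redact(hash);
        System.out.println(line);
        if (line.contains("s3cret-constructed") || line.contains("jndi-user")) {
            throw new AssertionError("credential leaked into log line");
        }
    }
}
```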