[jboss-cvs] Picketbox SVN: r462 - in trunk: security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi and 3 other directories.
Mon Oct 21 16:15:46 EDT 2013
Author: sguilhen at redhat.com
Date: 2013-10-21 16:15:46 -0400 (Mon, 21 Oct 2013)
New Revision: 462
Modified:
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/callback/LdapCallbackHandler.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapLoginModule.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapUsersLoginModule.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/attribute/LdapAttributeMappingProvider.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/role/LdapRolesMappingProvider.java
trunk/security-spi/common/common-spi.iml
Log:
SECURITY-753 Mask credentials when logging the LDAP connection environment
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/callback/LdapCallbackHandler.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/callback/LdapCallbackHandler.java 2013-10-08 21:08:51 UTC (rev 461)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/callback/LdapCallbackHandler.java 2013-10-21 20:15:46 UTC (rev 462)
@@ -408,7 +408,7 @@
env.setProperty(Context.SECURITY_PRINCIPAL, dn);
if (credential != null)
env.put(Context.SECURITY_CREDENTIALS, credential);
- PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(env);
+ this.traceLDAPEnv(env);
return new InitialLdapContext(env, null);
}
@@ -470,6 +470,24 @@
return userDN;
}
+ /**
+ * <p>
+ * Logs the specified LDAP env, masking security-sensitive information (passwords).
+ * </p>
+ *
+ * @param env the LDAP env to be logged.
+ */
+ private void traceLDAPEnv(Properties env)
+ {
+ Properties tmp = new Properties();
+ tmp.putAll(env);
+ if (tmp.containsKey(Context.SECURITY_CREDENTIALS))
+ tmp.setProperty(Context.SECURITY_CREDENTIALS, "******");
+ if (tmp.containsKey(BIND_CREDENTIAL))
+ tmp.setProperty(BIND_CREDENTIAL, "******");
+ PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(tmp);
+ }
+
@SuppressWarnings("rawtypes")
protected void safeClose(NamingEnumeration results)
{
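Review bot: The mask in the new `traceLDAPEnv` is a fixed list of two keys, `Context.SECURITY_CREDENTIALS` and `BIND_CREDENTIAL`; the fact that `bindCredential` needs masking at all suggests `env` also carries the login-module options (the start of the method that builds `env` is outside the hunk, so this is inferred), in which case any other option holding a secret would still reach the trace log in clear. A name-based check in addition to the two known keys would catch such options without having to enumerate them. The sketch below needs `java.util.Locale` if the file does not already import it, and keeps the two explicit keys so existing behaviour is unchanged.
```java
private void traceLDAPEnv(Properties env)
{
   Properties tmp = new Properties();
   tmp.putAll(env);
   for (Object key : env.keySet())
   {
      String name = String.valueOf(key).toLowerCase(Locale.ROOT);
      // mask the two known secret keys plus any option whose name says it holds a secret
      if (Context.SECURITY_CREDENTIALS.equals(key) || BIND_CREDENTIAL.equals(key)
            || name.contains("password") || name.contains("credential"))
         tmp.put(key, "******");
   }
   PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(tmp);
}
```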
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java 2013-10-08 21:08:51 UTC (rev 461)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java 2013-10-21 20:15:46 UTC (rev 462)
@@ -792,11 +792,29 @@
env.setProperty(Context.SECURITY_PRINCIPAL, dn);
if (credential != null)
env.put(Context.SECURITY_CREDENTIALS, credential);
- PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(env);
+ this.traceLDAPEnv(env);
return new InitialLdapContext(env, null);
}
- //JBAS-3438 : Handle "/" correctly
+ /**
+ * <p>
+ * Logs the specified LDAP env, masking security-sensitive information (passwords).
+ * </p>
+ *
+ * @param env the LDAP env to be logged.
+ */
+ private void traceLDAPEnv(Properties env)
+ {
+ Properties tmp = new Properties();
+ tmp.putAll(env);
+ if (tmp.containsKey(Context.SECURITY_CREDENTIALS))
+ tmp.setProperty(Context.SECURITY_CREDENTIALS, "******");
+ if (tmp.containsKey(BIND_CREDENTIAL))
+ tmp.setProperty(BIND_CREDENTIAL, "******");
+ PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(tmp);
+ }
+
+ //JBAS-3438 : Handle "/" correctly
private String canonicalize(String searchResult)
{
String result = searchResult;
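Review bot: The `traceLDAPEnv` body added here is byte-for-byte the same as the copies this commit adds to LdapCallbackHandler, LdapLoginModule, LdapUsersLoginModule, LdapAttributeMappingProvider and LdapRolesMappingProvider, so the next key that must be masked has to be added in six places and a miss in one of them reintroduces the leak. A single static helper taking `(Properties env, String... secretKeys)` in a shared utility class of this module, or masking inside the logger method itself, would keep the rule in one place; doing it in the logger would also cover any other caller of `traceLDAPConnectionEnv` that this commit does not touch, if such callers exist. The literal `"******"` could become one constant at the same time. `canonicalize`, which follows, continues outside the hunk.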
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapLoginModule.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapLoginModule.java 2013-10-08 21:08:51 UTC (rev 461)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapLoginModule.java 2013-10-21 20:15:46 UTC (rev 462)
@@ -185,7 +185,8 @@
private static final String SEARCH_SCOPE_OPT = "searchScope";
private static final String SECURITY_DOMAIN_OPT = "jaasSecurityDomain";
private static final String ALLOW_EMPTY_PASSWORDS = "allowEmptyPasswords";
-
+ private static final String BIND_CREDENTIAL = "bindCredential";
+
private static final String[] ALL_VALID_OPTIONS =
{
PRINCIPAL_DN_PREFIX_OPT,
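Review bot: `BIND_CREDENTIAL` is introduced here only so that `traceLDAPEnv` can mask it, and as far as this hunk shows it is not added to `ALL_VALID_OPTIONS`, whose array continues past the hunk. If this module does not accept a `bindCredential` option (the -351 hunk binds with the user's own DN and credential) the extra mask entry is inert but harmless; if it does, the constant should also replace the string literal in the options list so the two cannot drift apart. Either way a short comment on the constant, `// only used to mask the option value when tracing the LDAP env`, would record why it exists.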
@@ -351,7 +352,7 @@
env.setProperty(Context.SECURITY_PRINCIPAL, userDN);
env.put(Context.SECURITY_CREDENTIALS, credential);
- PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(env);
+ this.traceLDAPEnv(env);
InitialLdapContext ctx = null;
ClassLoader currentTCCL = SecurityActions.getContextClassLoader();
@@ -544,4 +545,23 @@
}
}
}
+
+ /**
+ * <p>
+ * Logs the specified LDAP env, masking security-sensitive information (passwords).
+ * </p>
+ *
+ * @param env the LDAP env to be logged.
+ */
+ private void traceLDAPEnv(Properties env)
+ {
+ Properties tmp = new Properties();
+ tmp.putAll(env);
+ if (tmp.containsKey(Context.SECURITY_CREDENTIALS))
+ tmp.setProperty(Context.SECURITY_CREDENTIALS, "******");
+ if (tmp.containsKey(BIND_CREDENTIAL))
+ tmp.setProperty(BIND_CREDENTIAL, "******");
+ PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(tmp);
+ }
+
}
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapUsersLoginModule.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapUsersLoginModule.java 2013-10-08 21:08:51 UTC (rev 461)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapUsersLoginModule.java 2013-10-21 20:15:46 UTC (rev 462)
@@ -278,7 +278,7 @@
env.setProperty(Context.SECURITY_PRINCIPAL, dn);
if (credential != null)
env.put(Context.SECURITY_CREDENTIALS, credential);
- PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(env);
+ this.traceLDAPEnv(env);
return new InitialLdapContext(env, null);
}
@@ -329,4 +329,23 @@
return userDN;
}
+
+ /**
+ * <p>
+ * Logs the specified LDAP env, masking security-sensitive information (passwords).
+ * </p>
+ *
+ * @param env the LDAP env to be logged.
+ */
+ private void traceLDAPEnv(Properties env)
+ {
+ Properties tmp = new Properties();
+ tmp.putAll(env);
+ if (tmp.containsKey(Context.SECURITY_CREDENTIALS))
+ tmp.setProperty(Context.SECURITY_CREDENTIALS, "******");
+ if (tmp.containsKey(BIND_CREDENTIAL))
+ tmp.setProperty(BIND_CREDENTIAL, "******");
+ PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(tmp);
+ }
+
}
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/attribute/LdapAttributeMappingProvider.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/attribute/LdapAttributeMappingProvider.java 2013-10-08 21:08:51 UTC (rev 461)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/attribute/LdapAttributeMappingProvider.java 2013-10-21 20:15:46 UTC (rev 462)
@@ -316,12 +316,30 @@
env.setProperty(Context.SECURITY_PRINCIPAL, dn);
if (credential != null)
env.put(Context.SECURITY_CREDENTIALS, credential);
- PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(env);
+ this.traceLDAPEnv(env);
return new InitialLdapContext(env, null);
}
-
- private String[] getNeededAttributes(String commaSeparatedList)
+
+ /**
+ * <p>
+ * Logs the specified LDAP env, masking security-sensitive information (passwords).
+ * </p>
+ *
+ * @param env the LDAP env to be logged.
+ */
+ private void traceLDAPEnv(Properties env)
{
+ Properties tmp = new Properties();
+ tmp.putAll(env);
+ if (tmp.containsKey(Context.SECURITY_CREDENTIALS))
+ tmp.setProperty(Context.SECURITY_CREDENTIALS, "******");
+ if (tmp.containsKey(BIND_CREDENTIAL))
+ tmp.setProperty(BIND_CREDENTIAL, "******");
+ PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(tmp);
+ }
+
+ private String[] getNeededAttributes(String commaSeparatedList)
+ {
ArrayList<String> arrayList = new ArrayList<String>();
if (commaSeparatedList != null)
{
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/role/LdapRolesMappingProvider.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/role/LdapRolesMappingProvider.java 2013-10-08 21:08:51 UTC (rev 461)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/role/LdapRolesMappingProvider.java 2013-10-21 20:15:46 UTC (rev 462)
@@ -260,7 +260,7 @@
env.setProperty(Context.SECURITY_PRINCIPAL, dn);
if (credential != null)
env.put(Context.SECURITY_CREDENTIALS, credential);
- PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(env);
+ this.traceLDAPEnv(env);
return new InitialLdapContext(env, null);
}
@@ -384,4 +384,22 @@
}
}
+ /**
+ * <p>
+ * Logs the specified LDAP env, masking security-sensitive information (passwords).
+ * </p>
+ *
+ * @param env the LDAP env to be logged.
+ */
+ private void traceLDAPEnv(Properties env)
+ {
+ Properties tmp = new Properties();
+ tmp.putAll(env);
+ if (tmp.containsKey(Context.SECURITY_CREDENTIALS))
+ tmp.setProperty(Context.SECURITY_CREDENTIALS, "******");
+ if (tmp.containsKey(BIND_CREDENTIAL))
+ tmp.setProperty(BIND_CREDENTIAL, "******");
+ PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(tmp);
+ }
+
}
Modified: trunk/security-spi/common/common-spi.iml
===================================================================
--- trunk/security-spi/common/common-spi.iml 2013-10-08 21:08:51 UTC (rev 461)
+++ trunk/security-spi/common/common-spi.iml 2013-10-21 20:15:46 UTC (rev 462)
@@ -6,10 +6,8 @@
<content url="file://$MODULE_DIR$">
<sourceFolder url="file://$MODULE_DIR$/src/main/java" isTestSource="false" />
<sourceFolder url="file://$MODULE_DIR$/src/test/java" isTestSource="true" />
- <sourceFolder url="file://$MODULE_DIR$/target/generated-sources/annotations" isTestSource="false" />
<excludeFolder url="file://$MODULE_DIR$/../common-spi/target" />
- <excludeFolder url="file://$MODULE_DIR$/target/classes" />
- <excludeFolder url="file://$MODULE_DIR$/target/maven-archiver" />
+ <excludeFolder url="file://$MODULE_DIR$/target" />
</content>
<orderEntry type="inheritedJdk" />
<orderEntry type="sourceFolder" forTests="false" />