[jboss-cvs] Picketbox SVN: r472 - in branches/eap62: security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/callback and 3 other directories.
Wed Oct 23 12:34:28 EDT 2013
Author: pskopek at redhat.com
Date: 2013-10-23 12:34:28 -0400 (Wed, 23 Oct 2013)
New Revision: 472
Modified:
branches/eap62/
branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/callback/LdapCallbackHandler.java
branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java
branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapLoginModule.java
branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapUsersLoginModule.java
branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/attribute/LdapAttributeMappingProvider.java
branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/role/LdapRolesMappingProvider.java
Log:
SECURITY-753 Mask credentials when logging the LDAP connection environment
Property changes on: branches/eap62
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/4.0.16.Final_BZ_901138:413
/branches/embargo/4.0.14.Final-JBPAPP6-1704:377
/branches/embargo/4.0.16.Final-vault:408-449
/tags/4.0.16.Final:393-407
/trunk:458
+ /branches/4.0.16.Final_BZ_901138:413
/branches/embargo/4.0.14.Final-JBPAPP6-1704:377
/branches/embargo/4.0.16.Final-vault:408-449
/tags/4.0.16.Final:393-407
/trunk:458,462
Modified: branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/callback/LdapCallbackHandler.java
===================================================================
--- branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/callback/LdapCallbackHandler.java 2013-10-23 16:28:18 UTC (rev 471)
+++ branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/callback/LdapCallbackHandler.java 2013-10-23 16:34:28 UTC (rev 472)
@@ -408,7 +408,7 @@
env.setProperty(Context.SECURITY_PRINCIPAL, dn);
if (credential != null)
env.put(Context.SECURITY_CREDENTIALS, credential);
- PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(env);
+ this.traceLDAPEnv(env);
return new InitialLdapContext(env, null);
}
@@ -470,6 +470,24 @@
return userDN;
}
+ /**
+ * <p>
+ * Logs the specified LDAP env, masking security-sensitive information (passwords).
+ * </p>
+ *
+ * @param env the LDAP env to be logged.
+ */
+ private void traceLDAPEnv(Properties env)
+ {
+ Properties tmp = new Properties();
+ tmp.putAll(env);
+ if (tmp.containsKey(Context.SECURITY_CREDENTIALS))
+ tmp.setProperty(Context.SECURITY_CREDENTIALS, "******");
+ if (tmp.containsKey(BIND_CREDENTIAL))
+ tmp.setProperty(BIND_CREDENTIAL, "******");
+ PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(tmp);
+ }
+
@SuppressWarnings("rawtypes")
protected void safeClose(NamingEnumeration results)
{
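Review bot: The redaction is done at the call site, so `PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(Properties)` still accepts and prints an unmasked env from any caller this commit did not touch, and the identical helper is now pasted into six classes where the list of masked keys will drift independently. Moving the masking into the logger method itself, or into one shared static helper that all six classes call, would make the unmasked path unreachable and keep `Context.SECURITY_CREDENTIALS` and `BIND_CREDENTIAL` in a single place. The helper also reads no instance state, so it can be `private static void traceLDAPEnv(Properties env)` and the `this.` at the call site dropped. `safeClose` begins on the last lines of this hunk and continues outside it.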
Modified: branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java
===================================================================
--- branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java 2013-10-23 16:28:18 UTC (rev 471)
+++ branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java 2013-10-23 16:34:28 UTC (rev 472)
@@ -792,11 +792,29 @@
env.setProperty(Context.SECURITY_PRINCIPAL, dn);
if (credential != null)
env.put(Context.SECURITY_CREDENTIALS, credential);
- PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(env);
+ this.traceLDAPEnv(env);
return new InitialLdapContext(env, null);
}
- //JBAS-3438 : Handle "/" correctly
+ /**
+ * <p>
+ * Logs the specified LDAP env, masking security-sensitive information (passwords).
+ * </p>
+ *
+ * @param env the LDAP env to be logged.
+ */
+ private void traceLDAPEnv(Properties env)
+ {
+ Properties tmp = new Properties();
+ tmp.putAll(env);
+ if (tmp.containsKey(Context.SECURITY_CREDENTIALS))
+ tmp.setProperty(Context.SECURITY_CREDENTIALS, "******");
+ if (tmp.containsKey(BIND_CREDENTIAL))
+ tmp.setProperty(BIND_CREDENTIAL, "******");
+ PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(tmp);
+ }
+
+ //JBAS-3438 : Handle "/" correctly
private String canonicalize(String searchResult)
{
String result = searchResult;
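Review bot: `traceLDAPEnv` copies the whole env on every connection even when trace logging is off, which is the common production case; if `PicketBoxLogger` exposes the usual `isTraceEnabled()` from its logger base (not visible here), an early `if (!PicketBoxLogger.LOGGER.isTraceEnabled()) return;` as the first statement avoids the copy and the two lookups. The hunk references `BIND_CREDENTIAL` without declaring it, so it presumably already exists in this class as the option key; worth confirming it is the same `"bindCredential"` string the option is read under, otherwise the mask silently misses it. `canonicalize` starts at the end of this hunk and continues past it.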
Modified: branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapLoginModule.java
===================================================================
--- branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapLoginModule.java 2013-10-23 16:28:18 UTC (rev 471)
+++ branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapLoginModule.java 2013-10-23 16:34:28 UTC (rev 472)
@@ -185,7 +185,8 @@
private static final String SEARCH_SCOPE_OPT = "searchScope";
private static final String SECURITY_DOMAIN_OPT = "jaasSecurityDomain";
private static final String ALLOW_EMPTY_PASSWORDS = "allowEmptyPasswords";
-
+ private static final String BIND_CREDENTIAL = "bindCredential";
+
private static final String[] ALL_VALID_OPTIONS =
{
PRINCIPAL_DN_PREFIX_OPT,
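Review bot: The new `BIND_CREDENTIAL = "bindCredential"` constant is declared here but the hunk does not add it to `ALL_VALID_OPTIONS`, whose initializer starts on the last lines of this hunk and continues outside it. If this module actually accepts a `bindCredential` option, the key belongs in that array so option validation keeps passing; if it does not, the `BIND_CREDENTIAL` branch in `traceLDAPEnv` is dead code in this class and a comment should say the constant exists only so the masking helper stays identical across the LDAP modules, e.g. `// only used by traceLDAPEnv; this module does not read a bindCredential option`. I cannot tell from the diff which case applies.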
@@ -351,7 +352,7 @@
env.setProperty(Context.SECURITY_PRINCIPAL, userDN);
env.put(Context.SECURITY_CREDENTIALS, credential);
- PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(env);
+ this.traceLDAPEnv(env);
InitialLdapContext ctx = null;
ClassLoader currentTCCL = SecurityActions.getContextClassLoader();
@@ -544,4 +545,23 @@
}
}
}
+
+ /**
+ * <p>
+ * Logs the specified LDAP env, masking security-sensitive information (passwords).
+ * </p>
+ *
+ * @param env the LDAP env to be logged.
+ */
+ private void traceLDAPEnv(Properties env)
+ {
+ Properties tmp = new Properties();
+ tmp.putAll(env);
+ if (tmp.containsKey(Context.SECURITY_CREDENTIALS))
+ tmp.setProperty(Context.SECURITY_CREDENTIALS, "******");
+ if (tmp.containsKey(BIND_CREDENTIAL))
+ tmp.setProperty(BIND_CREDENTIAL, "******");
+ PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(tmp);
+ }
+
}
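Review bot: The reason `traceLDAPEnv` works on a copy is not stated, and it is the one thing a maintainer must not "simplify" away: the same `env` is passed to `new InitialLdapContext(env, null)` right after the trace call in the earlier hunk, so masking in place would replace the real bind password with `******` and break authentication. A one-line comment above `tmp.putAll(env)` such as `// copy: env is handed to InitialLdapContext after logging, never mask it in place` captures that. The Javadoc would also be more useful if it named the two keys that are masked rather than the generic "(passwords)".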
Modified: branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapUsersLoginModule.java
===================================================================
--- branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapUsersLoginModule.java 2013-10-23 16:28:18 UTC (rev 471)
+++ branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapUsersLoginModule.java 2013-10-23 16:34:28 UTC (rev 472)
@@ -278,7 +278,7 @@
env.setProperty(Context.SECURITY_PRINCIPAL, dn);
if (credential != null)
env.put(Context.SECURITY_CREDENTIALS, credential);
- PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(env);
+ this.traceLDAPEnv(env);
return new InitialLdapContext(env, null);
}
@@ -329,4 +329,23 @@
return userDN;
}
+
+ /**
+ * <p>
+ * Logs the specified LDAP env, masking security-sensitive information (passwords).
+ * </p>
+ *
+ * @param env the LDAP env to be logged.
+ */
+ private void traceLDAPEnv(Properties env)
+ {
+ Properties tmp = new Properties();
+ tmp.putAll(env);
+ if (tmp.containsKey(Context.SECURITY_CREDENTIALS))
+ tmp.setProperty(Context.SECURITY_CREDENTIALS, "******");
+ if (tmp.containsKey(BIND_CREDENTIAL))
+ tmp.setProperty(BIND_CREDENTIAL, "******");
+ PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(tmp);
+ }
+
}
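Review bot: The `"******"` placeholder and the masking logic are string literals repeated in every copy of this helper; a `private static final String MASKED = "******";` (or a shared constant next to `BIND_CREDENTIAL`) documents the intent and keeps the placeholder consistent, and since the method touches no instance fields it can be `private static`. The hunk relies on `BIND_CREDENTIAL` already being defined in this class rather than adding it, so it is presumably the existing option key; a mismatch with the key actually put into `env` would leave that value unmasked, which is worth a quick check against the option-parsing code not shown here.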
Modified: branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/attribute/LdapAttributeMappingProvider.java
===================================================================
--- branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/attribute/LdapAttributeMappingProvider.java 2013-10-23 16:28:18 UTC (rev 471)
+++ branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/attribute/LdapAttributeMappingProvider.java 2013-10-23 16:34:28 UTC (rev 472)
@@ -316,12 +316,30 @@
env.setProperty(Context.SECURITY_PRINCIPAL, dn);
if (credential != null)
env.put(Context.SECURITY_CREDENTIALS, credential);
- PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(env);
+ this.traceLDAPEnv(env);
return new InitialLdapContext(env, null);
}
-
- private String[] getNeededAttributes(String commaSeparatedList)
+
+ /**
+ * <p>
+ * Logs the specified LDAP env, masking security-sensitive information (passwords).
+ * </p>
+ *
+ * @param env the LDAP env to be logged.
+ */
+ private void traceLDAPEnv(Properties env)
{
+ Properties tmp = new Properties();
+ tmp.putAll(env);
+ if (tmp.containsKey(Context.SECURITY_CREDENTIALS))
+ tmp.setProperty(Context.SECURITY_CREDENTIALS, "******");
+ if (tmp.containsKey(BIND_CREDENTIAL))
+ tmp.setProperty(BIND_CREDENTIAL, "******");
+ PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(tmp);
+ }
+
+ private String[] getNeededAttributes(String commaSeparatedList)
+ {
ArrayList<String> arrayList = new ArrayList<String>();
if (commaSeparatedList != null)
{
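Review bot: The Javadoc on `traceLDAPEnv` says only "masking security-sensitive information (passwords)", so a maintainer adding a new credential-bearing option has nothing telling them to extend the mask; the comment should list the exact keys replaced, e.g. `Masks {@link Context#SECURITY_CREDENTIALS} and the {@code bindCredential} option before handing the env to the logger; add any new secret-bearing key here.` The brace shuffle around `getNeededAttributes` is diff alignment only and the resulting code is correct; that method continues past the end of the hunk.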
Modified: branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/role/LdapRolesMappingProvider.java
===================================================================
--- branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/role/LdapRolesMappingProvider.java 2013-10-23 16:28:18 UTC (rev 471)
+++ branches/eap62/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/role/LdapRolesMappingProvider.java 2013-10-23 16:34:28 UTC (rev 472)
@@ -260,7 +260,7 @@
env.setProperty(Context.SECURITY_PRINCIPAL, dn);
if (credential != null)
env.put(Context.SECURITY_CREDENTIALS, credential);
- PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(env);
+ this.traceLDAPEnv(env);
return new InitialLdapContext(env, null);
}
@@ -384,4 +384,22 @@
}
}
+ /**
+ * <p>
+ * Logs the specified LDAP env, masking security-sensitive information (passwords).
+ * </p>
+ *
+ * @param env the LDAP env to be logged.
+ */
+ private void traceLDAPEnv(Properties env)
+ {
+ Properties tmp = new Properties();
+ tmp.putAll(env);
+ if (tmp.containsKey(Context.SECURITY_CREDENTIALS))
+ tmp.setProperty(Context.SECURITY_CREDENTIALS, "******");
+ if (tmp.containsKey(BIND_CREDENTIAL))
+ tmp.setProperty(BIND_CREDENTIAL, "******");
+ PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(tmp);
+ }
+
}