[jboss-jira] [JBoss JIRA] Reopened: (JBAS-3181) LdapExtLoginModule should not log password in TRACE mode

Ryan Campbell (JIRA) jira-events at jboss.com
Wed Aug 30 23:51:44 EDT 2006 

     [ http://jira.jboss.com/jira/browse/JBAS-3181?page=all ]

Ryan Campbell reopened JBAS-3181:
---------------------------------

      Assignee: Ryan Campbell  (was: Anil Saldhana)
             

> LdapExtLoginModule should not log password in TRACE mode
> --------------------------------------------------------
>
>                 Key: JBAS-3181
>                 URL: http://jira.jboss.com/jira/browse/JBAS-3181
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: JBossAS-4.0.3 SP1
>            Reporter: Anil Saldhana
>         Assigned To: Ryan Campbell
>            Priority: Critical
>             Fix For: JBossAS-4.0.4.GA
>
>
> If you look at the implementation of the method
> private InitialLdapContext constructInitialLdapContext(String dn, Object credential) throws NamingException
>    {
>       Properties env = new Properties();
>       Iterator iter = options.entrySet().iterator(); 
>       ...
>       env.setProperty(Context.PROVIDER_URL, providerURL);
>       env.setProperty(Context.SECURITY_PRINCIPAL, dn);
>       env.put(Context.SECURITY_CREDENTIALS, credential);
>       super.log.trace("Logging into LDAP server, env=" + env);
>       return new InitialLdapContext(env, null);
>    }
> The last few lines will unknowingly log the security credentials of the user. This is bad (legally) for corporate users.
> The lines should read as follows:
> =======================================
> env.setProperty(Context.PROVIDER_URL, providerURL);
>       env.setProperty(Context.SECURITY_PRINCIPAL, dn);
>       super.log.trace("Logging into LDAP server, env=" + env);
>       env.put(Context.SECURITY_CREDENTIALS, credential);
>       return new InitialLdapContext(env, null);
> ================================================

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list