[jboss-jira] [JBoss JIRA] (SECURITY-877) WildFly is Logging LDAP Bind Credential Password for SPNEGO code
Filippe Spolti (JIRA)
issues at jboss.org
Mon Mar 23 12:22:18 EDT 2015
[ https://issues.jboss.org/browse/SECURITY-877?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13052667#comment-13052667 ]
Filippe Spolti commented on SECURITY-877:
-----------------------------------------
Tested:
09:09:06,416 TRACE [org.jboss.security.auth.spi.AbstractServerLoginModule] (http-/0.0.0.0:8080-1) Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleNameAttributeID=cn, java.naming.security.principal=test, password-stacking=useFirstPass, baseCtxDN=CN=Users,DC=jbossuk,DC=com, java.naming.ldap.attributes.binary=objectSid, roleAttributeID=memberOf, baseFilter=(sAMAccountName={0}), jboss.security.security_domain=SPNEGO, java.naming.provider.url=ldap://localhost:389, allowEmptyPassword=true, roleAttributeIsDN=true, bindDN=test, bindCredential=***, java.naming.security.authentication=simple, recurseRoles=true, java.naming.security.credentials=***}
> WildFly is Logging LDAP Bind Credential Password for SPNEGO code
> ----------------------------------------------------------------
>
> Key: SECURITY-877
> URL: https://issues.jboss.org/browse/SECURITY-877
> Project: PicketBox
> Issue Type: Bug
> Components: Negotiation
> Affects Versions: Negotiation_2_3_6_Final
> Environment: WildFly is logging the bindCredential when using SPNEGO
> Reporter: Filippe Spolti
> Assignee: Filippe Spolti
> Priority: Minor
>
> The bind credential is being logged:
> 2015-03-19 19:33:28,569 TRACE [org.jboss.security.auth.spi.AbstractServerLoginModule] (http-localhost/127.0.0.1:8080-1) Logging into LDAP server, env={baseFilter=(userPrincipalName={0}), java.naming.security.credentials=***, jboss.security.security_domain=SPNEGO, java.naming.ldap.attributes.binary=objectSid, password-stacking=useFirstPass, recurseRoles=false, java.naming.security.authentication=simple, baseCtxDN=DC=example,DC=com, roleAttributeIsDN=true, rolesCtxDN=DC=example,DC=com, java.naming.security.principal=bindUser, allowEmptyPassword=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://127.0.0.1:389, roleNameAttributeID=cn, roleAttributeID=memberOf, bindDN=bindUser, bindCredential=password}
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
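A defender-side check for the leak this issue describes, written as an added example and not PicketBox code: it parses the env={...} map out of an AbstractServerLoginModule TRACE line, reports which credential keys appear unmasked, and rewrites them to *** the way the tested build does. The set of sensitive key names and the sample log line are assumptions, condensed from the log lines quoted in the issue.

```python
import re

# Keys in the LDAP login-module env map whose values are secrets. The names
# come from the issue's log lines; treating exactly these as sensitive is an
# assumption a deployment should review against its own module options.
SENSITIVE_KEYS = {"bindCredential", "java.naming.security.credentials"}
MASK = "***"

# The trace line ends with env={key=value, key=value, ...}
ENV_RE = re.compile(r"env=\{(.*)\}$")

# Constructed sample, condensed from the pre-fix line in the issue: the JNDI
# credential is masked but bindCredential is still printed in clear.
BEFORE_FIX = (
    "2015-03-19 19:33:28,569 TRACE [org.jboss.security.auth.spi.AbstractServerLoginModule] "
    "(http-localhost/127.0.0.1:8080-1) Logging into LDAP server, "
    "env={baseFilter=(userPrincipalName={0}), java.naming.security.credentials=***, "
    "jboss.security.security_domain=SPNEGO, bindDN=bindUser, bindCredential=password}"
)


def parse_env(log_line):
    """Return the env map of a trace line as a dict (empty if the line has none).

    Entries are separated by ', ' and the key ends at the first '='; values such as
    baseFilter=(userPrincipalName={0}) contain neither, so this split is sufficient.
    """
    m = ENV_RE.search(log_line)
    if not m:
        return {}
    env = {}
    for item in m.group(1).split(", "):
        key, sep, value = item.partition("=")
        if sep:
            env[key] = value
    return env


def leaked_secrets(log_line):
    """Sensitive keys whose value is not masked: non-empty means the log leaks a secret."""
    env = parse_env(log_line)
    return sorted(k for k in SENSITIVE_KEYS if k in env and env[k] != MASK)


def redact(log_line):
    """Rewrite the env map so every sensitive key reads key=***, leaving other entries intact."""
    def mask_env(m):
        items = []
        for item in m.group(1).split(", "):
            key, sep, _value = item.partition("=")
            items.append(key + "=" + MASK if sep and key in SENSITIVE_KEYS else item)
        return "env={" + ", ".join(items) + "}"
    return ENV_RE.sub(mask_env, log_line)
```

Run leaked_secrets over archived TRACE output to find files that still hold the cleartext bind password; redact gives the line as the patched module would have written it.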