You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@directory.apache.org by "Emmanuel Lecharny (JIRA)" <ji...@apache.org> on 2018/01/23 07:24:00 UTC

[jira] [Resolved] (DIRSERVER-2220) ApacheDS should not log credentials

     [ https://issues.apache.org/jira/browse/DIRSERVER-2220?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny resolved DIRSERVER-2220.
------------------------------------------
       Resolution: Fixed
    Fix Version/s: 2.0.0-M25

Fixed with commit 1399b77e0205b8b5dd8f67fe188f8fc99979ca8e

> ApacheDS should not log credentials
> -----------------------------------
>
>                 Key: DIRSERVER-2220
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2220
>             Project: Directory ApacheDS
>          Issue Type: Bug
>            Reporter: Albert van 't Hart
>            Priority: Major
>             Fix For: 2.0.0-M25
>
>
> It is a bad practice to log credentials (e.g. LDAP bind request). There are several places where bindContext is logged. See class *AuthenticatorInterceptor*:
> {code:java}
> LOG.info("Authenticator {} failed to authenticate: {}", authenticator, bindContext);{code}
> {code:java}
> LOG.info("Unexpected failure for Authenticator {} : {}", authenticator, bindContext);{code}
> This will result in:
>  
> {code:java}
> failed to authenticate: BindContext for Dn 'uid=avthart@gmail.com,ou=vanadenovation', credentials <0x6D 0x79 0x76 0x65 0x72 0x79 0x73 0x65 0x63 0x72 0x65 0x74 0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64> 
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)