Albert van 't Hart created DIRSERVER-2220:
---------------------------------------------
Summary: ApacheDS should not log credentials
Key: DIRSERVER-2220
URL: https://issues.apache.org/jira/browse/DIRSERVER-2220
Project: Directory ApacheDS
Issue Type: Bug
Reporter: Albert van 't Hart
It is a bad practice to log credentials (e.g. LDAP bind request). There are
several places where bindContext is logged. See class
*AuthenticatorInterceptor*:
{code:java}
LOG.info("Authenticator {} failed to authenticate: {}", authenticator, bindContext);
{code}
{code:java}
LOG.info("Unexpected failure for Authenticator {} : {}", authenticator, bindContext);
{code}
This will result in:
{code:java}
failed to authenticate: BindContext for Dn
'[email protected],ou=vanadenovation', credentials <0x6D 0x79 0x76 0x65
0x72 0x79 0x73 0x65 0x63 0x72 0x65 0x74 0x70 0x61 0x73 0x73 0x77 0x6F 0x72
0x64>
{code}
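The report above, illustrated as an added example (not ApacheDS code and not part of the original message): a context object whose `toString()` redacts the credentials, so a logger's `{}` substitution cannot print them, next to a leaky form that mirrors the quoted output. `DemoBindContext`, `toLeakyString` and `decodeHexDump` are hypothetical names, and the DN and secret are constructed sample values.

```java
import java.nio.charset.StandardCharsets;

public class BindLogRedaction {

    // Hypothetical stand-in for a bind context; not the ApacheDS class.
    static final class DemoBindContext {
        private final String dn;
        private final byte[] credentials;

        DemoBindContext(String dn, byte[] credentials) {
            this.dn = dn;
            this.credentials = credentials.clone();
        }

        // Leaky form: same shape as the log output quoted in the report.
        String toLeakyString() {
            StringBuilder sb = new StringBuilder("BindContext for Dn '")
                    .append(dn).append("', credentials <");
            for (int i = 0; i < credentials.length; i++) {
                if (i > 0) sb.append(' ');
                sb.append(String.format("0x%02X", credentials[i]));
            }
            return sb.append('>').toString();
        }

        // Safe form: whatever a logger renders for "{}" never contains the secret.
        @Override
        public String toString() {
            return "BindContext for Dn '" + dn + "', credentials <redacted>";
        }
    }

    // A hex dump is an encoding, not protection: anyone with log access can reverse it.
    static String decodeHexDump(String logLine) {
        String hex = logLine.substring(logLine.indexOf('<') + 1, logLine.lastIndexOf('>'));
        String[] parts = hex.trim().split("\\s+");
        byte[] out = new byte[parts.length];
        for (int i = 0; i < parts.length; i++) {
            out[i] = (byte) Integer.parseInt(parts[i].substring(2), 16);
        }
        return new String(out, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real directory.
        DemoBindContext ctx = new DemoBindContext("uid=demo,ou=example",
                "constructed-secret".getBytes(StandardCharsets.UTF_8));
        String leaky = ctx.toLeakyString();
        System.out.println("leaky:    " + leaky);
        System.out.println("decoded:  " + decodeHexDump(leaky));
        System.out.println("redacted: " + ctx);
    }
}
```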