[
https://issues.apache.org/jira/browse/DIRSERVER-2220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16335435#comment-16335435
]
Emmanuel Lecharny commented on DIRSERVER-2220:
----------------------------------------------
You are absolutely right ! There are other places where we specifically omit
the credentials for the exact same reason, this one has just been missed...
Fixed with commit 1399b77e0205b8b5dd8f67fe188f8fc99979ca8e
Thanks for the heads up !
> ApacheDS should not log credentials
> -----------------------------------
>
> Key: DIRSERVER-2220
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2220
> Project: Directory ApacheDS
> Issue Type: Bug
> Reporter: Albert van 't Hart
> Priority: Major
> Fix For: 2.0.0-M25
>
>
> It is a bad practice to log credentials (e.g. LDAP bind request). There are
> several places where bindContext is logged. See class
> *AuthenticatorInterceptor*:
> {code:java}
> LOG.info("Authenticator {} failed to authenticate: {}", authenticator,
> bindContext);{code}
> {code:java}
> LOG.info("Unexpected failure for Authenticator {} : {}", authenticator,
> bindContext);{code}
> This will result in:
>
> {code:java}
> failed to authenticate: BindContext for Dn
> '[email protected],ou=vanadenovation', credentials <0x6D 0x79 0x76 0x65
> 0x72 0x79 0x73 0x65 0x63 0x72 0x65 0x74 0x70 0x61 0x73 0x73 0x77 0x6F 0x72
> 0x64>
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
