Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Version: 2.0.0-M24
Description
Logging credentials (e.g. the password carried in an LDAP bind request) is bad practice. There are several places where the bindContext is logged; see class AuthenticatorInterceptor:
LOG.info("Authenticator {} failed to authenticate: {}", authenticator, bindContext);
LOG.info("Unexpected failure for Authenticator {} : {}", authenticator, bindContext);
This will result in:
failed to authenticate: BindContext for Dn 'uid=avthart@gmail.com,ou=vanadenovation', credentials <0x6D 0x79 0x76 0x65 0x72 0x79 0x73 0x65 0x63 0x72 0x65 0x74 0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64>
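As an added illustration (not ApacheDS code), the hypothetical BindContext below contrasts a rendering that hex-dumps the credential bytes, as in the log line above, with a toString() that keeps the DN for troubleshooting but redacts the secret; leaksSecret() is a regression check that a rendered log message does not contain the secret's hex form. The DN and password are constructed sample values.

```java
import java.nio.charset.StandardCharsets;

public class BindContextLogging {

    /** Minimal stand-in for the server's BindContext: a bind DN plus raw credential bytes. */
    static final class BindContext {
        private final String dn;
        private final byte[] credentials;

        BindContext(String dn, byte[] credentials) {
            this.dn = dn;
            this.credentials = credentials.clone();
        }

        /** Vulnerable form: every credential byte is hex-dumped, matching the log line in the issue. */
        String toStringWithCredentials() {
            StringBuilder sb = new StringBuilder("BindContext for Dn '").append(dn).append("', credentials <");
            for (int i = 0; i < credentials.length; i++) {
                if (i > 0) sb.append(' ');
                sb.append(String.format("0x%02X", credentials[i]));
            }
            return sb.append('>').toString();
        }

        /** Hardened form: the DN stays for troubleshooting, the secret never reaches the log. */
        @Override
        public String toString() {
            return "BindContext for Dn '" + dn + "', credentials <" + credentials.length + " bytes, redacted>";
        }
    }

    /** Regression check: true if the hex dump of the secret appears in a rendered log message. */
    static boolean leaksSecret(String logMessage, byte[] secret) {
        StringBuilder hex = new StringBuilder();
        for (byte b : secret) hex.append(String.format("0x%02X ", b));
        return logMessage.contains(hex.toString().trim());
    }

    public static void main(String[] args) {
        byte[] secret = "s3cret".getBytes(StandardCharsets.UTF_8);  // constructed sample password
        BindContext ctx = new BindContext("uid=alice,ou=people,dc=example,dc=com", secret);

        String unsafe = "Authenticator failed to authenticate: " + ctx.toStringWithCredentials();
        String safe = "Authenticator failed to authenticate: " + ctx;

        System.out.println(unsafe + "  | leaks secret: " + leaksSecret(unsafe, secret));
        System.out.println(safe + "  | leaks secret: " + leaksSecret(safe, secret));
    }
}
```

Running main() prints the unsafe line with the hex-encoded password and the redacted line without it; the check reports true for the first and false for the second.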