Message:
A new issue has been created in JIRA.
---------------------------------------------------------------------
View the issue:
http://opensource.atlassian.com/projects/hibernate/secure/ViewIssue.jspa?key=HB-394
Here is an overview of the issue:
---------------------------------------------------------------------
Key: HB-394
Summary: Security : Avoid printing password information in log files
Type: Improvement
Status: Unassigned
Priority: Minor
Project: Hibernate2
Components:
core
Versions:
2.0.3
Assignee:
Reporter: John Walshe
Created: Sun, 12 Oct 2003 12:47 AM
Updated: Sun, 12 Oct 2003 12:47 AM
Description:
Currently the user password is being written in the log files. For security purposes, can it be masked out, i.e. '?????'?
At least two methods need to be changed.
------------------------
CLASS: net.sf.hibernate.connection.DriverManagerConnectionProvider
METHOD: configure()
FROM:
log.info( "using driver: " + driverClass + " at URL: " + url );
log.info("connection properties: " + connectionProps);
TO:
Properties connectionPropsClone = (Properties)connectionProps.clone();
connectionPropsClone.put("password", "?????????");
log.info( "using driver: " + driverClass + " at URL: " + url );
log.info("connection properties: " + connectionPropsClone);
------------------------
CLASS: net.sf.hibernate.impl.SessionFactoryImpl
METHOD: ()
FROM:
if ( log.isDebugEnabled() ) log.debug("instantiating session factory with properties: " + properties);
TO:
if ( log.isDebugEnabled() ) {
    // Take a copy of the properties and blank out the password field
    Properties propsClone = (Properties)properties.clone();
    propsClone.put("hibernate.connection.password", "?????????");
    log.debug("instantiating session factory with properties: " + propsClone);
}
---------------------------------------------------------------------
JIRA INFORMATION:
This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
http://opensource.atlassian.com/projects/hibernate/secure/Administrators.jspa
If you want more information on JIRA, or have a bug to report see:
http://www.atlassian.com/software/jira
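
The masking proposed in the issue above, generalised as an added example (not Hibernate code and not part of the original report): it masks every property whose key looks like a secret, includes inherited defaults, and also scrubs a password parameter embedded in the JDBC URL, which the "using driver ... at URL" log line would otherwise print. The class name, method names, key patterns and sample values are assumptions made for illustration; it assumes Java 6 or later.

```java
import java.util.Locale;
import java.util.Properties;
import java.util.regex.Pattern;

// Added example: LogMasking, maskedCopy and maskUrl are hypothetical names.
public class LogMasking {
    private static final String MASK = "?????????";
    // Assumption: a key containing one of these words holds a secret.
    private static final Pattern SECRET_KEY =
        Pattern.compile("(?i)password|passwd|pwd|secret");
    // Assumption: URL credentials appear as password=... or pwd=... parameters.
    private static final Pattern URL_SECRET =
        Pattern.compile("(?i)((?:password|pwd)=)[^;&]*");

    /** Returns a copy that is safe to log; the caller's Properties is not modified. */
    public static Properties maskedCopy(Properties props) {
        Properties copy = new Properties();
        // stringPropertyNames() also walks the defaults chain, so inherited
        // values are masked too. Unlike put("password", ...), no password
        // entry is invented when the configuration has none.
        for (String key : props.stringPropertyNames()) {
            String value = props.getProperty(key);
            if (SECRET_KEY.matcher(key).find()) {
                copy.setProperty(key, MASK);
            } else if (key.toLowerCase(Locale.ROOT).endsWith("url")) {
                copy.setProperty(key, maskUrl(value));
            } else {
                copy.setProperty(key, value);
            }
        }
        return copy;
    }

    /** Masks a password parameter inside a JDBC URL, keeping the rest readable. */
    public static String maskUrl(String url) {
        return URL_SECRET.matcher(url).replaceAll("$1" + MASK);
    }

    public static void main(String[] args) {
        // Constructed sample configuration.
        Properties props = new Properties();
        props.setProperty("hibernate.connection.username", "app");
        props.setProperty("hibernate.connection.password", "s3cret");
        props.setProperty("hibernate.connection.url",
            "jdbc:mysql://db.example.test/app?user=app&password=s3cret");
        System.out.println("connection properties: " + maskedCopy(props));
        System.out.println("using URL: "
            + maskUrl(props.getProperty("hibernate.connection.url")));
    }
}
```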