Bug 1199641

This problem is not present in EAP 6.4 (picketbox 4.1.1) anymore.

Description of problem:

The bind Credential are being logged:

2015-03-19 19:33:28,569 TRACE [org.jboss.security.auth.spi.AbstractServerLoginModule] (http-localhost/127.0.0.1:8080-1) Logging into LDAP server, env={baseFilter=(userPrincipalName={0}), java.naming.security.credentials=***, jboss.security.security_domain=SPNEGO, java.naming.ldap.attributes.binary=objectSid, password-stacking=useFirstPass, recurseRoles=false, java.naming.security.authentication=simple, baseCtxDN=DC=example,DC=com, roleAttributeIsDN=true, rolesCtxDN=DC=example,DC=com, java.naming.security.principal=bindUser, allowEmptyPassword=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://127.0.0.1:389, roleNameAttributeID=cn, roleAttributeID=memberOf, bindDN=bindUser, bindCredential=password}


Version-Release number of selected component (if applicable): EAP 6.2.4


How reproducible:
Setup the Ldap configurations and enable the TRACE log level.

Steps to Reproduce:
Setup the Ldap configurations and enable the TRACE log level and test a simple login page against the login-moule.

Actual results:
Bind Credential is logged.

Expected results:
The password should be masked.

Additional info:
Actually we have:

protected void traceLdapEnv(Properties env)
   {
      if (trace)
      {
         Properties tmp = new Properties();
         tmp.putAll(env);
         String credentials = tmp.getProperty(Context.SECURITY_CREDENTIALS);
         if (credentials != null && credentials.length() > 0)
            tmp.setProperty(Context.SECURITY_CREDENTIALS, "***");
         log.trace("Logging into LDAP server, env=" + tmp.toString());
      }
   }

The traceLdapEnv should looks like:

 protected void traceLdapEnv(Properties env)
   {
      if (trace)
      {
         Properties tmp = new Properties();
         tmp.putAll(env);
         String credentials = tmp.getProperty(Context.SECURITY_CREDENTIALS);
         String bindCredential = tmp.getProperty(BIND_CREDENTIAL);
         if (credentials != null && credentials.length() > 0)
            tmp.setProperty(Context.SECURITY_CREDENTIALS, "***");
  
         if (bindCredential != null && bindCredential.length() > 0)
            tmp.setProperty(BIND_CREDENTIAL, "***");

         log.trace("Logging into LDAP server, env=" + tmp.toString());
      }
   }

PR is up: https://github.com/wildfly-security/jboss-negotiation/pull/21

Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-877 to Resolved

Please provide test (as discussed with Carlo) to include this in CP01 payload.
I will qa_ack afterwards.

Verified in EAP 6.4.1.CR2

Can we use VAULT to not put the plain password in the host.xml file?

Yes, vault can be used to mask passwords also in host.xml file. Follow the steps in Security Guide: https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/html-single/Security_Guide/index.html#chap-Secure_Passwords_and_Other_Sensitive_Strings_with_Password_Vault
and place vault configuration here:

<host name="master" xmlns="urn:jboss:domain:1.7">
     <vault>
     ...
     </vault>
     <management>

> Can we use VAULT to not put the plain password in the host.xml file?

Note that is completely unrelated to the issue on this BZ.

Retroactively bulk-closing issues from released EAP 6.4 cummulative patches.

Retroactively bulk-closing issues from released EAP 6.4 cummulative patches.