
All times are UTC - 5 hours [ DST ]



 Post subject: hibernate log db password without encryption
PostPosted: Thu Feb 24, 2005 5:10 pm 
Beginner

Joined: Mon Nov 15, 2004 8:32 pm
Posts: 36
Hi,
I am using hibernate with c3p0. I notice the database password is written to the log file without any encryption (through the logging of hibernate properties and c3p0 output to stderr). Is there a way for hibernate to log the properties with password encrypted (or removed)? Is there any option other than turning off the hibernate logging?

Thanks,
--Jiunjiun

Read the rules before posting!
http://www.hibernate.org/ForumMailingli ... AskForHelp

[b]Hibernate version:[/b]
2.1.7

[b]Mapping documents:[/b]

[b]Code between sessionFactory.openSession() and session.close():[/b]

[b]Full stack trace of any exception that occurs:[/b]

[b]Name and version of the database you are using:[/b]
postgres 7.3.x

[b]The generated SQL (show_sql=true):[/b]

[b]Debug level Hibernate log excerpt:[/b]


 
 Post subject: Not really a production problem
PostPosted: Thu Feb 24, 2005 6:52 pm 
Newbie

Joined: Wed Feb 23, 2005 3:34 pm
Posts: 16
Location: Irving, Tx
When server/container is started in DEBUG mode (log4j.properties), Hibernate will print all session properties. You need only restart in mode ERROR and this will only be evident when developers are debugging.


 
 Post subject:
PostPosted: Thu Feb 24, 2005 6:56 pm 
Newbie

Joined: Wed Feb 23, 2005 3:34 pm
Posts: 16
Location: Irving, Tx
If I'm wrong in that last suggestion, try modifying the source.


- Life is better Open GPL


 
 Post subject:
PostPosted: Thu Feb 24, 2005 7:02 pm 
Beginner

Joined: Mon Nov 15, 2004 8:32 pm
Posts: 36
I don't think I start hibernate in DEBUG mode. Is it the default mode?


 
 Post subject:
PostPosted: Thu Feb 24, 2005 7:24 pm 
Newbie

Joined: Wed Feb 23, 2005 3:34 pm
Posts: 16
Location: Irving, Tx
I'm not sure about defaults but...

See if you have a file log4j.properties in your classpath.
Change any occurrence of "=DEBUG" to "=ERROR".


 
 Post subject:
PostPosted: Fri Feb 25, 2005 4:58 am 
C3P0 Developer

Joined: Tue Jan 06, 2004 8:58 pm
Posts: 145
Hi.

Try upgrading to a more recent c3p0 (0.8.5). Recent c3p0's mask username and password when dumping config params.

(Logging as of c3p0-0.8.5 is still to stderr, rather than configurable via logging libs. Under usual circumstances, c3p0 logs very little, although when errors or unexpected conditions occur you'll see them. The next rev will have a means of adapting c3p0's output to configurable logging libraries.)

smiles,
Steve (c3p0 guy)
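
Added example, not part of the original post and not c3p0 or Hibernate source: one way to mask credentials in a copy of the connection properties before they are written to a log, so the result does not depend on the configured log level. The class and method names are hypothetical, the sample values are constructed, and it goes beyond the post by also masking a password embedded in a JDBC URL; it masks password-like keys only, so add the user name to the key list if that should be hidden too.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;
import java.util.regex.Pattern;

/** Added illustration; names here are hypothetical, not Hibernate or c3p0 API. */
public class MaskedProps {
    // Key fragments treated as secret (an assumption; extend for your own settings).
    private static final String[] SECRET_KEYS = {"password", "passwd", "secret"};
    // Credentials embedded in a JDBC URL query, e.g. ...?user=app&password=s3cret
    private static final Pattern URL_SECRET =
        Pattern.compile("(?i)((?:password|pwd)=)[^&;]*");

    /** Returns a sorted copy that is safe to log; the input is not modified. */
    public static Map<String, String> masked(Properties props) {
        Map<String, String> safe = new TreeMap<>();
        for (String key : props.stringPropertyNames()) {
            String value = props.getProperty(key);
            String lower = key.toLowerCase(Locale.ROOT);
            boolean secret = false;
            for (String s : SECRET_KEYS) {
                if (lower.contains(s)) { secret = true; break; }
            }
            // Secret keys lose their whole value; other values only lose URL-embedded passwords.
            safe.put(key, secret ? "****"
                                 : URL_SECRET.matcher(value).replaceAll("$1****"));
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample configuration, not taken from the thread.
        Properties p = new Properties();
        p.setProperty("hibernate.connection.username", "app");
        p.setProperty("hibernate.connection.password", "s3cret");
        p.setProperty("hibernate.connection.url",
            "jdbc:postgresql://db.example/app?user=app&password=s3cret");
        p.setProperty("hibernate.c3p0.max_size", "20");
        // Log the masked copy; the connection pool still receives the original Properties.
        System.err.println("connection properties: " + masked(p));
    }
}
```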


 
 Post subject:
PostPosted: Wed May 18, 2005 3:36 pm 
Newbie

Joined: Wed May 18, 2005 11:30 am
Posts: 6
Don't know that I agree that this is not a production problem. What stops a knowledgeable hacker from changing the logging properties file to use the appropriate level to get the password printed out? Granted it obscures it more, but does not secure it.

Obviously it's valuable to have this information when debugging, but, IMHO, given the security hole it creates I don't see it as being worth it.

Steve


© Copyright 2014, Red Hat Inc. All rights reserved. JBoss and Hibernate are registered trademarks and servicemarks of Red Hat, Inc.