fix misstyped passwords leaked in log files with redmine auth provider 215/head 43/143/1
authormereth <mereth78@gmail.com>
Mon, 18 Aug 2014 23:13:37 +0000 (01:13 +0200)
committermereth <mereth78@gmail.com>
Mon, 18 Aug 2014 23:13:37 +0000 (01:13 +0200)
src/main/java/com/gitblit/auth/RedmineAuthProvider.java

index 7e957ecbbc91b668f1051b7594c5741cd4f7c50d..e505a54d37dd6cf0b26e1698fcbc81e73a960bb2 100644 (file)
@@ -153,15 +153,16 @@ public class RedmineAuthProvider extends UsernamePasswordAuthenticationProvider
         if (!url.endsWith("/")) {
                url = url.concat("/");
         }
+        String apiUrl = url + "users/current.json";
+        
         HttpURLConnection http;
         if (username == null) {
                // apikey authentication
                String apiKey = String.valueOf(password);
-               String apiUrl = url + "users/current.json?key=" + apiKey;
                http = (HttpURLConnection) ConnectionUtils.openConnection(apiUrl, null, null);
+            http.addRequestProperty("X-Redmine-API-Key", apiKey);
         } else {
                // username/password BASIC authentication
-               String apiUrl = url + "users/current.json";
                http = (HttpURLConnection) ConnectionUtils.openConnection(apiUrl, username, password);
         }
         http.setRequestMethod("GET");
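Review bot: The API-key branch should carry a comment recording why the key now travels in the `X-Redmine-API-Key` header, so a later cleanup does not fold it back into `apiUrl`; for example `// send the key as a header, never in the query string: request URLs end up in logs and error messages`. On the same added line, `http.setRequestProperty("X-Redmine-API-Key", apiKey);` would be the safer call, because `addRequestProperty` appends and would leave a second value in place if `ConnectionUtils.openConnection` ever pre-populates that header (its body is not visible here). Neither branch checks the scheme of `url`, so with an `http://` setting the key and the BASIC credentials would still cross the network in cleartext; whether that is validated elsewhere cannot be told from this hunk. The enclosing method starts and ends outside the hunk.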