From 2445d4b2b80671bdcefbd4ed81f394a5249ee13d Mon Sep 17 00:00:00 2001
From: mereth <mereth78@gmail.com>
Date: Tue, 19 Aug 2014 01:13:37 +0200
Subject: [PATCH] fix misstyped passwords leaked in log files with redmine auth
 provider

---
 src/main/java/com/gitblit/auth/RedmineAuthProvider.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/main/java/com/gitblit/auth/RedmineAuthProvider.java b/src/main/java/com/gitblit/auth/RedmineAuthProvider.java
index 7e957ecb..e505a54d 100644
--- a/src/main/java/com/gitblit/auth/RedmineAuthProvider.java
+++ b/src/main/java/com/gitblit/auth/RedmineAuthProvider.java
@@ -153,15 +153,16 @@ public class RedmineAuthProvider extends UsernamePasswordAuthenticationProvider
         if (!url.endsWith("/")) {
         	url = url.concat("/");
         }
+        String apiUrl = url + "users/current.json";
+        
         HttpURLConnection http;
         if (username == null) {
         	// apikey authentication
         	String apiKey = String.valueOf(password);
-        	String apiUrl = url + "users/current.json?key=" + apiKey;
         	http = (HttpURLConnection) ConnectionUtils.openConnection(apiUrl, null, null);
+            http.addRequestProperty("X-Redmine-API-Key", apiKey);
         } else {
         	// username/password BASIC authentication
-        	String apiUrl = url + "users/current.json";
         	http = (HttpURLConnection) ConnectionUtils.openConnection(apiUrl, username, password);
         }
         http.setRequestMethod("GET");
-- 
2.39.5