How to solve - Apache Ftp Client library is printing password on console

June 03, 2018

Problem Statement

Apache provides lot of libraries for common utility functions for Java. One such common library is FTP library which provides better functionality to do FTP and FTPS calls. The reference to apache ftp library is: Apache Ftp

The problem comes while using FTPS. When developer uses login method of this library while authentication, it prints username and password in console, which is a huge security concern. Also, it exposes user credentials to logs. And, anyone can read those credentials if he or she has access to those logs.

Example

FTPClient ftpClient = null;
FTPSClient ftps = new FTPSClient("TLS", false);

//accept all for now
ftps.setTrustManager(TrustManagerUtils.getAcceptAllTrustManager());

//verbose
ftps.addProtocolCommandListener(
  new PrintCommandListener( new PrintWriter(new OutputStreamWriter(System.out, "UTF-8"), true)));

ftpClient = ftps;
//set connect timeout

ftpClient.setConnectTimeout(config.getConnectTimeout());
ftpClient.connect(host);
ftps.execPROT("P");
//SSL mode

if(ftpClient.login(username, password)) {
  //successfully login
}
else {
  //error condition
}

Example output:

``` 220-Isilon OneFS v7.2.1.1 220 AUTH TLS 234 Proceed with negotiation. PROT P 200 PROT now Private. USER USERNAME 331 Please specify the password. PASS PASSWORD ```

The Solution

For best security practices, we should not put passwords anywhere in logs. Lets come to the solution for this problem. We need to modify the code a little bit for this mess. See below code:

 FTPClient ftpClient = null;
 FTPSClient ftps = new FTPSClient("TLS", false);

 //accept all for now
 ftps.setTrustManager(TrustManagerUtils.getAcceptAllTrustManager());

 //verbose
 ftps.addProtocolCommandListener(new ProtocolCommandListener() {
  @Override public void protocolReplyReceived(ProtocolCommandEvent arg0) { }
  @Override public void protocolCommandSent(ProtocolCommandEvent arg0) { }
 });

 ftpClient = ftps;

 //set connect timeout
 ftpClient.setConnectTimeout(config.getConnectTimeout());

 ftpClient.connect(host);

 ftps.execPROT("P");
 //SSL mode
 if(ftpClient.login(username, password)) {
   //successfully login
 }
 else {
   //error condition
 }

Result

Now, you will not see previous mess in console, or in logs.

Note: Above code is just to show the problem of showing passwords in concole. I will write a complete better implementation of ftp and ftps apis.

apache ftp security

Latest Posts

Jenkins Pipeline with Jenkinsfile - How To Schedule Job on Cron and Not on Code Commit

How to solve - Apache Ftp Client library is printing password on console

Problem Statement

Example

Example output:

The Solution

Result

Similar Posts

How to Fix Drupal Mysql error - Communication link failure: 1153 Got a packet bigger than 'max_allowed_packet' bytes

Drupal 8 - How to show view user data to owner user only

Drupal 8 - How to hide help link About text formats and text format guidelines

ReactJS - Understanding SetState Asynchronous Behavior and How to correctly use it

Python SMTP Email Code - Sender Address Rejected - Not Owned By User

ReactJS - How to pass method to component and how to pass arguments to method

Latest Posts

Jenkins Pipeline with Jenkinsfile - How To Schedule Job on Cron and Not on Code Commit

How to Git Clone Another Repository from Jenkin Pipeline in Jenkinsfile

How to Fetch Multiple Credentials and Expose them in Environment using Jenkinsfile pipeline

Jenkins Pipeline - How to run Automation on Different Environment (Dev/Stage/Prod), with Credentials

Jenkinsfile - How to Create UI Form Text fields, Drop-down and Run for Different Conditions

Java Log4j Logger - Programmatically Initialize JSON logger with customized keys in json logs