From 04bc3c75355c09c3678804eb055778ec481d2647 Mon Sep 17 00:00:00 2001
From: Shinsuke Sugaya
Date: Sun, 15 Mar 2026 17:05:23 +0900
Subject: [PATCH] fix(security): mask Authorization header value in SPNEGO error messages

Prevent leaking Kerberos/NTLM tokens or Base64-encoded credentials in exception messages and debug logs when SPNEGO authentication fails.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../codelibs/fess/sso/spnego/SpnegoAuthenticator.java | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/codelibs/fess/sso/spnego/SpnegoAuthenticator.java b/src/main/java/org/codelibs/fess/sso/spnego/SpnegoAuthenticator.java
index 90f15e88ce..2b25f5a6c7 100644
--- a/src/main/java/org/codelibs/fess/sso/spnego/SpnegoAuthenticator.java
+++ b/src/main/java/org/codelibs/fess/sso/spnego/SpnegoAuthenticator.java
@@ -188,7 +188,16 @@ public LoginCredential getLoginCredential() {
                 logger.debug("principal={}", principal);
             }
         } catch (final Exception e) {
-            final String msg = "Failed to process Authorization Header: " + request.getHeader(Constants.AUTHZ_HEADER);
+            final String authzHeader = request.getHeader(Constants.AUTHZ_HEADER);
+            final String maskedHeader;
+            if (authzHeader == null) {
+                maskedHeader = "null";
+            } else if (authzHeader.length() <= 10) {
+                maskedHeader = "***";
+            } else {
+                maskedHeader = authzHeader.substring(0, 10) + "***";
+            }
+            final String msg = "Failed to process Authorization Header: " + maskedHeader;
             if (logger.isDebugEnabled()) {
                 logger.debug(msg);
             }
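Review bot: The fixed 10-character prefix kept by `authzHeader.substring(0, 10)` in the added `else` branch is only safe for the `Negotiate ` scheme, whose name plus space happens to be exactly 10 characters; for a `Basic ` header it still echoes the first four Base64 characters (the first three bytes of the `user:password` pair), and for `NTLM ` the first five characters of the token, so the message does not fully deliver what the commit title promises. Masking everything after the scheme name is scheme-independent and keeps the diagnostic value of knowing which mechanism the client sent: replace the `length() <= 10` branch and the `substring(0, 10)` line with `final int sp = authzHeader.indexOf(' ');` and `maskedHeader = sp > 0 ? authzHeader.substring(0, sp) + " ***" : "***";`. The exception `e` caught on the context line above is not part of this hunk, so whether its own message (which may carry token material from the underlying GSS/SPNEGO library) is logged or rethrown cannot be judged here; worth checking that the same masking intent applies wherever `e` is reported. The enclosing `getLoginCredential()` method starts and ends outside the hunk.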