We were working on a legacy system this week, and I noticed a database account was being locked every day. But I couldn't understand why that was happening.
Turns out that for integration tests, the data access layer had a base class that would retrieve connections and, if a connection could not be created from the datasource, then it would read the EntityManagerFactory's properties like user, password, JDBC URL, and schema.
It was working with Hibernate 3 or 4 I believe. But since we updated to 5.2.12, and as I was working exactly with integration tests, instead of the user password, it was getting '****'.
After some research I found where it was happening.
The code doesn't seem to be very consistent. It seems to be encrypting the property from JPA JDBC user name, and the Hibernate password. But leaving the JPA JDBC password, and the Hibernate user as plain text.
The pull request for this ticket masks all four properties. The Environment class also includes similar code, but masks only the Hibernate password. I believe it is correct, as it looks like the Environment class is not applicable for JPA, but only for Hibernate.
Hope it makes sense.
Happy to update the pull request's branch if necessary.
And thanks for such an amazing project.
Hibernate 5.2.12 + JPA 1