hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: turning on httpclient debug log results in password in clear text in the logs
Date Thu, 21 Feb 2013 07:59:47 GMT
On Wed, 2013-02-20 at 15:21 -0800, yogesh kamat wrote:
> Hello,
> 
> I am using httpclient 4.1.3 to authenticate with a CAS server using basic authentication
> and POST. When I turn on debug logs for the java process, this results in my password being
> logged in clear text in the logs (through httpclient wire logging). Is this expected? Any way
> around this other than sending an encrypted password in the first place?
> 
> Thanks.
> 

Yogesh

Yes, it is. HttpClient does not attempt to obfuscate security sensitive
information contained in message headers or body. You should not be
using header / wire logging in productive environments.

Oleg
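
An added example, not part of the original thread and not HttpClient project code: a Python scrubber that finds and redacts Basic `Authorization` values and password form fields in lines written by the `org.apache.http.wire` and `org.apache.http.headers` loggers, for logs that were already produced with debug logging on. The sample lines are constructed, and the log layout and the form field names (`password`, `passwd`, `pwd`) are assumptions.

```python
import re

# Logger names HttpClient 4.x uses for wire and header logging.
SENSITIVE_LOGGERS = ("org.apache.http.wire", "org.apache.http.headers")

# Base64 credential after "Authorization: Basic" (also Proxy-Authorization).
BASIC_AUTH = re.compile(r'(?i)((?:proxy-)?authorization:\s*basic\s+)[A-Za-z0-9+/=]+')
# Assumption: the POST body carries the password in a field named like this.
FORM_SECRET = re.compile(r'(?i)\b((?:password|passwd|pwd)=)[^&\s"\[]+')

PATTERNS = (("basic-auth-header", BASIC_AUTH), ("form-password", FORM_SECRET))


def scrub_line(line):
    """Return (scrubbed_line, findings) for a single log line."""
    if not any(name in line for name in SENSITIVE_LOGGERS):
        return line, []          # not wire/header output, leave untouched
    findings = []
    for label, pattern in PATTERNS:
        line, hits = pattern.subn(r"\1[REDACTED]", line)
        findings.extend([label] * hits)
    return line, findings


def scrub_log(lines):
    """Scrub every line; report is a list of (line_number, finding_label)."""
    scrubbed, report = [], []
    for lineno, line in enumerate(lines, 1):
        clean, findings = scrub_line(line)
        scrubbed.append(clean)
        report.extend((lineno, label) for label in findings)
    return scrubbed, report


# Constructed sample lines (not taken from a real system).
SAMPLE = [
    r'2013/02/20 15:20:01 DEBUG org.apache.http.headers - >> POST /cas/login HTTP/1.1',
    r'2013/02/20 15:20:01 DEBUG org.apache.http.headers - >> Authorization: Basic YWxpY2U6ZXhhbXBsZS1wdw==',
    r'2013/02/20 15:20:01 DEBUG org.apache.http.wire - >> "Authorization: Basic YWxpY2U6ZXhhbXBsZS1wdw==[\r][\n]"',
    r'2013/02/20 15:20:01 DEBUG org.apache.http.wire - >> "username=alice&password=example-pw&submit=LOGIN"',
    r'2013/02/20 15:20:02 INFO  com.example.App - login flow finished',
]

if __name__ == "__main__":
    cleaned, report = scrub_log(SAMPLE)
    for lineno, label in report:
        print(f"line {lineno}: {label}")
    print("\n".join(cleaned))
```

A non-empty report also means the credentials on those lines have been readable to anyone with access to the log files and should be rotated.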


