tomcat-dev mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: JAASCallbackHandler clear password in the log file
Date Mon, 24 Nov 2003 13:51:07 GMT
IMO, no. In a production environment:
1) The debug level should not be turned up that high.
2) If it's a production box, file permissions, as well as the people able to log
into the box, should be trusted.


-Tim

Yann GUEVEL wrote:

> Hi,
> 
> If the debug level is > 3, the
> org.apache.catalina.realm.JAASCallbackHandler.handle method writes the
> login and password it received to the log file (tomcat 4.1.29
> JAASCallbackHandler.java, line 155). So anyone who can access the
> machine on which Tomcat is running can see all the logins and passwords
> used. Isn't this unsafe? Shouldn't this log be removed?



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
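For reference, the pattern the thread is about is a JAAS CallbackHandler that hands a username and password to a login module and logs what it handed over. The example below is added here and is not Tomcat's JAASCallbackHandler; it is a hypothetical handler that logs the fact that a password was supplied, with its length, but never the value, regardless of log level, and zeroes its copy of the password afterwards. It uses java.util.logging instead of Tomcat 4's container logger, which is an assumption made for a self-contained demo; the class name, the `clear()` method and the constructed credentials are all invented for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
 * Hypothetical CallbackHandler (not Tomcat's) that answers NameCallback and
 * PasswordCallback for a JAAS login module. Even at the most verbose log
 * level it records only that a password was supplied, never the password.
 */
public class RedactingCallbackHandler implements CallbackHandler {

    private static final Logger LOG =
            Logger.getLogger(RedactingCallbackHandler.class.getName());

    private final String username;
    private final char[] password; // private copy, zeroed by clear()

    public RedactingCallbackHandler(String username, char[] password) {
        this.username = username;
        this.password = password.clone();
    }

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
                // The username is not a secret; logging it is acceptable at FINEST.
                LOG.log(Level.FINEST, "Supplied username {0}", username);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);
                // Log the event and the length only; the value itself is never
                // formatted into a log message at any level.
                LOG.log(Level.FINEST,
                        "Supplied password for user {0} (value redacted, {1} chars)",
                        new Object[] {username, password.length});
            } else {
                throw new UnsupportedCallbackException(cb, "Unsupported callback");
            }
        }
    }

    /** Zero the private copy once the login module has consumed it. */
    public void clear() {
        Arrays.fill(password, '\0');
    }

    /** Stand-alone demo with constructed credentials and the log turned all the way up. */
    public static void main(String[] args) throws Exception {
        ConsoleHandler console = new ConsoleHandler();
        console.setLevel(Level.ALL);
        LOG.setLevel(Level.ALL);
        LOG.addHandler(console);
        LOG.setUseParentHandlers(false);

        // Constructed sample credentials, not real ones.
        char[] secret = "s3cr3t-example".toCharArray();
        RedactingCallbackHandler handler = new RedactingCallbackHandler("alice", secret);

        NameCallback nameCb = new NameCallback("login: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        handler.handle(new Callback[] {nameCb, pwCb});

        // The login module would read the callbacks here; the log above never
        // contains "s3cr3t-example", only the user and the redacted length.
        System.out.println("name callback received: " + nameCb.getName());
        System.out.println("password callback received "
                + pwCb.getPassword().length + " chars");

        pwCb.clearPassword();
        handler.clear();
    }
}
```

Run with `java RedactingCallbackHandler.java` (Java 11 or later); the console output at level FINEST shows the username and "value redacted, 14 chars" but never the password itself. The point relative to the thread is that a log line which is safe only because the level is rarely raised is still a liability, whereas a log line that cannot contain the secret stays safe whatever the debug level or the file permissions.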

