From Tim Funk <>
Subject Re: JAASCallbackHandler clear password in the log file
Date Mon, 24 Nov 2003 13:51:07 GMT
IMO, no. In a production environment:
1) The debug should not be turned up that high
2) If it's a production box, file permissions as well as people able to log
into the box should be trusted.


Yann GUEVEL wrote:

> Hi,
> if the debug level is > 3, the
> org.apache.catalina.realm.JAASCallbackHandler.handle method writes in
> the log file the login and password it received (tomcat 4.1.29
>, line 155). So anyone who can access the
> machine on which Tomcat is running can see all the logins and passwords
> used. Isn't this unsafe? Shouldn't this log be removed?
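The thread is about a CallbackHandler whose debug output includes the password it hands to the JAAS LoginModule. The following is an added example, not Tomcat's JAASCallbackHandler nor any code from the thread, showing the defensive pattern: a handler that still serves NameCallback and PasswordCallback, logs the user name at debug level, but only ever logs that a password was supplied (and its length), never its value. The class name RedactingCallbackHandler, the redact helper and the sample credentials are all constructed for this illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
 * Hypothetical JAAS callback handler (not Tomcat's) that supplies a username
 * and password to a LoginModule without ever writing the password to the
 * log, regardless of how high the debug level is set.
 */
public class RedactingCallbackHandler implements CallbackHandler {
    private static final Logger LOG =
            Logger.getLogger(RedactingCallbackHandler.class.getName());

    private final String username;
    private final char[] password;

    public RedactingCallbackHandler(String username, char[] password) {
        this.username = username;
        // Keep our own copy so the caller can wipe theirs independently.
        this.password = password == null ? new char[0] : password.clone();
    }

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
                // The user name is acceptable in a debug log.
                LOG.log(Level.FINE, "Returned username {0}", username);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);
                // Record that a password was supplied, never its value.
                LOG.log(Level.FINE, "Returned password for {0}: {1}",
                        new Object[] { username, redact(password) });
            } else {
                throw new UnsupportedCallbackException(cb, "Unrecognized callback");
            }
        }
    }

    /** Describes a secret for the log without revealing it: length only. */
    static String redact(char[] secret) {
        if (secret == null || secret.length == 0) {
            return "<none>";
        }
        return "<redacted, " + secret.length + " chars>";
    }

    /** Zero the cached copy once the login attempt has finished. */
    public void clear() {
        Arrays.fill(password, '\0');
    }

    public static void main(String[] args) throws Exception {
        // Turn debug logging all the way up to show that nothing sensitive leaks.
        ConsoleHandler console = new ConsoleHandler();
        console.setLevel(Level.ALL);
        LOG.addHandler(console);
        LOG.setLevel(Level.ALL);

        // Constructed sample credentials for the demonstration.
        RedactingCallbackHandler handler =
                new RedactingCallbackHandler("alice", "s3cret".toCharArray());
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        handler.handle(new Callback[] { nc, pc });

        // The LoginModule side still receives the real values.
        System.out.println("module got: " + nc.getName()
                + " / " + redact(pc.getPassword()));
        pc.clearPassword();
        handler.clear();
    }
}
```

Even with the logger at its most verbose, the only lines written are the user name and a `<redacted, N chars>` marker; the real password reaches the LoginModule through the callback object and is wiped from both copies once the attempt is over, so a readable log file on the box no longer exposes every credential that passed through it.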
