From "Yann GUEVEL" <yanng...@hotmail.com>
Subject Re: JAASCallbackHandler clear password in the log file
Date Tue, 25 Nov 2003 08:24:31 GMT
Hi,

I agree with you but :
1- Even if I trust the administrator of this production environment, I'm not 
beyond making a mistake: the administrator may be dishonest and then can 
get the logins and passwords and reuse them (the actions he does would then 
appear as normal ones).
2- In no system can the administrator see the password of a user. He can 
only reset it (such an action produces a log).
3- I think the JAAS realm is the only one which produces such logs. So 
if it is normal, why wouldn't the other realms (JDBC, JNDI...) do the same?

Yann


>From: Tim Funk <funkman@joedog.org>
>Reply-To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
>To: Tomcat Developers List <tomcat-dev@jakarta.apache.org>
>Subject: Re: JAASCallbackHandler clear password in the log file
>Date: Mon, 24 Nov 2003 08:51:07 -0500
>
>IMO, no. In a production environment:
>1) The debug should not be turned up that high
>2) If it's a production box, file permissions as well as people able to log 
>into the box should be trusted.
>
>
>-Tim
>
>Yann GUEVEL wrote:
>
>>Hi,
>>
>>if the debug level is > 3, the 
>>org.apache.catalina.realm.JAASCallbackHandler.handle method writes in the 
>>log file the login and password it received (tomcat 4.1.29 
>>JAASCallbackHandler.java, line 155). So anyone who can access the 
>>machine on which Tomcat is running can see all the logins and passwords 
>>used. Isn't this unsafe? Shouldn't this log be removed?
>
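As an added illustration of the mitigation discussed in this thread (example code, not Tomcat's own JAASCallbackHandler), a hypothetical JAAS CallbackHandler that still logs the username at high debug levels but never writes the password it returns; the class name, the debug threshold and the log method are assumptions:

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Hypothetical handler for illustration only; not Tomcat's code.
public class RedactingCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;
    private final int debug; // assumed debug level, as in the thread's "> 3"

    public RedactingCallbackHandler(String username, char[] password, int debug) {
        this.username = username;
        this.password = password;
        this.debug = debug;
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof NameCallback) {
                // Logging the username is acceptable at high debug levels.
                if (debug > 3) {
                    log("Returning username " + username);
                }
                ((NameCallback) callbacks[i]).setName(username);
            } else if (callbacks[i] instanceof PasswordCallback) {
                // The pattern reported in the thread would be something like
                //   log("Returning password " + new String(password));
                // Instead, record only that a password was supplied.
                if (debug > 3) {
                    log("Returning password for user " + username + " [redacted]");
                }
                ((PasswordCallback) callbacks[i]).setPassword(password);
            } else {
                throw new UnsupportedCallbackException(callbacks[i]);
            }
        }
    }

    // Assumed log sink; a realm would normally use its container logger.
    private void log(String msg) {
        System.err.println("RedactingCallbackHandler: " + msg);
    }
}
```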



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org

