tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Avoiding username/password being logged into localhost access logs
Date Thu, 23 Apr 2009 19:50:25 GMT
Dan Armbrust wrote:
> Sounds like a good enhancement request to me.  It's certainly
> reasonable that one should be able to ask Tomcat to never ever log a
> password in clear text.  In fact, it seems like that should be the
> default setting.

How is Tomcat meant to determine that data in the URL is a password and
needs to be filtered?

> I imagine there are all sorts of places that (rightfully) have
> policies against storing a clear text password anywhere.

The only reason you are seeing the password in the access logs appears
to be the fact that the application is including it in the URL. No
authentication scheme provided by Tomcat does this. This is an
application issue (it should be using POST rather than GET) not a Tomcat
one.

Mark


