tomcat-dev mailing list archives

From "Yann GUEVEL" <>
Subject JAASCallbackHandler clear password in the log file
Date Mon, 24 Nov 2003 13:07:15 GMT

If the debug level is > 3, the org.apache.catalina.realm.JAASCallbackHandler.handle method writes the login and password it received to the log file (Tomcat 4.1.29, line 155). So anyone who can access the machine on which Tomcat is running can see all the logins and passwords used. Isn't this unsafe? Shouldn't this log be removed?

Thanks for your answers.
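
Added example, not part of the original message and not Tomcat's JAASCallbackHandler source: a JAAS callback handler whose debug output records the username but never the password value. The class name, logger name, `debug` field and sample credentials are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.logging.Logger;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Hypothetical handler: supplies credentials to a LoginModule, logs no secret.
public class RedactingCallbackHandler implements CallbackHandler {
    private static final Logger LOG = Logger.getLogger("realm.jaas"); // assumed name
    private final String username;
    private final char[] password;
    private final int debug; // verbosity threshold, mirroring the "> 3" in the report

    public RedactingCallbackHandler(String username, char[] password, int debug) {
        this.username = username;
        this.password = password.clone(); // private copy, wiped in clear()
        this.debug = debug;
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                // Strip CR/LF so a crafted username cannot forge extra log lines.
                if (debug > 3) LOG.info("Returning username " + username.replaceAll("[\\r\\n]", "_"));
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                // Record that a password was supplied, never its value or length.
                if (debug > 3) LOG.info("Returning password <redacted>");
                ((PasswordCallback) cb).setPassword(password); // setPassword clones the array
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    // Zero the in-memory copy once authentication has finished.
    public void clear() { Arrays.fill(password, '\0'); }

    public static void main(String[] args) throws Exception {
        // Constructed sample credentials, for demonstration only.
        RedactingCallbackHandler h = new RedactingCallbackHandler("alice", "s3cret".toCharArray(), 4);
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        h.handle(new Callback[] { new NameCallback("Username: "), pc });
        pc.clearPassword(); // the callback holds its own copy; wipe it as well
        h.clear();
    }
}
```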

