Posted to users@tomcat.apache.org by Terry Orechia <To...@comcast.net> on 2006/05/26 15:35:38 UTC

HOWTO remove username/password from logging to tomcat logs

 How do I control the logging of the username/password in the Tomcat logs when a user logs into the Tomcat website? There are no logging statements in my servlet to print this data, and there is no code to catch the login request. Each time a user logs into the website, the username and password are logged. I am running Tomcat 4.1 on Debian with the Tomcat/Apache JK2 Connector and log4j. I am using form-based authentication with a Memory Realm via the tomcat-users.xml file. I have also noticed that when I upload a file using multipart/form-data in an HTTP POST request to the servlet, the complete contents of the file get logged in the Tomcat logs in the same way. The log entry looks like a dump of the HTTP data. I have been googling and looking through the Tomcat docs, but cannot find any place where a logging level controls whether this HTTP content is dumped to the Tomcat logs. Any ideas would be appreciated.


Here is the log entry I am trying to remove from my catalina.log; it appears when I log in with username "demo" and password "dddd".
---
12 34 00 21 00 1f 6a 5f 75 73 65 72 6e 61 6d 65  | .4.!..j_username
3d 64 65 6d 6f 26 6a 5f 70 61 73 73 77 6f 72 64  | =demo&j_password
3d 64 64 64 64                                   | =dddd

--

Here is the server.xml for 4.1 Debian, vorlab is the context:
  <server port ="8005" shutdown="SHUTDOWN " debug="0"/> 
  <!-- Uncomment these entries to enable JMX MBeans support -->
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
            debug="0"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
            debug="0"/>

  <!-- Global JNDI resources -->
  <GlobalNamingResources>

    <!-- Test entry for demonstration purposes -->
    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>

    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
       description="User database that can be updated and saved">
    </Resource>
    <ResourceParams name="UserDatabase">
      <parameter>
        <name>factory</name>
        <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
      </parameter>
      <parameter>
        <name>pathname</name>
        <value>conf/tomcat-users.xml</value>
      </parameter>
    </ResourceParams>

  </GlobalNamingResources>

  <!-- Define the Tomcat Stand-Alone Service -->
  <Service name="Tomcat-Standalone">

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned.  Each Connector passes requests on to the
         associated "Container" (normally an Engine) for processing.
    -->

    <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8180" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="10" debug="0"
               connectionTimeout="20000" useURIValidationHack="false" />
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8080" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="10" debug="0"
               connectionTimeout="20000" useURIValidationHack="false" />

    <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
    <!-- NOTE(review): this is the only connector in this file that uses
         org.apache.jk.server.JkCoyoteHandler. The dump quoted earlier in this
         message starts with bytes 12 34, which is the AJP13 prefix for packets
         sent from the web server to the container, and its 00 1f (31) length
         field matches the 31-byte form body (j_username=demo&amp;j_password=dddd).
         The entry is therefore most likely this handler's packet dump of the
         request body, not application logging. debug="0" is already set on this
         element, so that attribute presumably does not suppress the dump.
         Until the dump is gone, the catalina log should be handled as a file
         that contains cleartext credentials and uploaded file contents:
         restrict who can read it and how long it is retained. -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8009" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="10" debug="0"
               connectionTimeout="20000" useURIValidationHack="false"
               protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>

    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host). -->

    <!-- Define the top level container in our container hierarchy -->
    <Engine name="Standalone" defaultHost="localhost" debug="0">

      <!-- Global logger unless overridden at lower levels -->
      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="catalina_" suffix=".log" timestamp="true"/>
      <!-- Because this Realm is here, an instance will be shared globally -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             debug="0" resourceName="UserDatabase"/>
      <!-- Define the default virtual host -->
      <Host name="localhost" debug="0" appBase="webapps" 
            unpackWARs="true" autoDeploy="true">

        <!-- Logger shared by all Contexts related to this virtual host. -->
        <Logger className="org.apache.catalina.logger.FileLogger"
                directory="logs" prefix="localhost_" suffix=".log"
                timestamp="true"/>

        <!-- Allow symlinks for the tomcat-docs webapp. This is required in
      the Debian packages to make the Servlet/JSP API docs work. -->
         <Context path="/tomcat-docs" docBase="tomcat-docs" debug="0">
            <Resources className="org.apache.naming.resources.FileDirContext"
                       allowLinking="true" />
         </Context>
         <Context path="" docBase="ROOT" debug="0">
            <Resources className="org.apache.naming.resources.FileDirContext"
                       allowLinking="true" />
         </Context>
<Context className="org.apache.catalina.core.StandardContext" allowLinking="true" backgroundProcessorDelay="-1" cachingAllowed="true" charsetMapperClass="org.apache.catalina.util.CharsetMapper"  cookies="true" crossContext="false" debug="0" docBase="/projects/vorl" domain="Catalina" engineName="Catalina" j2EEApplication="none" j2EEServer="none" lazy="true" managerChecksFrequency="6" path="/vorlab" privileged="false" reloadable="false" startupTime="0" swallowOutput="false" tldScanTime="0" useNaming="true" wrapperClass="org.apache.catalina.core.StandardWrapper">
<Resources className="org.apache.naming.resources.FileDirContext" allowLinking="true"/>
<Resource name="jdbc/MYSQLDB"
               auth="Container"
               type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/MYSQLDB">
    <parameter>
      <name>factory</name>
      <value>org.apache.commons.dbcp.BasicDataSourceFactory</value>
    </parameter>
    <!-- Class name for mm.mysql JDBC driver -->
    <parameter>
       <name>driverClassName</name>
       <value>com.mysql.jdbc.Driver</value>
    </parameter>
    <parameter>
      <name>url</name>
      <value>jdbc:mysql://localhost/vorlab?autoReconnect=true&amp;zeroDateTimeBehavior=convertToNull&amp;jdbcCompliantTruncation=false</value>
    </parameter>
  </ResourceParams></Context>
      </Host>
    </Engine>
  </Service>
</Server>

Here is the relevant web.xml:

 <?xml version="1.0" encoding="ISO-8859-1" ?> 
- <web-app>
  <display-name>VORLAB</display-name> 
  <description>WebSite</description> 
- <resource-ref>
  <description>DB Connection</description> 
  <res-ref-name>jdbc/MYSQLDB</res-ref-name> 
  <res-type>javax.sql.DataSource</res-type> 
  <res-auth>Container</res-auth> 
  </resource-ref>
- <servlet>
  <servlet-name>dblist</servlet-name> 
  <display-name>The work-horse servlet</display-name> 
  <description>The work-horse servlet</description> 
  <servlet-class>biotree.http.HttpList</servlet-class> 
- <init-param>
  <param-name>propFile</param-name> 
  <param-value>access.properties</param-value> 
  </init-param>
  </servlet>
  <servlet-name>logconfig</servlet-name> 
  <display-name>The logging servlet</display-name> 
  <description>The logging servlet</description> 
  <servlet-class>LogServlet</servlet-class> 
  <load-on-startup>1</load-on-startup> 
  </servlet>
- <servlet-mapping>
  <servlet-name>dblist</servlet-name> 
  <url-pattern>/dblist</url-pattern> 
  </servlet-mapping>
-   <servlet-name>logconfig</servlet-name> 
  <url-pattern>/logconfig</url-pattern> 
  </servlet-mapping>
-  <security-constraint>
- <web-resource-collection>
  <web-resource-name>test</web-resource-name> 
  <url-pattern>*</url-pattern> 
  </web-resource-collection>
- <auth-constraint>
  <role-name>provider</role-name> 
  </auth-constraint>
  </security-constraint>
- <login-config>
  <auth-method>FORM</auth-method> 
  <realm-name>JDBCRealm</realm-name> 
- <form-login-config>
  <form-login-page>/login.html</form-login-page> 
  <form-error-page>/error.html</form-error-page> 
  </form-login-config>
  </login-config>
  </web-app>


Thanks for your input,
Terry 


Re: HOWTO remove username/password from logging to tomcat logs

Posted by "david.delbecq" <da...@oma.be>.
Are you sure this is your config?

Your mail:
"I am using .Form Based Authentication using Memory Realm via
tomcat-users.xml file"

Your web.xml:

"<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>JDBCRealm</realm-name> "


Also, it might be good to check / send the context.xml of your webapp.

This all looks to me like a request dump valve has been installed for
debugging purposes.

Greetings,
David Delbecq

Terry Orechia a écrit :

> How do I control the logging of username/password in tomcat logs when a user logs into the tomcat website. There are no logging statements  in  my servlet  to print this data and there is no code to catch the login request . Each time a user logs into the website , the username and password are logged.     I am running tomcat 4.1 on debian with  Tomcat/Apache JK2 Connector and log4j.     I am using  .Form Based Authentication using Memory Realm via tomcat-users.xml file.   I have also noticed that when I upload a file  using multipart/form data on http Post request to servlet, the complete contents of the file gets logged in the tomcat logs in the same way.   The log entry looks lilke a dump of the http data.   I have been googling the Internet trying to solve this one and looking through the tomcat docs but cannot find any place where the logging level controls this data in http content from dumping to the tomcat logs.   Any ideas would be appreciated.
>
>
>Here is the contents of the statement I am trying to remove in my catalina.log that appears when I login as username "demo" and password "dddd".
>---
>12 34 00 21 00 1f 6a 5f 75 73 65 72 6e 61 6d 65  | .4.!..j_username
>3d 64 65 6d 6f 26 6a 5f 70 61 73 73 77 6f 72 64  | =demo&j_password
>3d 64 64 64 64                                   | =dddd
>
>--
>
>Here is the server.xml for 4.1 Debian, vorlab is the context:
>  <server port ="8005" shutdown="SHUTDOWN " debug="0"/> 
>  <!-- Uncomment these entries to enable JMX MBeans support -->
>  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
>            debug="0"/>
>  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
>            debug="0"/>
>
>  <!-- Global JNDI resources -->
>  <GlobalNamingResources>
>
>    <!-- Test entry for demonstration purposes -->
>    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
>
>    <!-- Editable user database that can also be used by
>         UserDatabaseRealm to authenticate users -->
>    <Resource name="UserDatabase" auth="Container"
>              type="org.apache.catalina.UserDatabase"
>       description="User database that can be updated and saved">
>    </Resource>
>    <ResourceParams name="UserDatabase">
>      <parameter>
>        <name>factory</name>
>        <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
>      </parameter>
>      <parameter>
>        <name>pathname</name>
>        <value>conf/tomcat-users.xml</value>
>      </parameter>
>    </ResourceParams>
>
>  </GlobalNamingResources>
>
>  <!-- Define the Tomcat Stand-Alone Service -->
>  <Service name="Tomcat-Standalone">
>
>    <!-- A "Connector" represents an endpoint by which requests are received
>         and responses are returned.  Each Connector passes requests on to the
>         associated "Container" (normally an Engine) for processing.
>    -->
>
>    <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 -->
>    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>               port="8180" minProcessors="5" maxProcessors="75"
>               enableLookups="true" acceptCount="10" debug="0"
>               connectionTimeout="20000" useURIValidationHack="false" />
>    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>               port="8080" minProcessors="5" maxProcessors="75"
>               enableLookups="true" acceptCount="10" debug="0"
>               connectionTimeout="20000" useURIValidationHack="false" />
>
>    <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
>    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>               port="8009" minProcessors="5" maxProcessors="75"
>               enableLookups="true" acceptCount="10" debug="0"
>               connectionTimeout="20000" useURIValidationHack="false"
>               protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
>
>    <!-- An Engine represents the entry point (within Catalina) that processes
>         every request.  The Engine implementation for Tomcat stand alone
>         analyzes the HTTP headers included with the request, and passes them
>         on to the appropriate Host (virtual host). -->
>
>    <!-- Define the top level container in our container hierarchy -->
>    <Engine name="Standalone" defaultHost="localhost" debug="0">
>
>      <!-- Global logger unless overridden at lower levels -->
>      <Logger className="org.apache.catalina.logger.FileLogger"
>              prefix="catalina_" suffix=".log" timestamp="true"/>
>      <!-- Because this Realm is here, an instance will be shared globally -->
>      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>             debug="0" resourceName="UserDatabase"/>
>      <!-- Define the default virtual host -->
>      <Host name="localhost" debug="0" appBase="webapps" 
>            unpackWARs="true" autoDeploy="true">
>
>        <!-- Logger shared by all Contexts related to this virtual host. -->
>        <Logger className="org.apache.catalina.logger.FileLogger"
>                directory="logs" prefix="localhost_" suffix=".log"
>                timestamp="true"/>
>
>        <!-- Allow symlinks for the tomcat-docs webapp. This is required in
>      the Debian packages to make the Servlet/JSP API docs work. -->
>         <Context path="/tomcat-docs" docBase="tomcat-docs" debug="0">
>            <Resources className="org.apache.naming.resources.FileDirContext"
>                       allowLinking="true" />
>         </Context>
>         <Context path="" docBase="ROOT" debug="0">
>            <Resources className="org.apache.naming.resources.FileDirContext"
>                       allowLinking="true" />
>         </Context>
><Context className="org.apache.catalina.core.StandardContext" allowLinking="true" backgroundProcessorDelay="-1" cachingAllowed="true" charsetMapperClass="org.apache.catalina.util.CharsetMapper"  cookies="true" crossContext="false" debug="0" docBase="/projects/vorl" domain="Catalina" engineName="Catalina" j2EEApplication="none" j2EEServer="none" lazy="true" managerChecksFrequency="6" path="/vorlab" privileged="false" reloadable="false" startupTime="0" swallowOutput="false" tldScanTime="0" useNaming="true" wrapperClass="org.apache.catalina.core.StandardWrapper">
><Resources className="org.apache.naming.resources.FileDirContext" allowLinking="true"/>
><Resource name="jdbc/MYSQLDB"
>               auth="Container"
>               type="javax.sql.DataSource"/>
>  <ResourceParams name="jdbc/MYSQLDB">
>    <parameter>
>      <name>factory</name>
>      <value>org.apache.commons.dbcp.BasicDataSourceFactory</value>
>    </parameter>
>    <!-- Class name for mm.mysql JDBC driver -->
>    <parameter>
>       <name>driverClassName</name>
>       <value>com.mysql.jdbc.Driver</value>
>    </parameter>
>    <parameter>
>      <name>url</name>
>      <value>jdbc:mysql://localhost/vorlab?autoReconnect=true&amp;zeroDateTimeBehavior=convertToNull&amp;jdbcCompliantTruncation=false</value>
>    </parameter>
>  </ResourceParams></Context>
>      </Host>
>    </Engine>
>  </Service>
></Server>
>
>Here is the relevant web.xml:
>
> <?xml version="1.0" encoding="ISO-8859-1" ?> 
>- <web-app>
>  <display-name>VORLAB</display-name> 
>  <description>WebSite</description> 
>- <resource-ref>
>  <description>DB Connection</description> 
>  <res-ref-name>jdbc/MYSQLDB</res-ref-name> 
>  <res-type>javax.sql.DataSource</res-type> 
>  <res-auth>Container</res-auth> 
>  </resource-ref>
>- <servlet>
>  <servlet-name>dblist</servlet-name> 
>  <display-name>The work-horse servlet</display-name> 
>  <description>The work-horse servlet</description> 
>  <servlet-class>biotree.http.HttpList</servlet-class> 
>- <init-param>
>  <param-name>propFile</param-name> 
>  <param-value>access.properties</param-value> 
>  </init-param>
>  </servlet>
>  <servlet-name>logconfig</servlet-name> 
>  <display-name>The logging servlet</display-name> 
>  <description>The logging servlet</description> 
>  <servlet-class>LogServlet</servlet-class> 
>  <load-on-startup>1</load-on-startup> 
>  </servlet>
>- <servlet-mapping>
>  <servlet-name>dblist</servlet-name> 
>  <url-pattern>/dblist</url-pattern> 
>  </servlet-mapping>
>-   <servlet-name>logconfig</servlet-name> 
>  <url-pattern>/logconfig</url-pattern> 
>  </servlet-mapping>
>-  <security-constraint>
>- <web-resource-collection>
>  <web-resource-name>test</web-resource-name> 
>  <url-pattern>*</url-pattern> 
>  </web-resource-collection>
>- <auth-constraint>
>  <role-name>provider</role-name> 
>  </auth-constraint>
>  </security-constraint>
>- <login-config>
>  <auth-method>FORM</auth-method> 
>  <realm-name>JDBCRealm</realm-name> 
>- <form-login-config>
>  <form-login-page>/login.html</form-login-page> 
>  <form-error-page>/error.html</form-error-page> 
>  </form-login-config>
>  </login-config>
>  </web-app>
>
>
>Thanks for your input,
>Terry 
>
>
>  
>







Re: HOWTO remove username/password from logging to tomcat logs

Posted by Terry Orechia <To...@comcast.net>.
Do you know what version of tomcat this was fixed in?
Thanks,

----- Original Message ----- 
From: "Filip Hanik - Dev Lists" <de...@hanik.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Friday, May 26, 2006 10:12 PM
Subject: Re: HOWTO remove username/password from logging to tomcat logs


this is JK/AJP connector, and it sucks, cause you can't remove it. later
versions of tomcat its only logging this under debug.


Filip

Terry Orechia wrote:
>  How do I control the logging of username/password in tomcat logs when a 
> user logs into the tomcat website. There are no logging statements  in  my 
> servlet  to print this data and there is no code to catch the login 
> request . Each time a user logs into the website , the username and 
> password are logged.     I am running tomcat 4.1 on debian with 
> Tomcat/Apache JK2 Connector and log4j.     I am using  .Form Based 
> Authentication using Memory Realm via tomcat-users.xml file.   I have also 
> noticed that when I upload a file  using multipart/form data on http Post 
> request to servlet, the complete contents of the file gets logged in the 
> tomcat logs in the same way.   The log entry looks lilke a dump of the 
> http data.   I have been googling the Internet trying to solve this one 
> and looking through the tomcat docs but cannot find any place where the 
> logging level controls this data in http content from dumping to the 
> tomcat logs.   Any ideas would be appreciated.
>
>
> Here is the contents of the statement I am trying to remove in my 
> catalina.log that appears when I login as username "demo" and password 
> "dddd".
> ---
> 12 34 00 21 00 1f 6a 5f 75 73 65 72 6e 61 6d 65  | .4.!..j_username
> 3d 64 65 6d 6f 26 6a 5f 70 61 73 73 77 6f 72 64  | =demo&j_password
> 3d 64 64 64 64                                   | =dddd
>
> --
>
> Here is the server.xml for 4.1 Debian, vorlab is the context:
>   <server port ="8005" shutdown="SHUTDOWN " debug="0"/> <!-- Uncomment 
> these entries to enable JMX MBeans support -->
>   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
>             debug="0"/>
>   <Listener 
> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
>             debug="0"/>
>
>   <!-- Global JNDI resources -->
>   <GlobalNamingResources>
>
>     <!-- Test entry for demonstration purposes -->
>     <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
>
>     <!-- Editable user database that can also be used by
>          UserDatabaseRealm to authenticate users -->
>     <Resource name="UserDatabase" auth="Container"
>               type="org.apache.catalina.UserDatabase"
>        description="User database that can be updated and saved">
>     </Resource>
>     <ResourceParams name="UserDatabase">
>       <parameter>
>         <name>factory</name>
>         <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
>       </parameter>
>       <parameter>
>         <name>pathname</name>
>         <value>conf/tomcat-users.xml</value>
>       </parameter>
>     </ResourceParams>
>
>   </GlobalNamingResources>
>
>   <!-- Define the Tomcat Stand-Alone Service -->
>   <Service name="Tomcat-Standalone">
>
>     <!-- A "Connector" represents an endpoint by which requests are 
> received
>          and responses are returned.  Each Connector passes requests on to 
> the
>          associated "Container" (normally an Engine) for processing.
>     -->
>
>     <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8180" minProcessors="5" maxProcessors="75"
>                enableLookups="true" acceptCount="10" debug="0"
>                connectionTimeout="20000" useURIValidationHack="false" />
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8080" minProcessors="5" maxProcessors="75"
>                enableLookups="true" acceptCount="10" debug="0"
>                connectionTimeout="20000" useURIValidationHack="false" />
>
>     <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8009" minProcessors="5" maxProcessors="75"
>                enableLookups="true" acceptCount="10" debug="0"
>                connectionTimeout="20000" useURIValidationHack="false"
> 
> protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
>
>     <!-- An Engine represents the entry point (within Catalina) that 
> processes
>          every request.  The Engine implementation for Tomcat stand alone
>          analyzes the HTTP headers included with the request, and passes 
> them
>          on to the appropriate Host (virtual host). -->
>
>     <!-- Define the top level container in our container hierarchy -->
>     <Engine name="Standalone" defaultHost="localhost" debug="0">
>
>       <!-- Global logger unless overridden at lower levels -->
>       <Logger className="org.apache.catalina.logger.FileLogger"
>               prefix="catalina_" suffix=".log" timestamp="true"/>
>       <!-- Because this Realm is here, an instance will be shared 
> globally -->
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>              debug="0" resourceName="UserDatabase"/>
>       <!-- Define the default virtual host -->
>       <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" 
> autoDeploy="true">
>
>         <!-- Logger shared by all Contexts related to this virtual 
> host. -->
>         <Logger className="org.apache.catalina.logger.FileLogger"
>                 directory="logs" prefix="localhost_" suffix=".log"
>                 timestamp="true"/>
>
>         <!-- Allow symlinks for the tomcat-docs webapp. This is required 
> in
>       the Debian packages to make the Servlet/JSP API docs work. -->
>          <Context path="/tomcat-docs" docBase="tomcat-docs" debug="0">
>             <Resources 
> className="org.apache.naming.resources.FileDirContext"
>                        allowLinking="true" />
>          </Context>
>          <Context path="" docBase="ROOT" debug="0">
>             <Resources 
> className="org.apache.naming.resources.FileDirContext"
>                        allowLinking="true" />
>          </Context>
> <Context className="org.apache.catalina.core.StandardContext" 
> allowLinking="true" backgroundProcessorDelay="-1" cachingAllowed="true" 
> charsetMapperClass="org.apache.catalina.util.CharsetMapper" 
> cookies="true" crossContext="false" debug="0" docBase="/projects/vorl" 
> domain="Catalina" engineName="Catalina" j2EEApplication="none" 
> j2EEServer="none" lazy="true" managerChecksFrequency="6" path="/vorlab" 
> privileged="false" reloadable="false" startupTime="0" 
> swallowOutput="false" tldScanTime="0" useNaming="true" 
> wrapperClass="org.apache.catalina.core.StandardWrapper">
> <Resources className="org.apache.naming.resources.FileDirContext" 
> allowLinking="true"/>
> <Resource name="jdbc/MYSQLDB"
>                auth="Container"
>                type="javax.sql.DataSource"/>
>   <ResourceParams name="jdbc/MYSQLDB">
>     <parameter>
>       <name>factory</name>
>       <value>org.apache.commons.dbcp.BasicDataSourceFactory</value>
>     </parameter>
>     <!-- Class name for mm.mysql JDBC driver -->
>     <parameter>
>        <name>driverClassName</name>
>        <value>com.mysql.jdbc.Driver</value>
>     </parameter>
>     <parameter>
>       <name>url</name>
> 
> <value>jdbc:mysql://localhost/vorlab?autoReconnect=true&amp;zeroDateTimeBehavior=convertToNull&amp;jdbcCompliantTruncation=false</value>
>     </parameter>
>   </ResourceParams></Context>
>       </Host>
>     </Engine>
>   </Service>
> </Server>
>
> Here is the relevant web.xml:
>
>  <?xml version="1.0" encoding="ISO-8859-1" ?> - <web-app>
>   <display-name>VORLAB</display-name> <description>WebSite</description> - 
> <resource-ref>
>   <description>DB Connection</description> 
> <res-ref-name>jdbc/MYSQLDB</res-ref-name> 
> <res-type>javax.sql.DataSource</res-type> <res-auth>Container</res-auth> 
> </resource-ref>
> - <servlet>
>   <servlet-name>dblist</servlet-name> <display-name>The work-horse 
> servlet</display-name> <description>The work-horse servlet</description> 
> <servlet-class>biotree.http.HttpList</servlet-class> - <init-param>
>   <param-name>propFile</param-name> 
> <param-value>access.properties</param-value> </init-param>
>   </servlet>
>   <servlet-name>logconfig</servlet-name> <display-name>The logging 
> servlet</display-name> <description>The logging servlet</description> 
> <servlet-class>LogServlet</servlet-class> 
> <load-on-startup>1</load-on-startup> </servlet>
> - <servlet-mapping>
>   <servlet-name>dblist</servlet-name> <url-pattern>/dblist</url-pattern> 
> </servlet-mapping>
> -   <servlet-name>logconfig</servlet-name> 
> <url-pattern>/logconfig</url-pattern> </servlet-mapping>
> -  <security-constraint>
> - <web-resource-collection>
>   <web-resource-name>test</web-resource-name> <url-pattern>*</url-pattern> 
> </web-resource-collection>
> - <auth-constraint>
>   <role-name>provider</role-name> </auth-constraint>
>   </security-constraint>
> - <login-config>
>   <auth-method>FORM</auth-method> <realm-name>JDBCRealm</realm-name> - 
> <form-login-config>
>   <form-login-page>/login.html</form-login-page> 
> <form-error-page>/error.html</form-error-page> </form-login-config>
>   </login-config>
>   </web-app>
>
>
> Thanks for your input,
> Terry
>
>   ------------------------------------------------------------------------
>
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.394 / Virus Database: 268.7.1/347 - Release Date: 5/24/2006
>


-- 


Filip Hanik








Re: HOWTO remove username/password from logging to tomcat logs

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
This is the JK/AJP connector, and it sucks, because you can't remove it. Later
versions of Tomcat only log this under debug.


Filip

Terry Orechia wrote:
>  How do I control the logging of username/password in tomcat logs when a user logs into the tomcat website. There are no logging statements  in  my servlet  to print this data and there is no code to catch the login request . Each time a user logs into the website , the username and password are logged.     I am running tomcat 4.1 on debian with  Tomcat/Apache JK2 Connector and log4j.     I am using  .Form Based Authentication using Memory Realm via tomcat-users.xml file.   I have also noticed that when I upload a file  using multipart/form data on http Post request to servlet, the complete contents of the file gets logged in the tomcat logs in the same way.   The log entry looks lilke a dump of the http data.   I have been googling the Internet trying to solve this one and looking through the tomcat docs but cannot find any place where the logging level controls this data in http content from dumping to the tomcat logs.   Any ideas would be appreciated.
>
>
> Here is the contents of the statement I am trying to remove in my catalina.log that appears when I login as username "demo" and password "dddd".
> ---
> 12 34 00 21 00 1f 6a 5f 75 73 65 72 6e 61 6d 65  | .4.!..j_username
> 3d 64 65 6d 6f 26 6a 5f 70 61 73 73 77 6f 72 64  | =demo&j_password
> 3d 64 64 64 64                                   | =dddd
>
> --
>
> Here is the server.xml for 4.1 Debian, vorlab is the context:
>   <server port ="8005" shutdown="SHUTDOWN " debug="0"/> <!-- Quoted server.xml for Tomcat 4.1 on Debian: one Service with two HTTP
>        connectors, one AJP connector, a UserDatabaseRealm on the Engine and
>        three contexts under the localhost Host.
>        NOTE(review): port 8005 keeps the stock shutdown command (shown here
>        with a trailing space inside the quotes); anything able to connect to
>        that port and send the command stops the server, so a non-default
>        value is the usual hardening. Confirm the deployed value. -->
>   <!-- Uncomment these entries to enable JMX MBeans support -->
>   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
>             debug="0"/>
>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
>             debug="0"/>
>
>   <!-- Global JNDI resources -->
>   <GlobalNamingResources>
>
>     <!-- Test entry for demonstration purposes -->
>     <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
>
>     <!-- Editable user database that can also be used by
>          UserDatabaseRealm to authenticate users. The parameters below back
>          it with conf/tomcat-users.xml through MemoryUserDatabaseFactory. -->
>     <Resource name="UserDatabase" auth="Container"
>               type="org.apache.catalina.UserDatabase"
>        description="User database that can be updated and saved">
>     </Resource>
>     <ResourceParams name="UserDatabase">
>       <parameter>
>         <name>factory</name>
>         <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
>       </parameter>
>       <parameter>
>         <name>pathname</name>
>         <value>conf/tomcat-users.xml</value>
>       </parameter>
>     </ResourceParams>
>
>   </GlobalNamingResources>
>
>   <!-- Define the Tomcat Stand-Alone Service -->
>   <Service name="Tomcat-Standalone">
>
>     <!-- A "Connector" represents an endpoint by which requests are received
>          and responses are returned.  Each Connector passes requests on to the
>          associated "Container" (normally an Engine) for processing.
>     -->
>
>     <!-- Define non-SSL Coyote HTTP/1.1 Connectors on ports 8180 and 8080.
>          NOTE(review): no SSL connector appears in this file, so a FORM login
>          posted to either port carries j_username/j_password unencrypted
>          unless TLS is terminated in front of Tomcat (not shown here). -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8180" minProcessors="5" maxProcessors="75"
>                enableLookups="true" acceptCount="10" debug="0"
>                connectionTimeout="20000" useURIValidationHack="false" />
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8080" minProcessors="5" maxProcessors="75"
>                enableLookups="true" acceptCount="10" debug="0"
>                connectionTimeout="20000" useURIValidationHack="false" />
>
>     <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009.
>          NOTE(review): the dump quoted earlier in this message begins with
>          12 34, the AJP13 prefix for packets sent from the web server to the
>          container, and its length fields (00 21, 00 1f) fit a request-body
>          chunk holding the 31-byte login form. It therefore presumably comes
>          from the org.apache.jk handler named below logging at debug level
>          through log4j, not from the debug="0" attribute; confirm against the
>          log4j configuration, which is not shown.
>          AJP is not encrypted and nothing in this element limits who may
>          connect, so verify that port 8009 is reachable only by the fronting
>          Apache. -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8009" minProcessors="5" maxProcessors="75"
>                enableLookups="true" acceptCount="10" debug="0"
>                connectionTimeout="20000" useURIValidationHack="false"
>                protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
>
>     <!-- An Engine represents the entry point (within Catalina) that processes
>          every request.  The Engine implementation for Tomcat stand alone
>          analyzes the HTTP headers included with the request, and passes them
>          on to the appropriate Host (virtual host). -->
>
>     <!-- Define the top level container in our container hierarchy -->
>     <Engine name="Standalone" defaultHost="localhost" debug="0">
>
>       <!-- Global logger unless overridden at lower levels -->
>       <Logger className="org.apache.catalina.logger.FileLogger"
>               prefix="catalina_" suffix=".log" timestamp="true"/>
>       <!-- Because this Realm is here, an instance will be shared globally.
>            It authenticates against the UserDatabase resource declared under
>            GlobalNamingResources.
>            NOTE(review): no digest attribute is set, so the stored passwords
>            are presumably compared as plain text; confirm against
>            conf/tomcat-users.xml. -->
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>              debug="0" resourceName="UserDatabase"/>
>       <!-- Define the default virtual host -->
>       <Host name="localhost" debug="0" appBase="webapps" 
>             unpackWARs="true" autoDeploy="true">
>
>         <!-- Logger shared by all Contexts related to this virtual host. -->
>         <Logger className="org.apache.catalina.logger.FileLogger"
>                 directory="logs" prefix="localhost_" suffix=".log"
>                 timestamp="true"/>
>
>         <!-- Allow symlinks for the tomcat-docs webapp. This is required in
>       the Debian packages to make the Servlet/JSP API docs work.
>       NOTE(review): allowLinking="true" is also set on the ROOT and /vorlab
>       contexts below. It lets a context follow symlinks that point outside
>       its docBase, so keep it only on the contexts that need it. -->
>          <Context path="/tomcat-docs" docBase="tomcat-docs" debug="0">
>             <Resources className="org.apache.naming.resources.FileDirContext"
>                        allowLinking="true" />
>          </Context>
>          <Context path="" docBase="ROOT" debug="0">
>             <Resources className="org.apache.naming.resources.FileDirContext"
>                        allowLinking="true" />
>          </Context>
> <Context className="org.apache.catalina.core.StandardContext" allowLinking="true" backgroundProcessorDelay="-1" cachingAllowed="true" charsetMapperClass="org.apache.catalina.util.CharsetMapper"  cookies="true" crossContext="false" debug="0" docBase="/projects/vorl" domain="Catalina" engineName="Catalina" j2EEApplication="none" j2EEServer="none" lazy="true" managerChecksFrequency="6" path="/vorlab" privileged="false" reloadable="false" startupTime="0" swallowOutput="false" tldScanTime="0" useNaming="true" wrapperClass="org.apache.catalina.core.StandardWrapper">
> <Resources className="org.apache.naming.resources.FileDirContext" allowLinking="true"/>
> <Resource name="jdbc/MYSQLDB"
>                auth="Container"
>                type="javax.sql.DataSource"/>
>   <ResourceParams name="jdbc/MYSQLDB">
>     <parameter>
>       <name>factory</name>
>       <value>org.apache.commons.dbcp.BasicDataSourceFactory</value>
>     </parameter>
>     <!-- Class name for mm.mysql JDBC driver -->
>     <parameter>
>        <name>driverClassName</name>
>        <value>com.mysql.jdbc.Driver</value>
>     </parameter>
>     <parameter>
>       <name>url</name>
>       <value>jdbc:mysql://localhost/vorlab?autoReconnect=true&amp;zeroDateTimeBehavior=convertToNull&amp;jdbcCompliantTruncation=false</value>
>     </parameter>
>   </ResourceParams></Context>
>       </Host>
>     </Engine>
>   </Service>
> </Server>
>
> Here is the relevant web.xml:
>
>  <?xml version="1.0" encoding="ISO-8859-1" ?> 
> - <web-app>
>   <display-name>VORLAB</display-name> 
>   <description>WebSite</description> <!-- Deployment descriptor for the VORLAB webapp, as pasted from a browser
>        XML view: the leading "-" marks are not part of the file, and the
>        opening servlet tag before logconfig and the opening servlet-mapping
>        tag before its mapping appear to have been lost in the paste. -->
> - <resource-ref>
>   <description>DB Connection</description> 
>   <res-ref-name>jdbc/MYSQLDB</res-ref-name> 
>   <res-type>javax.sql.DataSource</res-type> 
>   <res-auth>Container</res-auth> 
>   </resource-ref>
> - <servlet>
>   <servlet-name>dblist</servlet-name> 
>   <display-name>The work-horse servlet</display-name> 
>   <description>The work-horse servlet</description> 
>   <servlet-class>biotree.http.HttpList</servlet-class> 
> - <init-param>
>   <param-name>propFile</param-name> 
>   <param-value>access.properties</param-value> 
>   </init-param>
>   </servlet>
>   <servlet-name>logconfig</servlet-name> 
>   <display-name>The logging servlet</display-name> 
>   <description>The logging servlet</description> 
>   <servlet-class>LogServlet</servlet-class> 
>   <load-on-startup>1</load-on-startup> 
>   </servlet>
> - <servlet-mapping>
>   <servlet-name>dblist</servlet-name> 
>   <url-pattern>/dblist</url-pattern> 
>   </servlet-mapping>
> -   <servlet-name>logconfig</servlet-name> 
>   <url-pattern>/logconfig</url-pattern> 
>   </servlet-mapping>
> -  <security-constraint>
> - <web-resource-collection>
>   <web-resource-name>test</web-resource-name> 
>   <url-pattern>*</url-pattern> <!-- NOTE(review): the pattern is shown as "*"; the servlet
>        specification's match-everything form is "/*". Confirm what the
>        deployed file holds, because the constraint protects only the paths
>        this pattern matches. -->
>   </web-resource-collection>
> - <auth-constraint>
>   <role-name>provider</role-name> 
>   </auth-constraint><!-- Only the "provider" role may reach the constrained resources.
>        NOTE(review): no user-data-constraint follows, so nothing in this
>        descriptor requires a confidential transport for the login POST. -->
>   </security-constraint>
> - <login-config>
>   <auth-method>FORM</auth-method> 
>   <realm-name>JDBCRealm</realm-name> 
> - <form-login-config>
>   <form-login-page>/login.html</form-login-page> 
>   <form-error-page>/error.html</form-error-page> 
>   </form-login-config>
>   </login-config>
>   </web-app>
>
>
> Thanks for your input,
> Terry 
>
>
>   


-- 


Filip Hanik

