Posted to users@tomcat.apache.org by jithu mada <ji...@gmail.com> on 2009/04/22 23:42:28 UTC

Fwd: username/password being logged in clear text

---------- Forwarded message ----------
From: jithu mada <ji...@gmail.com>
Date: Wed, Apr 22, 2009 at 5:38 PM
Subject: username/password being logged in clear text
To: users@tomcat.apache.org


Hi,

We are using Tomcat 5.0.27. Whenever the user logs in using GET or POST request
his/her username and password are being logged in clear text in the
localhost access logs. It has become a security issue as anyone with an
account to the system can browse through the logs and find out the username
and password of the users.

So I was going through the documentation to find if there is any attribute
which controls this behavior and we can prevent it from being printed in the
log file but I couldn't find one.

And I am using org.apache.catalina.logger.FileLogger as the Logger class.

I would really appreciate it if you can help me out here.

thanks
Jitender

Re: Fwd: username/password being logged in clear text

Posted by Steven Yates <st...@springsource.com>.
Jithu, I would be inclined to confirm whether your deployment is 
utilising System.out, System.err or a logging API to print your incoming 
FORM request attributes.

RGS SY

Filip Hanik - Dev Lists wrote:
> Tomcat doesn't print any usernames or passwords to any logfiles.
> So most likely, your application is what is causing it.
>
> Filip
>
> jithu mada wrote:
>   
>> ---------- Forwarded message ----------
>> From: jithu mada <ji...@gmail.com>
>> Date: Wed, Apr 22, 2009 at 5:38 PM
>> Subject: username/password being logged in clear text
>> To: users@tomcat.apache.org
>>
>>
>> Hi,
>>
>> We are using Tomcat 5.0.27. Whenever the user logs in using GET or POST request
>> his/her username and password are being logged in clear text in the
>> localhost access logs. It has become a security issue as anyone with an
>> account to the system can browse through the logs and find out the username
>> and password of the users.
>>
>> So I was going through the documentation to find if there is any attribute
>> which controls this behavior and we can prevent it from being printed in the
>> log file but I couldn't find one.
>>
>> And I am using org.apache.catalina.logger.FileLogger as the Logger class.
>>
>> I would really appreciate it if you can help me out here.
>>
>> thanks
>> Jitender
>>
>>   
>>     
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>   



Re: Fwd: username/password being logged in clear text

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
Tomcat doesn't print any usernames or passwords to any logfiles.
So most likely, your application is what is causing it.

Filip

jithu mada wrote:
> ---------- Forwarded message ----------
> From: jithu mada <ji...@gmail.com>
> Date: Wed, Apr 22, 2009 at 5:38 PM
> Subject: username/password being logged in clear text
> To: users@tomcat.apache.org
>
>
> Hi,
>
> We are using Tomcat 5.0.27. Whenever the user logs in using GET or POST request
> his/her username and password are being logged in clear text in the
> localhost access logs. It has become a security issue as anyone with an
> account to the system can browse through the logs and find out the username
> and password of the users.
>
> So I was going through the documentation to find if there is any attribute
> which controls this behavior and we can prevent it from being printed in the
> log file but I couldn't find one.
>
> And I am using org.apache.catalina.logger.FileLogger as the Logger class.
>
> I would really appreciate it if you can help me out here.
>
> thanks
> Jitender
>
>   
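
An added example, not part of the original thread and not Tomcat code: a log audit that finds access-log lines where a password arrived as a query-string parameter and rewrites them with the value redacted. It assumes common-log-format lines with a quoted request line; the parameter names and the sample lines are constructed for illustration. A POST body does not appear in the request line, so a password that shows up after a POST was written by some other logging call.

```python
import re
from urllib.parse import unquote_plus

# Parameter names treated as credentials (assumed; extend for your application).
SENSITIVE = {"password", "passwd", "pwd", "j_password"}

# Quoted request line of a common-log-format entry: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample lines (not taken from the thread).
SAMPLE = [
    '192.0.2.10 - - [22/Apr/2009:17:30:01 -0400] "GET /app/login?username=alice&password=s3cret HTTP/1.1" 200 512',
    '192.0.2.11 - - [22/Apr/2009:17:30:05 -0400] "POST /app/login HTTP/1.1" 302 -',
    '192.0.2.12 - - [22/Apr/2009:17:30:09 -0400] "GET /app/home?tab=2 HTTP/1.1" 200 2048',
]

def redact_target(target):
    """Return (target with sensitive values replaced, names that were redacted)."""
    path, sep, query = target.partition("?")
    hits, pieces = [], []
    for piece in query.split("&"):
        name, eq, _value = piece.partition("=")
        if unquote_plus(name).lower() in SENSITIVE:
            hits.append(unquote_plus(name))
            piece = name + eq + "REDACTED"
        pieces.append(piece)  # other parameters are kept byte-for-byte
    return path + sep + "&".join(pieces), hits

def scrub_line(line):
    """Return (line safe to keep, redacted parameter names) for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    target, hits = redact_target(m.group("target"))
    return line[:m.start("target")] + target + line[m.end("target"):], hits

def audit(lines):
    """List (1-based line number, parameter names) for every line that leaked."""
    findings = []
    for number, line in enumerate(lines, 1):
        _, hits = scrub_line(line)
        if hits:
            findings.append((number, hits))
    return findings

if __name__ == "__main__":
    for entry in SAMPLE:
        print(scrub_line(entry)[0])
    print(audit(SAMPLE))
```

Redacting the file after the fact does not undo the exposure: passwords found this way should be reset, and the login form changed so credentials are not sent in the URL.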

