>
> How is Tomcat meant to determine that data in the URL is a password and
> needs to be filtered?
>
>> I imagine there are all sorts of places that (rightfully) have
>> policies against storing a clear text password anywhere.
>
> The only reason you are seeing the password in the access logs appe
Dan Armbrust wrote:
> Sounds like a good enhancement request to me. It's certainly
> reasonable that one should be able to ask Tomcat to never ever log a
> password in clear text. In fact, it seems like that should be the
> default setting.
How is Tomcat meant to determine that data in the URL i
Sounds like a good enhancement request to me. It's certainly
reasonable that one should be able to ask Tomcat to never ever log a
password in clear text. In fact, it seems like that should be the
default setting.
I imagine there are all sorts of places that (rightfully) have
policies against sto
> From: jithu mada [mailto:jithu.m...@gmail.com]
> Subject: Re: Avoiding username/password being logged into localhost
> access logs
>
> It's only accessible to few users.
>
> But the user wants the username and password to be obscured.
Then you'll need to extend the e
jithu mada wrote:
[...]
The only way I can see for the userid and password to be visible in an
access log, is if they are part of the URL (actually, of the query
string) and unencoded.
Which would mean that this is a form-based authentication, with either
no method attribute in the tag, or met
wrote:
> > From: Tom-cat [mailto:jithu.m...@gmail.com]
> > Subject: Avoiding username/password being logged into localhost access
> > logs
> >
> > We are using Tomcat 5.0.27.
>
> No longer supported.
>
> > It has become a security issue as anyone with an
>
> From: Tom-cat [mailto:jithu.m...@gmail.com]
> Subject: Avoiding username/password being logged into localhost access
> logs
>
> We are using Tomcat 5.0.27.
No longer supported.
> It has become a security issue as anyone with an
> account to the system can browse throug
Any replies greatly appreciated.
--
View this message in context:
http://www.nabble.com/Avoiding-username-password-being-logged-into-localhost-access-logs-tp23176286p23176286.html
Sent from the Tomcat - User mailing list archive at Nabbl