1) The debug should not be turned up that high.
2) If it's a production box, file permissions as well as people able to log into the box should be trusted.
-Tim
Yann GUEVEL wrote:
Hi,
if the debug level is > 3, the org.apache.catalina.realm.JAASCallbackHandler.handle method writes in the log file the login and password it received (Tomcat 4.1.29 JAASCallbackHandler.java, line 155). So any people who can access the machine on which Tomcat is running can see all the login and passwords used. Isn't this unsafe? Shouldn't this log be removed?
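An added example, not part of either message in this thread and not Tomcat project code: a small audit that walks a server.xml and reports every component whose `debug` attribute is above the level 3 mentioned above, or is not a number. It assumes the debug level is set through `debug` attributes in server.xml; the sample configuration, `THRESHOLD` and `audit_debug_levels` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat 4.1-style server.xml (not from the thread).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Realm className="org.apache.catalina.realm.JAASRealm"
             appName="constructed-app" debug="4"/>
      <Host name="localhost" debug="99" appBase="webapps">
        <Context path="/demo" docBase="demo" debug="verbose"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

THRESHOLD = 3  # the thread reports credential logging when debug > 3


def audit_debug_levels(xml_text, threshold=THRESHOLD):
    """Return (path, className, debug, reason) for every element whose
    debug attribute exceeds the threshold or is not an integer."""
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        raw = elem.get("debug")
        if raw is not None:
            try:
                level = int(raw.strip())
            except ValueError:
                # An unparseable level is reported rather than silently skipped.
                findings.append((here, elem.get("className"), raw, "non-numeric"))
            else:
                if level > threshold:
                    findings.append((here, elem.get("className"), raw, "too-high"))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings


if __name__ == "__main__":
    for path, cls, raw, reason in audit_debug_levels(SAMPLE_SERVER_XML):
        print(f"{reason}: {path} className={cls} debug={raw}")
```

Findings on `Realm` elements are the ones that matter for the credential logging discussed here; the other components are reported so that a high level set elsewhere is not missed.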
