http://issues.apache.org/bugzilla/show_bug.cgi?id=33187

------- Additional Comments From [EMAIL PROTECTED] 2005-01-21 07:18 -------

I think it would be better simply to snip the offending logging lines entirely. If somebody needs to debug a LoginModule password issue, it could be done inside the LoginModule as a hack (since it's probably a custom code module anyway) instead of in the callback handler.

A quick skim of the JDBC and JNDI realm implementations shows that those classes don't log passwords, so JAASRealm probably shouldn't either. Therefore, there is a second line---in the class constructor for JAASCallbackHandler---that should also be snipped:

    if (log.isDebugEnabled()) {
        log.debug(sm.getString("jaasCallback.digestpassword", password, this.password));
    }

As for the claim that "Tomcat's security record is impeccable" --- well, I don't know who wrote that text. It is a foolish thing to boast publicly, IMO. Tomcat's record is pretty good, just not impeccable.
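The following is an added example, not part of the original message and not Tomcat code: a JAAS callback handler whose debug output never includes the password, with a check that captures every log record and fails if the credential appears. The class name `QuietCallbackHandler`, the user `alice`, and the sample password are hypothetical, and `java.util.logging` stands in for the logging API Tomcat uses.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.*;
import javax.security.auth.callback.*;

// Hypothetical handler for illustration; not Tomcat's JAASCallbackHandler.
public class QuietCallbackHandler implements CallbackHandler {
    static final Logger log = Logger.getLogger("QuietCallbackHandler");
    private final String username;
    private final char[] password;

    QuietCallbackHandler(String username, char[] password) {
        this.username = username;
        this.password = password.clone();
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);
                // Debug output records the event and the user, never the credential.
                log.fine("password callback answered for user " + username);
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    // Regression check: capture every record at Level.ALL and fail if the password appears.
    public static void main(String[] args) throws Exception {
        String secret = "constructed-sample-password"; // constructed test value
        List<String> captured = new ArrayList<>();
        log.setLevel(Level.ALL);
        log.addHandler(new Handler() {
            @Override public void publish(LogRecord r) { captured.add(r.getMessage()); }
            @Override public void flush() { }
            @Override public void close() { }
        });
        new QuietCallbackHandler("alice", secret.toCharArray()).handle(
            new Callback[] { new NameCallback("user: "), new PasswordCallback("password: ", false) });
        for (String line : captured) {
            if (line.contains(secret)) throw new AssertionError("password logged: " + line);
        }
        System.out.println(captured.size() + " debug record(s) captured, none contain the password");
    }
}
```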