Re: HOWTO remove username/password from logging to tomcat logs

[Terry Orechia]

Do you know what version of tomcat this was fixed in?
Thanks,
----- Original Message ----- 
From: "Filip Hanik - Dev Lists" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Friday, May 26, 2006 10:12 PM
Subject: Re: HOWTO remove username/password from logging to tomcat logs


this is JK/AJP connector, and it sucks, cause you can't remove it. later
versions of tomcat its only logging this under debug.


Filip

Terry Orechia wrote:
 How do I control the logging of username/password in tomcat logs when a 
user logs into the tomcat website. There are no logging statements  in  my 
servlet  to print this data and there is no code to catch the login 
request . Each time a user logs into the website , the username and 
password are logged.     I am running tomcat 4.1 on debian with 
Tomcat/Apache JK2 Connector and log4j.     I am using  .Form Based 
Authentication using Memory Realm via tomcat-users.xml file.   I have also 
noticed that when I upload a file  using multipart/form data on http Post 
request to servlet, the complete contents of the file gets logged in the 
tomcat logs in the same way.   The log entry looks lilke a dump of the 
http data.   I have been googling the Internet trying to solve this one 
and looking through the tomcat docs but cannot find any place where the 
logging level controls this data in http content from dumping to the 
tomcat logs.   Any ideas would be appreciated.


Here is the contents of the statement I am trying to remove in my 
catalina.log that appears when I login as username "demo" and password 
"dddd".
---
12 34 00 21 00 1f 6a 5f 75 73 65 72 6e 61 6d 65  | .4.!..j_username
3d 64 65 6d 6f 26 6a 5f 70 61 73 73 77 6f 72 64  | =demo&j_password
3d 64 64 64 64                                   | =dddd

--

Here is the server.xml for 4.1 Debian, vorlab is the context:
  <server port ="8005" shutdown="SHUTDOWN " debug="0"/> <!-- Uncomment 
these entries to enable JMX MBeans support -->
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
            debug="0"/>
  <Listener 
className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
            debug="0"/>

  <!-- Global JNDI resources -->
  <GlobalNamingResources>

    <!-- Test entry for demonstration purposes -->
    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>

    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
       description="User database that can be updated and saved">
    </Resource>
    <ResourceParams name="UserDatabase">
      <parameter>
        <name>factory</name>
        <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
      </parameter>
      <parameter>
        <name>pathname</name>
        <value>conf/tomcat-users.xml</value>
      </parameter>
    </ResourceParams>

  </GlobalNamingResources>

  <!-- Define the Tomcat Stand-Alone Service -->
  <Service name="Tomcat-Standalone">

    <!-- A "Connector" represents an endpoint by which requests are 
received
         and responses are returned.  Each Connector passes requests on to 
the
         associated "Container" (normally an Engine) for processing.
    -->

    <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8180" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="10" debug="0"
               connectionTimeout="20000" useURIValidationHack="false" />
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8080" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="10" debug="0"
               connectionTimeout="20000" useURIValidationHack="false" />

    <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8009" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="10" debug="0"
               connectionTimeout="20000" useURIValidationHack="false"

protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>

    <!-- An Engine represents the entry point (within Catalina) that 
processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes 
them
         on to the appropriate Host (virtual host). -->

    <!-- Define the top level container in our container hierarchy -->
    <Engine name="Standalone" defaultHost="localhost" debug="0">

      <!-- Global logger unless overridden at lower levels -->
      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="catalina_" suffix=".log" timestamp="true"/>
      <!-- Because this Realm is here, an instance will be shared 
globally -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             debug="0" resourceName="UserDatabase"/>
      <!-- Define the default virtual host -->
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" 
autoDeploy="true">

        <!-- Logger shared by all Contexts related to this virtual 
host. -->
        <Logger className="org.apache.catalina.logger.FileLogger"
                directory="logs" prefix="localhost_" suffix=".log"
                timestamp="true"/>

        <!-- Allow symlinks for the tomcat-docs webapp. This is required 
in
      the Debian packages to make the Servlet/JSP API docs work. -->
         <Context path="/tomcat-docs" docBase="tomcat-docs" debug="0">
            <Resources 
className="org.apache.naming.resources.FileDirContext"
                       allowLinking="true" />
         </Context>
         <Context path="" docBase="ROOT" debug="0">
            <Resources 
className="org.apache.naming.resources.FileDirContext"
                       allowLinking="true" />
         </Context>
<Context className="org.apache.catalina.core.StandardContext" 
allowLinking="true" backgroundProcessorDelay="-1" cachingAllowed="true" 
charsetMapperClass="org.apache.catalina.util.CharsetMapper" 
cookies="true" crossContext="false" debug="0" docBase="/projects/vorl" 
domain="Catalina" engineName="Catalina" j2EEApplication="none" 
j2EEServer="none" lazy="true" managerChecksFrequency="6" path="/vorlab" 
privileged="false" reloadable="false" startupTime="0" 
swallowOutput="false" tldScanTime="0" useNaming="true" 
wrapperClass="org.apache.catalina.core.StandardWrapper">
<Resources className="org.apache.naming.resources.FileDirContext" 
allowLinking="true"/>
<Resource name="jdbc/MYSQLDB"
               auth="Container"
               type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/MYSQLDB">
    <parameter>
      <name>factory</name>
      <value>org.apache.commons.dbcp.BasicDataSourceFactory</value>
    </parameter>
    <!-- Class name for mm.mysql JDBC driver -->
    <parameter>
       <name>driverClassName</name>
       <value>com.mysql.jdbc.Driver</value>
    </parameter>
    <parameter>
      <name>url</name>

<value>jdbc:mysql://localhost/vorlab?autoReconnect=true&amp;zeroDateTimeBehavior=convertToNull&amp;jdbcCompliantTruncation=false</value>
    </parameter>
  </ResourceParams></Context>
      </Host>
    </Engine>
  </Service>
</Server>

Here is the relevant web.xml:

 <?xml version="1.0" encoding="ISO-8859-1" ?> - <web-app>
  <display-name>VORLAB</display-name> <description>WebSite</description> - 
<resource-ref>
  <description>DB Connection</description> 
<res-ref-name>jdbc/MYSQLDB</res-ref-name> 
<res-type>javax.sql.DataSource</res-type> <res-auth>Container</res-auth> 
</resource-ref>
- <servlet>
  <servlet-name>dblist</servlet-name> <display-name>The work-horse 
servlet</display-name> <description>The work-horse servlet</description> 
<servlet-class>biotree.http.HttpList</servlet-class> - <init-param>
  <param-name>propFile</param-name> 
<param-value>access.properties</param-value> </init-param>
  </servlet>
  <servlet-name>logconfig</servlet-name> <display-name>The logging 
servlet</display-name> <description>The logging servlet</description> 
<servlet-class>LogServlet</servlet-class> 
<load-on-startup>1</load-on-startup> </servlet>
- <servlet-mapping>
  <servlet-name>dblist</servlet-name> <url-pattern>/dblist</url-pattern> 
</servlet-mapping>
-   <servlet-name>logconfig</servlet-name> 
<url-pattern>/logconfig</url-pattern> </servlet-mapping>
-  <security-constraint>
- <web-resource-collection>
  <web-resource-name>test</web-resource-name> <url-pattern>*</url-pattern> 
</web-resource-collection>
- <auth-constraint>
  <role-name>provider</role-name> </auth-constraint>
  </security-constraint>
- <login-config>
  <auth-method>FORM</auth-method> <realm-name>JDBCRealm</realm-name> - 
<form-login-config>
  <form-login-page>/login.html</form-login-page> 
<form-error-page>/error.html</form-error-page> </form-login-config>
  </login-config>
  </web-app>


Thanks for your input,
Terry

  ------------------------------------------------------------------------

No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.7.1/347 - Release Date: 5/24/2006



--


Filip Hanik


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]