Dan Armbrust wrote: > Sounds like a good enhancement request to me. It's certainly > reasonable that one should be able to ask Tomcat to never ever log a > password in clear text. In fact, it seems like that should be the > default setting.
How is Tomcat meant to determine that data in the URL is a password and needs to be filtered? > I imagine there are all sorts of places that (rightfully) have > policies against storing a clear text password anywhere. The only reason you are seeing the password in the access logs appears to be the fact that the application is including in the URL. No authentication scheme provided by Tomcat does this. This is an application issue (it should be using POST rather than GET) not a Tomcat one. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
