[cas-dev] logging passwords...
Scott Battaglia
scott_battaglia at rutgers.edu
Fri Jul 28 07:45:56 EDT 2006
There is a note in the log4j.properties file that states that if you set
Spring log settings to DEBUG then parameters will be logged.
http://developer.ja-sig.org/source/browse/jasig/cas3/webapp/WEB-INF/classes/log4j.properties?r=1.3
If AuthenticationViaForm also does that, then I'll add the same warning
message in the log file for that.
Velpi wrote:
>Hi
>
>AuthenticationViaFormAction is logging passwords when set to DEBUG. It does that
>because it outputs the request parameters.
>It's not really a problem, but it would be best to prevent this somehow in the
>future if possible. In my opinion password mining should not be made easy, even
>for admins...
>
>-- Velpi
>
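An added illustration of the concern raised in this thread (not CAS code and not written by either poster): one way to keep credential values out of DEBUG output is to redact sensitive request parameters before they are formatted for the log. The class name, the list of sensitive parameter names and the sample request are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Hypothetical helper: builds a log-safe view of request parameters. */
public final class LogSafeParameters {

    // Assumed list of sensitive parameter names; extend it for your own forms.
    private static final Set<String> SENSITIVE = new HashSet<>(
            Arrays.asList("password", "passwd", "pwd", "secret", "token"));

    private static final String MASK = "[REDACTED]";

    private LogSafeParameters() { }

    /** Copies a map shaped like ServletRequest.getParameterMap(), masking sensitive values. */
    public static Map<String, String> redact(Map<String, String[]> params) {
        Map<String, String> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            String name = e.getKey();
            String[] values = e.getValue() == null ? new String[0] : e.getValue();
            if (SENSITIVE.contains(name.toLowerCase(Locale.ROOT))) {
                // Record that the field was submitted and how many times,
                // but never the value or its length.
                safe.put(name, MASK + " x" + values.length);
            } else {
                safe.put(name, Arrays.toString(values));
            }
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample of a login form post.
        Map<String, String[]> request = new LinkedHashMap<>();
        request.put("username", new String[] {"jdoe"});
        request.put("password", new String[] {"constructed-sample-value"});
        request.put("service", new String[] {"https://app.example.org/"});
        // Log this map at DEBUG instead of the raw request parameters.
        System.out.println("Request parameters: " + redact(request));
    }
}
```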