[cas-dev] CAS 3.0.6 Debug Log Level Shows Cleartext Passwords

Jason Shao jayshao at rutgers.edu
Tue Feb 20 12:32:21 EST 2007


Scott Battaglia wrote:
> Marvin,
>
> We do include a statement about the passwords:
> # WARNING: Setting the org.springframework logger to DEBUG displays debug information about
> # the request parameter values being bound to the command objects.  This could expose your
> # password in the log file.  If you are sharing your log files, it is recommended you selectively
> # apply DEBUG level logging on an org.springframework.* package level (i.e. org.springframework.dao)
>
> Is this not sufficient?
>   
Should maybe a password hash or something else be the default string 
representation of password fields? With maybe an explicit 
.getAsClearText() or some such method for if you do need to access the 
actual value? Or is that too high a burden for development and support?

Jason

-- 

Jason Shao
Application Developer, Architecture & Engineering Team
Rutgers University - Enterprise Systems & Services
v. 732-445-2869 | f. 732-445-5493 | jayshao at rutgers.edu
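The pattern Jason sketches above, as an added example that is not CAS code and not from either poster: a password value type whose default `toString()` returns a constant mask, with an explicit `getAsClearText()` accessor for the one place that really needs the secret. The `Password`, `LoginCommand` and `describeBinding` names are assumptions; `describeBinding` only imitates what a DEBUG line from a data binder looks like when it stringifies a bound value. Binding a request parameter into a custom type like this in Spring would additionally need a registered PropertyEditor, which is left out here. The example uses a fixed mask rather than a hash of the password, since a hash of a low-entropy password written to a shared log can be cracked offline, which defeats the purpose.

```java
import java.util.Arrays;

// Added example, not CAS code: a value type whose default string form never
// exposes the secret, with an explicit accessor for code that truly needs it.
final class Password {
    private final char[] value;

    Password(char[] value) {
        this.value = value.clone();
    }

    /** The only way to reach the cleartext; easy to grep for in code review. */
    char[] getAsClearText() {
        return value.clone();
    }

    /** Overwrite the stored copy once authentication has used it. */
    void clear() {
        Arrays.fill(value, '\0');
    }

    /** What DEBUG binding output, string concatenation and debuggers will show. */
    @Override
    public String toString() {
        return "[PROTECTED]";
    }
}

/** Hypothetical command object, as a data binder would populate it. */
final class LoginCommand {
    private String username;
    private Password password;

    String getUsername() { return username; }
    void setUsername(String username) { this.username = username; }
    Password getPassword() { return password; }
    void setPassword(Password password) { this.password = password; }
}

public final class PasswordMaskingDemo {
    /** Imitates a binder's DEBUG line: it stringifies whatever value was bound. */
    static String describeBinding(String property, Object boundValue) {
        return "Bound property '" + property + "' = " + String.valueOf(boundValue);
    }

    public static void main(String[] args) {
        // Constructed sample input, standing in for request parameters.
        String rawUsername = "alice";
        char[] rawPassword = "correct horse battery staple".toCharArray();

        // Before: the bound value is a plain String, so the DEBUG line prints it.
        System.out.println(describeBinding("password", new String(rawPassword)));

        // After: the bound value is a Password, so the same line prints the mask.
        LoginCommand cmd = new LoginCommand();
        cmd.setUsername(rawUsername);
        cmd.setPassword(new Password(rawPassword));
        System.out.println(describeBinding("username", cmd.getUsername()));
        System.out.println(describeBinding("password", cmd.getPassword()));

        // Authentication code has to ask for the cleartext explicitly.
        char[] clear = cmd.getPassword().getAsClearText();
        boolean ok = Arrays.equals(clear, "correct horse battery staple".toCharArray());
        System.out.println("authenticated = " + ok);

        // Wipe both copies once the comparison is done.
        Arrays.fill(clear, '\0');
        cmd.getPassword().clear();
        Arrays.fill(rawPassword, '\0');
    }
}
```

Running the class prints the cleartext only for the "before" line; the two lines produced from `LoginCommand` show the username and `[PROTECTED]`. The cost Jason asks about is visible in the last block: every consumer of the password has to call `getAsClearText()` and take responsibility for wiping the copy, which is exactly the trade-off between masking by default and developer convenience.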


