[cas-dev] CAS 3.0.6 Debug Log Level Shows Cleartext Passwords
Scott Battaglia
scott.battaglia at gmail.com
Tue Feb 20 13:24:25 EST 2007
It's not anything CAS related. It's request parameters being displayed by
Spring.
-Scott
On 2/20/07, Jason Shao <jayshao at rutgers.edu> wrote:
>
> Scott Battaglia wrote:
> > Marvin,
> >
> > We do include a statement about the passwords:
> > # WARNING: Setting the org.springframework logger to DEBUG displays debug information about
> > # the request parameter values being bound to the command objects. This could expose your
> > # password in the log file. If you are sharing your log files, it is recommend you selectively
> > # apply DEBUG level logging on a an org.springframework.* package level (i.e. org.springframework.dao)
> >
> > Is this not sufficient?
> >
> Should maybe a password hash or something else be the default string
> representation of password fields? With maybe an explicit
> .getAsClearText() or some such method for if you do need to access the
> actual value? Or is that too high a burden for development and support?
>
> Jason
>
> --
>
> Jason Shao
> Application Developer, Architecture & Engineering Team
> Rutgers University - Enterprise Systems & Services
> v. 732-445-2869 | f. 732-445-5493 | jayshao at rutgers.edu
>
>
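The selective logging that the quoted warning recommends, written out as an added example that is not part of the original messages or of the CAS distribution. It assumes log4j 1.x properties syntax; the appender name and pattern are constructed for illustration.

```properties
# Constructed example configuration (log4j 1.x properties syntax assumed).
log4j.rootLogger=WARN, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - %m%n

# Weak: DEBUG on the whole org.springframework tree. Per the warning quoted
# above, this logs the request parameter values being bound to command
# objects, which can include the submitted password.
#log4j.logger.org.springframework=DEBUG

# Corrected: keep the Spring tree at INFO and enable DEBUG only on the
# package under investigation (org.springframework.dao is the package the
# warning itself names).
log4j.logger.org.springframework=INFO
log4j.logger.org.springframework.dao=DEBUG
```

Before sharing a log captured at DEBUG, search it for the password of a test account used during the capture to confirm nothing was bound and logged.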