> All I am trying to point out is that you
> should be aware that if you turn debug on, there is a chance that you
> could leave user credential information lying around in log files and
> that might be a less than ideal situation

This is a well-known issue. The log4j.properties file that ships with CAS is very clear that you should not put certain packages in DEBUG without understanding the consequences. I'm echoing relevant parts here for completeness:

    # WARNING: Setting the org.springframework logger to DEBUG displays debug information about
    # the request parameter values being bound to the command objects. This could expose your
    # password in the log file. If you are sharing your log files, it is recommend you selectively
    # apply DEBUG level logging on a an org.springframework.* package level (i.e. org.springframework.dao)
    log4j.logger.org.springframework=WARN
    #log4j.logger.org.springframework.web.servlet.i18n=DEBUG
    #log4j.logger.org.springframework.web.servlet.view=DEBUG
    #log4j.logger.org.quartz=DEBUG
    ...
    log4j.logger.org.jasig=INFO
    # WARNING: Setting the flow package to DEBUG will display
    # the parameters posted to the login servlet including
    # cleartext authentication credentials
    log4j.logger.org.jasig.cas.web.flow=INFO
    #log4j.logger.org.jasig.cas.authentication=DEBUG
    #log4j.logger.org.jasig.cas.web.flow.TicketGrantingTicketCheckAction=DEBUG
    #log4j.logger.org.jasig.cas.services.DefaultServiceRegistry=DEBUG
    #log4j.logger.org.jasig.cas.services=DEBUG

I believe the warnings are pretty clear, and the latter covers the case you cited previously.

M
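An added example, not part of the original message and not CAS code: a small audit that reports when either logger named in the warnings above (`org.springframework`, `org.jasig.cas.web.flow`) ends up at DEBUG or more verbose. It goes one step past the quoted file by resolving log4j 1.x level inheritance, so a DEBUG set on a parent such as `org.jasig` is caught too. The function names and the sample configuration are constructed for illustration.

```python
import re

# Loggers the CAS log4j.properties warnings name as credential-exposing at DEBUG.
SENSITIVE = ("org.springframework", "org.jasig.cas.web.flow")
VERBOSE = {"DEBUG", "TRACE", "ALL"}   # log4j 1.x levels at DEBUG or more verbose
LINE = re.compile(r"^log4j\.(?:(rootLogger|rootCategory)|(?:logger|category)\.([\w.$]+))\s*[=:]\s*(.*)$")

def parse_levels(text):
    """Return {logger_name: LEVEL}; the root logger is stored under ''."""
    levels = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank lines and comments
            continue
        m = LINE.match(line)
        if not m:
            continue
        level = m.group(3).split(",")[0].strip().upper()  # "LEVEL, appender, ..."
        if level and level not in ("INHERITED", "NULL"):
            levels["" if m.group(1) else m.group(2)] = level
    return levels

def effective_level(levels, name):
    """Walk up the dotted hierarchy to the nearest logger with an explicit level."""
    while name:
        if name in levels:
            return name, levels[name]
        name = name.rpartition(".")[0]
    return "(root)", levels.get("", "DEBUG")  # log4j's root logger defaults to DEBUG

def audit(text):
    """List (sensitive_logger, level, source_logger) for each verbose effective level."""
    levels = parse_levels(text)
    findings = []
    for name in SENSITIVE:
        source, level = effective_level(levels, name)
        if level in VERBOSE:
            findings.append((name, level, source))
    return findings

# Constructed sample: Spring pinned at WARN, but org.jasig raised to DEBUG, which
# org.jasig.cas.web.flow inherits because its own line is commented out.
SAMPLE = """\
log4j.rootLogger=ERROR, stdout
log4j.logger.org.springframework=WARN
#log4j.logger.org.jasig.cas.web.flow=INFO
log4j.logger.org.jasig=DEBUG, cas
"""

if __name__ == "__main__":
    for name, level, source in audit(SAMPLE):
        print(f"{name}: effective level {level} (set on {source})")
```

The check only covers the two loggers the shipped warnings call out; a DEBUG line on some other package is not evaluated.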
