I think you've answered your own question. :-)  Either don't log at DEBUG
level (which isn't recommended anyway) or change the logging for those two
items to something higher (i.e. WARN or ERROR).  They're not actually
logging passwords.  Classes that they either extend or use log
HttpServletRequest parameters at runtime (of which one happens to be a
password).




On Mon, Sep 14, 2009 at 9:09 PM, tedzo <[email protected]> wrote:

> Hello all,
> It seems that the user-typed password is logged by the following 2 classes
> in debug mode: restlet.TicketResource and flow.AuthenticationViaFormAction.
> Is there a way to turn off password logging in debug mode? Our app fails the
> security group tests due to the passwords being visible in the logs....
>
> Thanks for your time.
>
> --
> You are currently subscribed to [email protected] as: 
> [email protected]
>
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
