Since CAS uses Log4J, you should configure a separate appender for DEBUG level information. It wouldn't hurt to set a threshold of INFO for all other appenders to prevent debug data being leaked into logs that need to be preserved.
Andrew Feller
12901 Jefferson Hwy #821
Baton Rouge, LA 70816
[email protected]
(225) 802-6868

On Mon, Sep 14, 2009 at 8:24 PM, Scott Battaglia <[email protected]> wrote:

> I think you've answered your own question. :-) Either don't log at DEBUG
> level (which isn't recommended anyway) or change the logging for those two
> items to something higher (i.e. WARN or ERROR). They're not actually
> logging passwords. Classes that they either extend or use log
> HttpServletRequest parameters at runtime (of which one happens to be a
> password).
>
> On Mon, Sep 14, 2009 at 9:09 PM, tedzo <[email protected]> wrote:
>
>> Hello all,
>> It seems that the user typed password is logged by the following 2 classes
>> in debug mode- restlet.TicketResource and flow.AuthenticationViaFormAction.
>> Is there a way to turn off password logging in debug mode? Our app fails the
>> security group tests due to the passwords being visible in the logs....
>>
>> Thanks for your time.
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
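
The appender split suggested in this thread, written out as a Log4J 1.x properties file. This is an added example, not part of the original messages and not CAS's shipped configuration; the appender names, file paths, sizes and the `<full.package>` placeholder are assumptions.

```properties
# Added example (constructed). Appender names and file paths are assumptions.
#
# Weak setup this replaces: one appender, root at DEBUG, no Threshold.
# Request parameters (including the password) end up in the retained log.
#   log4j.rootLogger=DEBUG, main

# Root stays at DEBUG so troubleshooting output is still produced,
# but each appender decides what it accepts.
log4j.rootLogger=DEBUG, main, debugfile

# Retained log: the Threshold drops everything below INFO at the appender,
# so DEBUG output can never reach this file.
log4j.appender.main=org.apache.log4j.RollingFileAppender
log4j.appender.main.File=logs/cas.log
log4j.appender.main.Threshold=INFO
log4j.appender.main.MaxFileSize=10MB
log4j.appender.main.MaxBackupIndex=10
log4j.appender.main.layout=org.apache.log4j.PatternLayout
log4j.appender.main.layout.ConversionPattern=%d %p [%c] - %m%n

# Separate DEBUG log: small, short-lived, kept out of archiving and shipping.
log4j.appender.debugfile=org.apache.log4j.RollingFileAppender
log4j.appender.debugfile.File=logs/cas-debug.log
log4j.appender.debugfile.Threshold=DEBUG
log4j.appender.debugfile.MaxFileSize=5MB
log4j.appender.debugfile.MaxBackupIndex=1
log4j.appender.debugfile.layout=org.apache.log4j.PatternLayout
log4j.appender.debugfile.layout.ConversionPattern=%d %p [%c] - %m%n

# The other option raised in the thread: raise the two loggers named in the
# question to WARN. The thread gives only partial class names, so
# <full.package> is a placeholder to fill in from your CAS version.
# log4j.logger.<full.package>.restlet.TicketResource=WARN
# log4j.logger.<full.package>.flow.AuthenticationViaFormAction=WARN
```

The debug file still receives whatever the DEBUG statements emit, so it needs the same file permissions and retention limits as any other credential-bearing artifact.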
