Those log statements are logged by the MINA logging filter and there's not much we can do about that one (expect for not including in the default setup). We could roll our own logging filter that takes out the password. Please file a JIRA ticket and I'll take care of it.
/niklas On Thu, Mar 27, 2008 at 6:50 PM, Abramovich, Dan <[EMAIL PROTECTED]> wrote: > Hi, > > > > I'd like to make a suggestion that passwords not be logged in clear > text. For example: > > > > Thu Mar 27 2008 00:06:08,762 EDT INFO > org.apache.ftpserver.listener.mina.MinaFtpProtocolHandler - > [/10.6.20.226:63995] RECEIVED: PASS admin > > > > We find the protocol logging to be useful, but logging of passwords will > make security folks unhappy. Perhaps, it could just log ******* or > somesuch? > > > > If this is non-controversial I'll be happy to file a bug. > > > > (FYI, we're working on the 1.4 branch while the trunk is under > construction) > > > > Thanks, > > -Dan > >
