Noel J. Bergman wrote:
>Paul,
>
>>Perhaps passwords should not be echoed to the log.
>
>LOL No kidding. :-) My initial thought was to alert *current* users of the
>potential problem, and advise them of steps they could take immediately.
>
>The code can be changed. As it stands, logging is at a point where it is
>just echoing back the command entered:
>
>    private boolean parseCommand(String commandRaw) {
>        if (commandRaw == null) return false;
>        getLogger().info("Command received: " + commandRaw);
>        ...
>
>We haven't gotten to the code that does the parsing, so we don't yet know
>that the line IS a password.
>
Ahhh, OK :-)
Well, either way, the user community must believe that JAMES will never
journal/log passwords, or they'll depart to other servers.
>
>I can move the log statement to after we parse out the verb. FWIW, I also
>believe that this should be DEBUG, not INFO.
>
>Anyone object to these changes?
>
There is some wisdom that user ids should not be logged on failure of
auth, as they might have been transposed with passwords by a hapless
user. Of course, if there are, say, 5 attempts with the same user id (and
failing), then it is evidence of hacking and thus should be logged.
-ph
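The two points raised in this thread, as an added example that is not JAMES code: log the verb only after it has been parsed out (masking the argument of credential-bearing verbs), and withhold the user id on an authentication failure until repeated failures for that id make it worth recording. The verb names PASS and AUTH, the threshold of 5 and the sample inputs are assumptions for the example.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Example code, not part of JAMES: log verbs safely and defer user ids on auth failure.
public class SafeCommandLog {
    // Assumed verbs whose argument carries a credential (POP3 PASS, SMTP/IMAP AUTH).
    // Caveat: continuation lines of a multi-step AUTH carry no verb at all and need a
    // per-session "expecting credential" flag before being logged (not shown here).
    private static final Set<String> SECRET_VERBS = Set.of("PASS", "AUTH");
    private static final int FAILURE_THRESHOLD = 5; // "say 5 attempts" from the thread

    private final Map<String, Integer> failuresByUser = new HashMap<>();

    // Returns the line that may go to the log, or null when there is nothing to log.
    // The verb is parsed first, so the decision to mask is made before the argument is used.
    public static String describeCommand(String commandRaw) {
        if (commandRaw == null) return null;
        String trimmed = commandRaw.trim();
        if (trimmed.isEmpty()) return null;
        int space = trimmed.indexOf(' ');
        String verb = (space < 0 ? trimmed : trimmed.substring(0, space)).toUpperCase(Locale.ROOT);
        if (space < 0) return "Command received: " + verb;
        if (SECRET_VERBS.contains(verb)) return "Command received: " + verb + " ****";
        return "Command received: " + verb + " " + trimmed.substring(space + 1).trim();
    }

    // Records one failed authentication for a user id and returns the line to log.
    // Below the threshold the id is withheld, in case the user typed the password in its place.
    public String recordAuthFailure(String userId) {
        int count = failuresByUser.merge(userId, 1, Integer::sum);
        if (count < FAILURE_THRESHOLD) return "Authentication failed";
        return "Authentication failed " + count + " times for user " + userId;
    }

    public static void main(String[] args) {
        // Constructed sample input; "s3cret" stands in for a real password.
        System.out.println(describeCommand("USER alice"));
        System.out.println(describeCommand("PASS s3cret")); // the secret never reaches the log
        SafeCommandLog log = new SafeCommandLog();
        for (int i = 0; i < FAILURE_THRESHOLD; i++) {
            System.out.println(log.recordAuthFailure("alice")); // id appears only on the 5th line
        }
    }
}
```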