how to configure jboss/tomcat to prevent j_password plain text content in log file


Is there a way to configure Jboss/Tomcat to prevent j_password (JAAS) plain text content in log file?

(23:03:24,141 DEBUG [org.apache.tomcat.util.http.Parameters] (http-localhost-127.0.0.1-8080-3) Start processing with input [j_username=username&j_password=123easy]

It may seem like a lot of concern, but even a server admin shouldn't be able to access secret information just by changing a log level.


While I might concur that this is a bug in Tomcat, others might see it as a useful debug feature.

To avoid this output, you should avoid enabling DEBUG for the root logger on a functional server in all cases! Programmatically, this can be achieved by tailoring this to your needs:

        import org.apache.log4j.Level;
        import org.apache.log4j.LogManager;
        LogManager.getLogger("com.myCompanyHere").setLevel(Level.DEBUG);

This enables DEBUG, but only on the classes under your control! In a properties or XML file the same can be accomplished by using your own appenders and setting the levels so that classes not under your control are excluded.


In JBoss EAP 6.4 you can set this in the urn:jboss:domain:logging:1.5 subsystem:

        <logger category="org.apache.coyote.http11">
            <level name="ERROR"/>
        </logger>
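As an added example (not code from the question or either answer), here is a small Python audit that applies what both answers say and what the question worries about: it resolves the effective level of the parameter-dumping Tomcat category from a JBoss logging-subsystem fragment using the usual logger hierarchy (the most specific `<logger category>` with an explicit level wins, otherwise the `<root-logger>` level applies), and it scans log lines for plaintext credential parameters such as `j_password`. The two XML fragments, the sample log lines and the list of credential parameter names are constructed for the example; the category `org.apache.tomcat.util.http.Parameters`, the hierarchy rule and the `urn:jboss:domain:logging:1.5` namespace come from the page, and every function name is mine.

```python
"""Audit a JBoss logging subsystem fragment and a log file for the
j_password leak discussed above (added example, not from the page)."""
import re
import xml.etree.ElementTree as ET

NS = {"l": "urn:jboss:domain:logging:1.5"}

# Level ordering used by JBoss/log4j; lower index = more verbose.
LEVELS = ["TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL"]

# Categories known (from the question) to dump request parameters at DEBUG.
PARAM_DUMPING_CATEGORIES = ["org.apache.tomcat.util.http.Parameters"]

# Constructed fragment: root at INFO, own code at DEBUG, and the parent of
# the parameter-dumping category pinned to INFO so a later root-level
# change cannot re-enable the dump.
SAFE_SUBSYSTEM = """
<subsystem xmlns="urn:jboss:domain:logging:1.5">
  <logger category="com.myCompanyHere"><level name="DEBUG"/></logger>
  <logger category="org.apache.tomcat.util.http"><level name="INFO"/></logger>
  <root-logger><level name="INFO"/></root-logger>
</subsystem>
"""

# Constructed fragment reproducing the risky setup: root logger at DEBUG.
RISKY_SUBSYSTEM = """
<subsystem xmlns="urn:jboss:domain:logging:1.5">
  <root-logger><level name="DEBUG"/></root-logger>
</subsystem>
"""


def parse_levels(subsystem_xml):
    """Return ({category: level}, root_level) from a logging subsystem."""
    root = ET.fromstring(subsystem_xml)
    levels = {}
    for logger in root.findall("l:logger", NS):
        level = logger.find("l:level", NS)
        if level is not None:
            levels[logger.get("category")] = level.get("name").upper()
    root_level = root.find("l:root-logger/l:level", NS)
    return levels, (root_level.get("name").upper() if root_level is not None else "INFO")


def effective_level(category, levels, root_level):
    """Walk the dotted hierarchy from most to least specific prefix."""
    parts = category.split(".")
    for n in range(len(parts), 0, -1):
        prefix = ".".join(parts[:n])
        if prefix in levels:
            return levels[prefix]
    return root_level


def categories_that_would_leak(subsystem_xml):
    """Categories whose effective level is DEBUG or more verbose."""
    levels, root_level = parse_levels(subsystem_xml)
    return [cat for cat in PARAM_DUMPING_CATEGORIES
            if LEVELS.index(effective_level(cat, levels, root_level)) <= LEVELS.index("DEBUG")]


# Log-side check: flag lines where a credential parameter appears in clear.
# Parameter names are an assumed list; extend it for your application.
SECRET_PARAM = re.compile(r"(?i)\b(j_password|password|passwd|pwd)=([^&\s\]]+)")


def find_credential_leaks(log_lines):
    """Return (line_number, parameter_name) for every plaintext credential."""
    return [(lineno, m.group(1))
            for lineno, line in enumerate(log_lines, 1)
            for m in SECRET_PARAM.finditer(line)]


def redact(line):
    """Replace the credential value while keeping the parameter name."""
    return SECRET_PARAM.sub(lambda m: m.group(1) + "=<redacted>", line)


# Constructed log lines in the format of the one quoted in the question.
SAMPLE_LOG = [
    "23:03:24,141 DEBUG [org.apache.tomcat.util.http.Parameters] "
    "(http-localhost-127.0.0.1-8080-3) Start processing with input "
    "[j_username=username&j_password=123easy]",
    "23:03:24,150 INFO  [com.myCompanyHere.Login] "
    "(http-localhost-127.0.0.1-8080-3) login ok for username",
]

if __name__ == "__main__":
    print("risky config leaks via:", categories_that_would_leak(RISKY_SUBSYSTEM))
    print("safe config leaks via: ", categories_that_would_leak(SAFE_SUBSYSTEM))
    for lineno, name in find_credential_leaks(SAMPLE_LOG):
        print(f"line {lineno}: plaintext {name}")
        print("  redacted:", redact(SAMPLE_LOG[lineno - 1]))
```

Pinning the parent category `org.apache.tomcat.util.http` rather than the root logger is the point of the first answer: your own packages can still run at DEBUG while the container's parameter parser stays at INFO regardless of what an operator later does to `<root-logger>`. The log scan is the complementary check for files that were written before the configuration was fixed.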