Passwords submitted via password form fields over SSL are showing up in plain text in my catalina.out. Is this something I should be concerned about and, more importantly, something I can turn off?
When any POST form is submitted (port 80 or 443), the plain-text form data is in my catalina.out. I see the following in catalina.out when a login form is submitted via SSL (where XXXX... is the actual password). It doesn't seem to happen while logging in to the tomcat-admin app over localhost:8080, only with apps accessed over apache/mod_jk (actual hex has been obfuscated):

    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | .4.?.=app_id=6&u
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ser=USERNAME&pas
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | sword=XXXXXXXXXX
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | XXXXX&submit=sub
    6d 69 74

Catalina.out has the following permissions:

    -rw------- 1 root root 902 Aug 31 09:04 catalina.out

Thanks
Evan

Tomcat 5.0.30
Apache 1.3.33
latest mod_jk
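
An added example (not part of the original post): a Python check that reassembles the ASCII column of a hex dump like the one above, so a credential field split across 16-byte rows (`pas` / `sword=`) is still found where a line-by-line search for `password` would miss it. The parameter-name list and the function names are assumptions chosen for illustration, and the sample input is constructed from the dump in the post.

```python
import re

# Constructed sample modelled on the dump in the post (hex zeroed, as there).
SAMPLE = """\
Aug 31 09:04:01 some unrelated log line
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | .4.?.=app_id=6&u
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ser=USERNAME&pas
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | sword=XXXXXXXXXX
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | XXXXX&submit=sub
6d 69 74
another unrelated line
"""

# Hex byte pairs, optionally followed by "| <ascii column>".
DUMP_LINE = re.compile(
    r"^\s*((?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2})\s*(?:\|\s?(.*))?$")
# Assumed list of credential-like form field names; extend for your apps.
SENSITIVE = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|secret|token)=([^&\s]*)")

def reassemble(log_text):
    """Yield the joined text of each contiguous run of hex-dump lines."""
    run = []
    for line in log_text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            hex_part, ascii_part = m.groups()
            if ascii_part is None:
                # No ASCII column (as on the last dump row): decode the bytes,
                # showing non-printables as '.' the way the dump does.
                ascii_part = "".join(chr(b) if 32 <= b < 127 else "."
                                     for b in bytes.fromhex(hex_part))
            run.append(ascii_part)
        elif run:
            yield "".join(run)
            run = []
    if run:
        yield "".join(run)

def find_leaks(log_text):
    """Return (field name, value length) per credential-like field found."""
    return [(name, len(value))
            for payload in reassemble(log_text)
            for name, value in SENSITIVE.findall(payload)]

def redact(payload):
    """Replace credential values so a finding can be reported safely."""
    return SENSITIVE.sub(lambda m: m.group(1) + "=[REDACTED]", payload)

if __name__ == "__main__":
    for payload in reassemble(SAMPLE):
        print(redact(payload))
```

The check reports only the field name and value length, and `redact` masks the value, so the scan's own output does not become a second copy of the password.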