Could also be because your javax.net.debug property is set to "all" or "ssl". Check that as well too.
On 8/31/05, Movva, Sudhir <[EMAIL PROTECTED]> wrote: > > Your logging is not configured properly. > Setup the log4j.properties and this should take care of that issue. > -Sudhir. > > -----Original Message----- > From: Evan Dillon [mailto:[EMAIL PROTECTED] > Sent: Wednesday, August 31, 2005 1:27 PM > To: tomcat-user@jakarta.apache.org > Subject: Plain text passwords printed to catalina.out > > Passwords submitted via password form fields over SSL are showing up in > plain text in my catalina.out. Is this something I should be concerned > about and, more importantly, something I can turn off? > > When any POST form is submitted (port 80 or 443,) The plain-text form > data is in my catalina.out. I see the following in catalina.out when a > login form is submitted via SSL(where XXXX... is the actual password) It > doesn't seem to happen while logging in to the tomcat-admin app over > localhost:8080, only with apps accessed over apache/mod_jk (actual hex > has been obfuscated) > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | .4.?.=app_id=6&u 00 > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ser=USERNAME&pas 00 00 > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | sword=XXXXXXXXXX 00 00 00 > 00 00 00 00 00 00 00 00 00 00 00 00 00 | XXXXX&submit=sub 6d 69 74 > > Catalina.out has the following permissions: > -rw------- 1 root root 902 Aug 31 09:04 catalina.out > > Thanks > > Evan > > > Tomcat 5.0.30 > Apache 1.3.33 > latest mod_jk > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > >