> How is Tomcat meant to determine that data in the URL is a password and
> needs to be filtered?
>
>> I imagine there are all sorts of places that (rightfully) have
>> policies against storing a clear text password anywhere.
>
> The only reason you are seeing the password in the access logs appears
> to be the fact that the application is including it in the URL. No
> authentication scheme provided by Tomcat does this. This is an
> application issue (it should be using POST rather than GET) not a Tomcat
> one.
>
> Mark

Ahh. I didn't read the first post very carefully. I thought they were using a built-in Tomcat authorization scheme - and it was logging the usernames and passwords. But the original poster just has a really poor application design.

I didn't think Tomcat would be logging passwords in clear text.

Never mind me :)

Dan
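
Added example, not part of the thread and not Tomcat code: a small audit that finds and redacts password-like query parameters in access log lines written in the "common" pattern, which is where a GET-based login leaves them. The parameter names in SENSITIVE and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names; extend for the application being audited.
SENSITIVE = {"password", "passwd", "pwd", "pass"}

# The request line ("%r" in the access log pattern): "METHOD URI PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample lines in the "common" format (%h %l %u %t "%r" %s %b).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2010:10:15:32 +0000] '
    '"GET /app/login?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '192.0.2.10 - - [12/Mar/2010:10:15:40 +0000] "POST /app/login HTTP/1.1" 302 -',
    '192.0.2.11 - - [12/Mar/2010:10:16:02 +0000] "GET /app/report?id=7 HTTP/1.1" 200 2048',
]

def redact_uri(uri):
    """Return (uri with sensitive values replaced, names of the parameters hit)."""
    parts = urlsplit(uri)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return uri, found          # leave clean URIs byte-for-byte unchanged
    # urlencode re-encodes every pair, so escaping of other values may be normalised.
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

def audit_line(line):
    """Return (line safe to keep, sensitive parameter names seen in its URI)."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    redacted, found = redact_uri(m.group("uri"))
    return line[:m.start("uri")] + redacted + line[m.end("uri"):], found

def audit(lines):
    """Return (line_number, parameter_names, redacted_line) for each offending line."""
    hits = []
    for number, line in enumerate(lines, 1):
        redacted, found = audit_line(line)
        if found:
            hits.append((number, found, redacted))
    return hits

if __name__ == "__main__":
    for number, found, redacted in audit(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)} in URL -> {redacted}")
```

Redaction only cleans up logs that already exist; the POST request in the sample shows the fix the thread points to, since its credentials travel in the body and never reach the request line.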