Overview

User authentication processes are logging credentials (password) in clear text. This data should not be records in the logs

An issue has been created.

Workaround

Until this issue is resolved, password data (and all data) will not be written to the logs if the debug level is set to 0 (zero).

Scope

There are a number of mechanisms that could cause password data to be written to a log file. This table lists all the known mechanisms that would need to be modified.

Name	Description	Used	Classes
Servlet Filter	The `ServletAuthFilter` collects HTTP Header data which might include user Password information	The HTTP Header is written to the log file when debugging is turned on	`ServletAuthFilter`
Id/Password Authenticator	The `ServletFilter` can (if configured) invoke an `Authenticator` that processes the user's Id and Password.	The user's password may be written to the log file if debugging is turned on	`Authenticator IdPassAuthenticator IdPassServiceAuthenticator IdPassSystemAuthenticator`

Servlet Filter

A prototype design encrypts values that have a name of password. The encrypted value would be shown in the logs, instead of the clear text value.

Id/Password Authenticator