Hi!
I have a problem running an application on JBoss 4.0.5 with ajax4jsf enabled. When I log in to this application, my password is shown in server.log when DEBUG is enabled, in a line like this:
2007-11-14 15:57:30,976 DEBUG [org.ajax4jsf.renderkit.AjaxContainerRenderer] Request parameters map {javax.faces.ViewState=rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAN0AARfaWQzcHQACi9sb2dpbi5qc3A=, _idJsp0:_idcl=, _idJsp0:_idJsp8=PASSWORD, autoScroll=, _idJsp0:_idJsp11=Entrar, _idJsp0:_idJsp5=cyfs, _idJsp0_SUBMIT=1, _idJsp0:_link_hidden_=}
I have three environments in my organization (development, testing and production) and I can't control who can enable the Debug level and see the server.log files in each environment.
This parameter is acquired in a JSP code using h:inputSecret, like this:
<h:inputSecret value="#{autenticador.senha}" maxlength="8" size="10"/>
Is there a way to hide this information?
I think it is a security problem in org.ajax4jsf.renderkit.AjaxContainerRenderer. It is not necessary to show this information in the log file.
Thanks in advance,
Daniel
Can anyone help me with this problem?
Thanks!
Daniel
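An added example, not part of the original posts and not ajax4jsf or JBoss code: a log4j 1.2 filter that drops the AjaxContainerRenderer "Request parameters map" events at the appender, so the line is not written even when DEBUG is enabled for that category. The class and package names are hypothetical; it assumes the server logs through log4j 1.2 and that the compiled class is on the server classpath.

```java
package example.logging; // hypothetical package name

import org.apache.log4j.spi.Filter;
import org.apache.log4j.spi.LoggingEvent;

/**
 * Added example (hypothetical class): drops the ajax4jsf debug line that
 * dumps every request parameter, including h:inputSecret values.
 *
 * Attach it to each appender in the server's log4j XML configuration,
 * after the appender's layout element:
 *
 *   <appender name="FILE" class="...">
 *     ...
 *     <filter class="example.logging.RequestParameterDumpFilter"/>
 *   </appender>
 */
public class RequestParameterDumpFilter extends Filter {

    // Logger name and message prefix taken from the log line in the post.
    private static final String LOGGER =
            "org.ajax4jsf.renderkit.AjaxContainerRenderer";
    private static final String PREFIX = "Request parameters map";

    public int decide(LoggingEvent event) {
        // Events from other loggers pass on to the next filter unchanged.
        if (!LOGGER.equals(event.getLoggerName())) {
            return Filter.NEUTRAL;
        }
        String message = event.getRenderedMessage();
        // Deny only the parameter dump; other renderer messages still log.
        if (message != null && message.startsWith(PREFIX)) {
            return Filter.DENY;
        }
        return Filter.NEUTRAL;
    }
}
```

A log4j filter is evaluated per appender, so it has to be added to every appender that writes this category. Anyone who can edit the logging configuration can also remove the filter, so read access to server.log still needs to be restricted.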