Is there a way to configure Jboss/Tomcat to prevent j_password (JAAS) plain text content in log file?
(23:03:24,141 DEBUG [org.apache.tomcat.util.http.Parameters] (http-localhost-127.0.0.1-8080-3) Start processing with input [j_username=username&j_password=123easy]
It may seem a lot of concern, but even server admin shouldn't be able to access secret information just by changing a level log.
While I might concur that this is a bug in Tomcat, others might see it as a useful debug feature.
To avoid enabling this output, you should avoid enabling DEBUG for the root logger on a functional Server in all cases! Programmatically, this can be achieved tailoring this to your needs:
LogManager.getLogger("com.myCompanyHere").setLevel(DEBUG);
This enables DEBUG, but only on the classes under your control! In a properties or xml file the same can be accomplished by using your own appenders and setting the levels to avoid classes not under your control.
In JBoss EAP 6.4 you can set in urn:jboss:domain:logging:1.5 subsystem:
<logger category="org.apache.coyote.http11">
<level name="ERROR"/>
</logger>
