#4 DEBUG logging shows user/passwd in stderr

closed
nobody
None
5
2005-03-25
2004-10-22
Anonymous
No

Hello, I use c3p0 through the Hibernate 2.1.6 release
and I find it quite efficient. Thanks for your work on it.

There is something that is still annoying me.

In PoolBackedDataSource.java the following code shows:

    if (Debug.DEBUG && Debug.TRACE > Debug.TRACE_NONE) {
        System.err.println("Initializing c3p0 pool... " +
            this.toString());
    }

But the logs don't seem to work "log4j like" and I don't
know how to modify the property Debug.DEBUG
at runtime to have it activated or not.
(I know there is a way at build time.)

Even if it is in stderr.log, once debug is activated to
track an error, anyone can see the username and
password which can be considered as a problem in the
error file.
At least the password shouldn't be shown if it is not
wanted.

Could you implement for the future a "toSecureString()"
method in PoolBackedDataSource.java that doesn't show
the password at this place?

Best regards,

Gwendal TANGUY

gwendal.tanguy@swissquote.ch

Discussion

  • Steve Waldman
    2004-12-01

    Gwendal,

    Big apologies. I didn't have this tracker properly set up to e-mail me, and
    had not traditionally used it. But users have been adding items for the
    last 8 months or so, and I haven't noticed.... Very poor service on my
    part. Sorry!

    Recent versions of c3p0 [0.8.5-preX] mask out the username and
    password on c3p0's configuration dump.

    More general logging issues are a big TODO. c3p0 will support a more
    log4j/jdk14/commons-logging approach in the next major release (after
    0.8.5 is final). Logging is the most common complaint I get with c3p0,
    and very justifiably so.

    Sorry once again for the very slow response. I should get notice now of
    support requests to this tracker, so hopefully it won't happen again.

    smiles,
    Steve

     
  • Steve Waldman
    2005-03-25

    • status: open --> closed
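
A sketch of the "toSecureString()" idea requested in this ticket, as an added example that is not c3p0's code: the class `PoolConfigDump`, its property names and the sample values are hypothetical. It goes slightly beyond the report by also masking credentials carried as query parameters in a JDBC URL, and it makes the masked form the default `toString()` so a stray debug print cannot expose them.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical pool configuration holder; not a c3p0 class. */
public class PoolConfigDump {
    // Property names whose values must never reach a log (assumed list).
    private static final Set<String> SENSITIVE = Set.of("user", "username", "password");
    // Credentials passed as JDBC URL parameters, e.g. ?user=x&password=y
    private static final Pattern URL_CREDS =
        Pattern.compile("(?i)([?&;](?:user|username|password)=)[^&;]*");
    private static final String MASK = "******";
    private final Map<String, String> props = new LinkedHashMap<>();

    public PoolConfigDump set(String k, String v) { props.put(k, v); return this; }

    /** Configuration dump with credentials masked wherever they appear. */
    public String toSecureString() {
        Map<String, String> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : props.entrySet()) {
            String v = e.getValue();
            if (SENSITIVE.contains(e.getKey().toLowerCase())) {
                v = MASK;                                   // whole value is a secret
            } else if (v != null) {
                v = URL_CREDS.matcher(v).replaceAll("$1" + MASK); // secret inside a URL
            }
            safe.put(e.getKey(), v);
        }
        return "PoolConfigDump" + safe;
    }

    /** Default to the masked form so an accidental println cannot leak. */
    @Override
    public String toString() {
        return toSecureString();
    }

    public static void main(String[] args) {
        PoolConfigDump cfg = new PoolConfigDump()   // constructed sample values
            .set("jdbcUrl", "jdbc:mysql://db.example.test/app?user=app&password=s3cret")
            .set("user", "app")
            .set("password", "s3cret")
            .set("maxPoolSize", "20");
        System.err.println("Initializing pool... " + cfg);
    }
}
```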