How can I stop passwords appearing in log file


Please excuse my ignorance about Openfire. I am not too familiar with it but I am helping administer a machine where someone has installed it. The trouble is that the info.log is becoming full of lines like:

2014.11.04 20:56:07 org.jivesoftware.openfire.auth.AuthFactory - AuthFactory authenticate:auser,password=hispassword

These credentials are shared across applications so it is deeply troubling to see Openfire leaking all the user passwords into the logfile. I have had to temporarily shut the Openfire server down while we try to resolve this and more credentials get compromised. Is there some way to disable the passwords being dumped to the logfile? It's a very bad practice.

Hoping for useful suggestions.




Which authprovider are you using with Openfire?


Thanks Daryl for asking the right question. I just checked and I see what was being run was a custom Authprovider and Authfactory. These dodgy log messages were coming from this custom code. I will now jump up and down on their heads :slight_smile:

This seems not in any way to be a vulnerability in openfire code.
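
For cleanup after a leak like the one in this thread, the following added example (not from the thread or from Openfire) redacts the password field in lines of the quoted format and lists the usernames whose credentials were written to the log. The function name `scrub`, the `.redacted` output suffix and the sample lines other than the first are assumptions made for illustration.

```python
import re
import sys

# Line format quoted in the thread:
#   <date> <time> <logger> - AuthFactory authenticate:<user>,password=<secret>
# The username is taken up to the first comma; the secret is the rest of the
# line, so passwords containing ',' or '=' are still fully redacted.
LEAK = re.compile(
    r"^(?P<prefix>.*AuthFactory authenticate:)(?P<user>[^,]*),password=(?P<secret>.*)$"
)

def scrub(lines):
    """Return (redacted_lines, sorted usernames whose password was logged)."""
    exposed = set()
    out = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = LEAK.match(line)
        if m:
            exposed.add(m.group("user"))
            line = f"{m.group('prefix')}{m.group('user')},password=[REDACTED]"
        out.append(line)
    return out, sorted(exposed)

# Constructed sample input: the first line is the one quoted in the thread,
# the other two are made up to exercise the non-matching and odd-password cases.
SAMPLE = [
    "2014.11.04 20:56:07 org.jivesoftware.openfire.auth.AuthFactory - "
    "AuthFactory authenticate:auser,password=hispassword",
    "2014.11.04 20:56:09 org.example.Other - session opened for auser",
    "2014.11.04 20:57:30 org.jivesoftware.openfire.auth.AuthFactory - "
    "AuthFactory authenticate:buser,password=pa,ss=word",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Write a redacted copy beside each log file given on the command line.
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                redacted, users = scrub(fh)
            with open(path + ".redacted", "w", encoding="utf-8") as fh:
                fh.write("\n".join(redacted) + "\n")
            print(f"{path}: passwords logged for {users}")
    else:
        redacted, users = scrub(SAMPLE)
        print("\n".join(redacted))
        print("passwords logged for:", users)
```

Every listed account should have its password changed, since redaction does not undo the exposure. Rotated or backed-up copies of the log need the same treatment.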