Java Mailing List Archive

http://www.junlu.com/


Plain text passwords printed to catalina.out

Evan Dillon

2005-08-31


Passwords submitted via password form fields over SSL are showing up in
plain text in my catalina.out. Is this something I should be concerned
about and, more importantly, something I can turn off?

When any POST form is submitted (port 80 or 443), the plain-text form
data is in my catalina.out. I see the following in catalina.out when a
login form is submitted via SSL (where XXXX... is the actual password). It
doesn't seem to happen while logging in to the tomcat-admin app over
localhost:8080, only with apps accessed over apache/mod_jk (actual hex
has been obfuscated).

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | .4.?.=app_id=6&u
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ser=USERNAME&pas
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | sword=XXXXXXXXXX
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | XXXXX&submit=sub
6d 69 74

Catalina.out has the following permissions:
-rw------- 1 root root 902 Aug 31 09:04 catalina.out

Thanks

Evan


Tomcat 5.0.30
Apache 1.3.33
latest mod_jk
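
Added example (not part of the original post): a Python check that reassembles the ASCII column of dump rows like those quoted above and reports credential-named form parameters, which a line-by-line search for "password=" misses because the dump splits the name across rows. The row layout is taken from the post; the parameter-name list and the sample log are assumptions constructed for illustration.

```python
import re

# Constructed sample in the dump layout quoted in the post (placeholder values only).
SAMPLE_LOG = """\
INFO: constructed line, password policy loaded
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | .4.?.=app_id=6&u
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ser=USERNAME&pas
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | sword=XXXXXXXXXX
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | XXXXX&submit=sub
6d 69 74
INFO: constructed trailing line
"""

# One dump row: up to 16 hex bytes, optionally followed by "| " and an ASCII column.
ROW = re.compile(r"^((?:[0-9a-fA-F]{2} ){0,15}[0-9a-fA-F]{2})\s*(?:\| ?(.*))?$")
# Form parameter names treated as credentials (assumed list; extend for your apps).
CRED = re.compile(r"(?i)\b(password|passwd|pwd|pass)=([^&\s]+)")

def row_text(line):
    """Return the ASCII carried by one dump row, or None if the line is not a row."""
    m = ROW.match(line)
    if not m:
        return None
    if m.group(2) is not None:
        return m.group(2)
    # No ASCII column (a short final row): decode the hex bytes instead.
    return "".join(chr(b) if 32 <= b < 127 else "." for b in bytes.fromhex(m.group(1)))

def find_leaks(log_text):
    """Return (first_line_of_dump, parameter, value_length) for each credential found."""
    findings, buf, start = [], "", None
    for no, line in enumerate(log_text.splitlines() + [""], 1):
        text = row_text(line)
        if text is not None:
            if start is None:
                start = no
            buf += text  # join rows so names split across rows become whole again
            continue
        if start is not None:
            findings += [(start, m.group(1), len(m.group(2))) for m in CRED.finditer(buf)]
            buf, start = "", None
    return findings

if __name__ == "__main__":
    print(find_leaks(SAMPLE_LOG))
```

Only the parameter name and value length are reported, so the check's own output does not copy the password into another file.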



