CA APM's Introscope WebView log file, IntroscopeWebView.log, shows the user password in plain text when the debug level is enabled in logback_wv.xml:
<configuration debug="true" scan="true" scanPeriod="30 seconds" packagingData="false">
<variable name="APM_LOG_LEVEL_WV" value="${APM_LOG_LEVEL_WV:-DEBUG}"/>
In IntroscopeWebView.log:
DEBUG 1148 --- [qtp809742251-47] org.eclipse.jetty.server.HttpInput : HttpInputOverHTTP@1401b133[c=33,q=1,[0]=EOF,s=STREAM] read 1 from Content@458fe53d{HeapByteBufferR@6982ce11[p=812,l=927,c=16384,r=115]={POST /Apm...username=<my username here>&j_password=<my current password here in plain text>...0HX-JEE0-0ATG-80VB-KM15>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00}}
CA APM 10.8 HF4
This is likely a regression in 10.8 HF4/SP1, when the log handling was switched from log4j to logback.
Previously, with log4j, WebView and Jetty log levels were set separately for their own modules, so setting DEBUG for WebView did not affect Jetty logging.
Now with logback, the log level "APM_LOG_LEVEL_WV" is set for root, so it applies to all loggers unless excluded explicitly.
Engineering is working on two options to fix this issue:
1. Separate out Jetty loggers, same as before. You can still set DEBUG for Jetty loggers to see the payload.
2. Encrypt j_password in the payload.
The fix is currently in progress and is expected to be included in the 10.8 CHF#8 and SAP 10.8.0.204 releases.
Configure the logging in these files: logback-em.xml, logback-wv.xml and logback-ws.xml.
Refer to:
Logging (Application Performance Management 10.8 SP1 Onwards)
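To check whether log files written while DEBUG was active already contain credentials, a scan like the following flags and redacts the affected lines. This is an added example, not code from CA APM or from this article; the sample lines, the /login path and the user name are constructed, and the pattern assumes the password value ends at '&', whitespace, '>' or '}' as in the excerpt above.

```python
import re
import sys

# j_password form field as it appears in the Jetty DEBUG dump of the login POST.
# Assumption: the value ends at '&', whitespace, '>' or '}' (form bodies are
# URL-encoded, so those characters do not occur inside the value itself).
J_PASSWORD = re.compile(r"(j_password=)([^&\s>}]+)")
# Lines emitted at DEBUG by a Jetty logger, the source named in the article.
JETTY_DEBUG = re.compile(r"\bDEBUG\b.*\borg\.eclipse\.jetty\.")

def scan_line(line):
    """Return (redacted_line, leaked) for a single log line."""
    redacted, hits = J_PASSWORD.subn(r"\1[REDACTED]", line)
    return redacted, hits > 0

def scan_log(lines):
    """Return (redacted_lines, findings) for an iterable of log lines.

    findings holds (line_number, from_jetty_debug) for each line that
    carried a j_password value; line numbers are 1-based.
    """
    redacted_lines, findings = [], []
    for number, line in enumerate(lines, start=1):
        redacted, leaked = scan_line(line)
        redacted_lines.append(redacted)
        if leaked:
            findings.append((number, bool(JETTY_DEBUG.search(line))))
    return redacted_lines, findings

# Constructed sample lines modelled on the excerpt in this article.
SAMPLE = [
    "INFO 1148 --- [main] com.example.Startup : WebView started",
    "DEBUG 1148 --- [qtp1-47] org.eclipse.jetty.server.HttpInput : read 1 from "
    "Content@0{POST /login username=alice&j_password=S3cr%21t>>>\\x00\\x00}",
    "DEBUG 1148 --- [qtp1-48] org.eclipse.jetty.server.HttpInput : read 0 from "
    "Content@0{GET /index}",
]

if __name__ == "__main__":
    # Usage: python scan_wv_log.py IntroscopeWebView.log  (no argument: sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            source = handle.read().splitlines()
    else:
        source = SAMPLE
    _, found = scan_log(source)
    for number, from_jetty in found:
        origin = "Jetty DEBUG" if from_jetty else "other logger"
        print(f"line {number}: j_password value present ({origin})")
```

Any account whose password appears in a flagged line should have that password changed, since the log file and its rotated copies may have been readable by others.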