"adrian(a)jboss.org" wrote : Why doesn't this solve the problem? | http://www.jboss.org/community/docs/DOC-9350 | http://www.jboss.org/community/docs/DOC-9703 | That solves the issue for JCA. But what if the user has not done the encryption and log is set to debug (community version). Logs are long lived beasts. I only have an issue with JBoss core infrastructure chewing out attribute values in debug mode when the values can be passwords. "adrian(a)jboss.org" wrote : | Even if you mask the password in the log, if it is an MBean attribute, it will | be visible via JMX (and the user has access). If we try to fix this. It will only get complicated. Visually, it would prohibit the update of the password. "adrian(a)jboss.org" wrote : | Additionally since we recommend changing the log level to INFO | for production anyway, none of this will appear in the log. I am not sure that everyone follows the recommendations. We are not trying to make passwords totally invisible. All we are trying to do is a trivial mask to passwords in the log (we may not get a 100% hit with the masking). View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4181566#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...