Bug 61114 - startup.VersionLoggerListener may leak sensitive information
Status: RESOLVED WONTFIX
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.0.28
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Reported: 2017-05-22 14:16 UTC by jhermann
Modified: 2017-05-23 11:36 UTC

Description jhermann 2017-05-22 14:16:28 UTC
Related to https://bz.apache.org/bugzilla/show_bug.cgi?id=56401

When passwords or similar are part of the JVM command line, they end up in logs that might be shipped to locations where you don't want that information to end up in. At least well-known cases should be handled (-Djavax.net.ssl.trustStorePassword=...).

Possible remedies:
* Provide an option to not log command line args (but the other information).
* Handle well-known cases via a blacklist of substrings / regex that prevent logging ("javax.net.ssl.trustStorePassword", or "password" and "secret" in general).

Of course, removing the listener also works, but at the price of removing *all* of its logging.
Comment 1 Konstantin Kolinko 2017-05-22 20:38:51 UTC
1. The option already exists. Looking at the oldest version supported now (7.0.x), it is named "logArgs", in all newer versions as well.

http://tomcat.apache.org/tomcat-7.0-doc/config/listeners.html


2. Passing secrets via command line arguments is a well-known bad idea / SNAFU,
because they are visible to other local users that can run the "ps" command or read "/proc/<pid>/cmdline".

A better idea will be to put them into conf/catalina.properties.

Also see the FAQ
https://wiki.apache.org/tomcat/FAQ/Password

Note that system properties are not logged by default configuration of VersionLoggerListener (configured by the "logProps" attribute).


3. Command line arguments provide important information for troubleshooting.

JVM options, memory size configuration, logging configuration.


4. Logs are well known to contain sensitive information (e.g. they may contain session ids) and shall be protected from world-wide access.


I do not see what can be improved here. Closing as WONTFIX.
Comment 2 jhermann 2017-05-23 11:36:39 UTC
Sorry, should've thought of checking the docs beforehand. Thanks for the hints, those helped.
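
An added audit example, not part of the original thread and not Tomcat project code: it reads a server.xml to report the effective "logArgs" and "logProps" settings of VersionLoggerListener, and masks sensitive-looking values in the listener's "Command line argument:" log entries. The server.xml snippet, the log lines and the helper names are constructed for illustration; the name patterns are the two suggested in the report.

```python
import re
import xml.etree.ElementTree as ET

LISTENER = "org.apache.catalina.startup.VersionLoggerListener"
# Name patterns follow the report's suggestion ("password", "secret"); extend as needed.
SENSITIVE = re.compile(r"password|secret", re.IGNORECASE)
# Startup entry the listener writes once per JVM argument.
ARG_LINE = re.compile(r"^(?P<prefix>.*Command line argument: )(?P<arg>.*)$")

# Constructed sample input, not taken from a real deployment.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
</Server>"""
_P = "22-May-2017 14:16:28.101 INFO [main] " + LISTENER + ".log Command line argument: "
LOG = [
    _P + "-Xmx512m",
    _P + "-Djavax.net.ssl.trustStorePassword=EXAMPLE-ONLY",
    _P + "-Djava.io.tmpdir=/opt/tomcat/temp",
]


def listener_settings(server_xml):
    """Return the effective logArgs/logProps of the listener, or {} if it is absent."""
    for node in ET.fromstring(server_xml).iter("Listener"):
        if node.get("className") == LISTENER:
            return {
                # Documented defaults: arguments are logged, system properties are not.
                "logArgs": node.get("logArgs", "true").lower() == "true",
                "logProps": node.get("logProps", "false").lower() == "true",
            }
    return {}


def redact(line):
    """Mask the value of a sensitive-looking name=value argument in one log line."""
    m = ARG_LINE.match(line)
    if not m:
        return line, False
    name, sep, _value = m.group("arg").partition("=")
    if not sep or not SENSITIVE.search(name):
        return line, False  # flags such as -Xmx512m and harmless properties pass through
    return m.group("prefix") + name + "=<redacted>", True


if __name__ == "__main__":
    print(listener_settings(SERVER_XML))
    for entry in LOG:
        print(redact(entry)[0])
```

Redacting logs after the fact does not hide the argument from "ps" or "/proc/<pid>/cmdline"; moving the secret out of the command line, as Comment 1 advises, addresses both.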