Unobfuscated TGT in logs


František Řezáč

Oct 11, 2018, 7:24:37 AM
to CAS Community
I have already reported this in Gitter chat but I've got no response so I'm posting it here to be sure.

In Apereo CAS:

- It's possible to log the URL as part of every message by including this in the log pattern: %X{requestUri}. See https://apereo.github.io/cas/5.3.x/installation/Logging.html
- The REST API contains TGT id as part of URL for requesting a service ticket: /cas/v1/tickets/{TGT id}. See https://apereo.github.io/cas/5.3.x/protocol/REST-Protocol.html

So as a side effect of calling the REST API we get a lot of logs containing something that appears to me to be a secret that should be obfuscated, but it is not. I'm not involved directly in the deployment of Apereo CAS and I don't have any experience with it, so I may be wrong, but I see it in the logs and I wonder if it's OK.

František Řezáč
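As an added illustration (not code from the post or from the CAS project) of the two things an operator would want after reading this: a check that finds TGT ids already written into existing log files, and a redaction that masks them. The ticket-id shape `TGT-<seq>-<random>-<host>` and the sample log lines are assumptions constructed for the example.

```python
import re

# Assumed shape of a CAS ticket-granting ticket id: "TGT-" followed by
# sequence, random part and host, joined by hyphens. Only the prefix matters here.
TGT_RE = re.compile(r"\bTGT-[A-Za-z0-9._-]+")

REDACTION = "TGT-[REDACTED]"


def redact_tgt(line: str) -> str:
    """Mask every TGT id in one log line, leaving the rest of the line intact."""
    return TGT_RE.sub(REDACTION, line)


def redact_log(lines):
    """Apply redact_tgt to a sequence of log lines."""
    return [redact_tgt(line) for line in lines]


def find_leaked_tgts(lines):
    """Return (line_number, tgt_id) for every unmasked TGT id, 1-based lines.

    Useful for auditing logs that were written before the pattern was fixed.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in TGT_RE.finditer(line):
            hits.append((number, match.group(0)))
    return hits


# Constructed sample lines resembling output of a pattern that includes
# %X{requestUri}; the second one carries the REST path from the post.
SAMPLE_LOG = [
    "2018-10-11 07:24:37 INFO  POST /cas/v1/tickets - TGT created",
    "2018-10-11 07:24:38 INFO  POST /cas/v1/tickets/TGT-42-AbCdEf123-cas01 - ST issued",
    "2018-10-11 07:24:39 DEBUG GET /cas/login - no ticket in request",
]

if __name__ == "__main__":
    for number, tgt in find_leaked_tgts(SAMPLE_LOG):
        print(f"line {number}: unmasked ticket id {tgt}")
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

The same regex can be applied at the source: log4j2's PatternLayout has a `%replace{pattern}{regex}{substitution}` converter that can wrap `%X{requestUri}` so the ticket id never reaches the file.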