Comment 21 for bug 1098307

Thierry Carrez (ttx) wrote : Re: unauthenticated POST to /tokens can fill up disk/logs

I suspect Adam means that the fix is correct, but does not fully address the class of issues you uncovered; in particular, we are still logging the full URL, which may be stuffed outside of the userId/username/tenantId/tenantname/token/password parameters.

Since the new size-limiting middleware would only go to Grizzly, if we are indeed logging the full URL somewhere it would probably be a good move to check the size of it in the security fix too (or log only the first n characters).
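The two mitigations the comment suggests (bounding the size of the request URL before anything downstream logs it, and logging only the first n characters) can both be done in a small WSGI middleware. The following is an added, constructed example written for this page; it is not Keystone's own middleware or the Grizzly size-limiting middleware, and the limits (2048 URL characters, 200 logged characters), the `UrlSizeLimiter` class name and the `ok_app` backend are assumptions chosen for illustration.

```python
"""Constructed example (not Keystone code): bound oversize request URLs
before they reach the logger, and truncate whatever is logged."""
import logging

LOG = logging.getLogger(__name__)

DEFAULT_MAX_URL_LENGTH = 2048   # assumed limit chosen for this example
DEFAULT_LOG_URL_CHARS = 200     # the "first n characters" from the comment


def truncate_for_log(text, limit=DEFAULT_LOG_URL_CHARS):
    """Return at most `limit` characters of `text`, marking how much was cut."""
    if len(text) <= limit:
        return text
    return text[:limit] + "...[%d chars truncated]" % (len(text) - limit)


def request_url(environ):
    """Reconstruct path plus query string from a WSGI environ (no scheme/host)."""
    url = environ.get("PATH_INFO", "")
    qs = environ.get("QUERY_STRING", "")
    if qs:
        url += "?" + qs
    return url


class UrlSizeLimiter(object):
    """WSGI middleware (hypothetical): reject requests whose URL exceeds
    max_url_length with 414 before any downstream code can log the full string."""

    def __init__(self, app, max_url_length=DEFAULT_MAX_URL_LENGTH,
                 log_url_chars=DEFAULT_LOG_URL_CHARS):
        self.app = app
        self.max_url_length = max_url_length
        self.log_url_chars = log_url_chars

    def __call__(self, environ, start_response):
        url = request_url(environ)
        if len(url) > self.max_url_length:
            # Log only a bounded prefix, so the rejection message itself
            # cannot be used to fill the logs with attacker-controlled data.
            LOG.warning("Rejected oversize URL (%d chars): %s",
                        len(url), truncate_for_log(url, self.log_url_chars))
            start_response("414 Request-URI Too Long",
                           [("Content-Type", "text/plain")])
            return [b"Request-URI Too Long"]
        return self.app(environ, start_response)


def run_request(app, environ):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def ok_app(environ, start_response):
    """Stand-in backend (assumed) that accepts anything it receives."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    limited = UrlSizeLimiter(ok_app, max_url_length=100, log_url_chars=40)
    # Constructed requests: a normal token request and one with a bloated query.
    small = {"PATH_INFO": "/v2.0/tokens", "QUERY_STRING": ""}
    big = {"PATH_INFO": "/v2.0/tokens", "QUERY_STRING": "junk=" + "A" * 5000}
    print(run_request(limited, small))
    print(run_request(limited, big))
```

Placing the check in middleware rather than in the token handler means the limit applies to every path, including unauthenticated ones, and the logged prefix is bounded regardless of which parameter the oversize data was stuffed into.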