Currently any password passed in as part of the url (e.g. https://promuser:password@hostname:9090/) will be recorded in the logs. The logging should be changed to mask this password.