In the log4j (at debug level) output I see the authorization header when the BasicProcessingFilter authentication filter is used:
Authorization header: Basic cGVhY2gucmVkLmludGVybmFsOmFsZ3Bhc3N3b3Jk
This information contains the username and password, simply obfuscated in base64; the username and password of any user can be discovered from the log4j logs. The proper behavior would be to remove the logging, or make it optional via an optional flag set on the BasicProcessingFilter. Right now it is not possible to change the behavior via configuration or sub-classing since it happens as part of doFilterHttp() which also implements the core functionality.
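As an added example (not part of this report or of Spring Security), a small Python scanner that finds leaked Basic credentials in existing log output of the shape quoted above and redacts them; the sample log lines and the credential in them are constructed.

```python
import base64
import binascii
import re

# Constructed sample of log4j DEBUG output in the shape quoted in the report
# (the credential here is "alice:s3cret", made up for this example).
SAMPLE_LOG = [
    "DEBUG FilterChainProxy - /app/secure at position 3 of 5 in filter chain",
    "DEBUG BasicProcessingFilter - Authorization header: Basic YWxpY2U6czNjcmV0",
    "DEBUG BasicProcessingFilter - Basic authentication attempt for a request",
    "DEBUG SomeFilter - token: Basic Zm9vYmFy",
]

# The Basic scheme followed by something that looks like a base64 token.
BASIC_RE = re.compile(r"\bBasic\s+([A-Za-z0-9+/]+=*)")


def decode_basic_username(token):
    """Return the username if token is a real base64 'user:password' pair, else None.
    The password is never returned: the goal is to confirm a leak and name the account."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None  # not valid base64, or not text at all
    user, sep, _password = text.partition(":")
    return user if sep else None  # no colon means it is not a Basic credential


def scan_log(lines):
    """Return (line_number, username) for every line that leaked a credential."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in BASIC_RE.finditer(line):
            user = decode_basic_username(match.group(1))
            if user is not None:
                findings.append((number, user))
    return findings


def redact(line):
    """Mask only genuine credentials; ordinary words after 'Basic' are left alone."""
    def mask(match):
        if decode_basic_username(match.group(1)) is None:
            return match.group(0)
        return "Basic [REDACTED]"
    return BASIC_RE.sub(mask, line)
```

Running `scan_log(SAMPLE_LOG)` reports the leaked account on line 2 only; the word "authentication" on line 3 and the colon-free token on line 4 are not treated as credentials.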