logging-log4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Terry Mah <tandt...@yahoo.com>
Subject Re: Password obfuscation
Date Wed, 19 May 2010 13:35:53 GMT
Thanks Heri, I'll look into the Renderer.



----- Original Message ----
From: Bender Heri <hbender@ergonomics.ch>
To: Log4J Developers List <log4j-dev@logging.apache.org>
Sent: Wed, May 19, 2010 2:07:15 AM
Subject: RE: Password obfuscation

If you have full rights about your logger configuration you can either write your own Renderer(s)
which filters out the sensitive information within one log statement, or you apply a self
written Filter in order to block the log statement entirely if it contains sensitive information.
Heri

> -----Original Message-----
> From: Terry Mah [mailto:tandtmah@yahoo.com]
> Sent: Tuesday, May 18, 2010 9:31 PM
> To: Nikolas Nikou; Log4J Developers List
> Subject: Re: Password obfuscation
> 
> Hello,
> Thanks for your suggestion.  I agree one way to encypt the fields is on the incoming
request.  That
> way if we output the request to log, then fields would already be encrypted.  The issue
is that the
> requests are coming from a third party and they have already stated that they do not
want to encrypt
> the fields.  We are using SSL so their already is a level of encryption at the transport
layer and
> they do not want to have to encrypt individual fields within the request.
> 
> Thanks,
> 
> Terry
> 
> 
> 
> 
> ----- Original Message ----
> From: Nikolas Nikou <nikoniko@telehorizon.com>
> To: Log4J Developers List <log4j-dev@logging.apache.org>
> Sent: Tue, May 18, 2010 1:18:54 PM
> Subject: Re: Password obfuscation
> 
> Hi Terry,
> I don't know how your system works but here is an idea,
> why don't you encrypt sensitive information over the net?
> Nikolas
> 
> στις 18/5/2010 5:39 μμ, O/H Terry Mah έγραψε:
> > Hello,
> > I do not have any experience in development within log4j, but I am wondering if
you could point me
> in the right direction.  Currently we are using jetty and axis2 for our SOAP server.
> >
> > We have a need to NOT log any information if it is a password or account ID.  Since
log4j is mostly
> used for SOAP requests all passwords and account ID's should follow a basic set of rules. 
(i.e.
> contained within a SOAP envelope, XML, etc).
> >
> > Is there a feasible solution where I code alter the log4j code such that I don't
have to modify any
> other 3rd party app to achieve my goal?
> >
> > Thanks for the assistance.
> >
> > Terry
> >
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
> > For additional commands, e-mail: log4j-dev-help@logging.apache.org
> >
> >
> >
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
> For additional commands, e-mail: log4j-dev-help@logging.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
For additional commands, e-mail: log4j-dev-help@logging.apache.org


      

---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
For additional commands, e-mail: log4j-dev-help@logging.apache.org


Mime
View raw message