logging-log4j-user mailing list archives

From Ralph Goers <ralph.go...@dslextreme.com>
Subject Re: suppress beanutils logging for certain fields
Date Sat, 04 Apr 2015 23:42:25 GMT
I can’t think of any way to do this in log4j 1.x. You could make a custom copy of commons
beanutils and remove the log statement that is causing the problem. You could also open a
Jira issue against commons beanutils and ask that this be fixed.

Ralph

> On Apr 3, 2015, at 9:58 PM, arjun Sirupa (asirupa) <asirupa@cisco.com> wrote:
> 
> Hello,
> 
> In our application, we are using log4j 1.2.17. We use Struts, which internally uses beanutils for the Login bean. If the log level is set to DEBUG for the “org.apache.commons.beanutils” category in log4j.xml, it prints the password in clear text.
> 
> In the example below, the user’s username is “admin” and password is “password”.
> 
> DEBUG  [admin-http-pool1][] org.apache.commons.beanutils.ConvertUtils -::25E5ED4A07F594C9CBDC2C7915D657D2:::- Convert string 'admin' to class 'java.lang.String'
> 
> DEBUG  [admin-http-pool1][] org.apache.commons.beanutils.ConvertUtils -::25E5ED4A07F594C9CBDC2C7915D657D2:::- Convert string 'password' to class 'java.lang.String'
> 
> The security team at our company reported this as a security vulnerability and wants us to fix it immediately. Any ideas on how to suppress logging for particular fields? Or is there any other alternative?
> 
> Please share your input.
> 
> Thanks,
> Arjun.
> 

