logging-log4j-user mailing list archives

From JOSE L MARTINEZ-AVIAL <jlm...@gmail.com>
Subject Re: suppress beanutils logging for certain fields
Date Sun, 05 Apr 2015 01:06:08 GMT
One alternative is to create a custom layout that actually takes care of
that. It would check the logger name, and if it is the class you want to
abstract, look for a specific pattern to get the password and replace it
with "hidden" or whatever you want to do. It would be something like this:

import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.log4j.PatternLayout;
import org.apache.log4j.spi.LoggingEvent;

public class MaskInfoFilteringLayout extends PatternLayout {

    // Logger names whose messages are inspected (e.g. the beanutils class).
    private Set<String> filteredLogger = Collections.emptySet();

    // Each pattern must capture four groups: group(1) and group(4) are kept,
    // whatever lies between them is replaced with "hidden".
    private List<Pattern> myPatterns = Collections.emptyList();

    // [...] setters / configuration omitted in the original

    @Override
    public String format(LoggingEvent event) {
        if (filteredLogger.contains(event.getLoggerName())) {
            if (event.getMessage() instanceof CharSequence) {
                String message = event.getRenderedMessage();
                boolean hasBeenMasked = false;
                for (Pattern pattern : myPatterns) {
                    Matcher matcher = pattern.matcher(message);
                    if (matcher.find()) {
                        matcher.reset();
                        StringBuffer sb = new StringBuffer();
                        while (matcher.find()) {
                            // quoteReplacement: a '$' or '\' inside the kept groups
                            // would otherwise be read as a group reference
                            matcher.appendReplacement(sb, Matcher.quoteReplacement(
                                    matcher.group(1) + "hidden" + matcher.group(4)));
                        }
                        matcher.appendTail(sb);
                        message = sb.toString();
                        hasBeenMasked = true;
                    }
                }
                if (hasBeenMasked) {
                    // LoggingEvent is immutable, so rebuild it with the masked message
                    @SuppressWarnings({ "ThrowableResultOfMethodCallIgnored" })
                    Throwable throwable = event.getThrowableInformation() != null
                            ? event.getThrowableInformation().getThrowable() : null;
                    event = new LoggingEvent(event.fqnOfCategoryClass, event.getLogger(),
                            event.timeStamp, event.getLevel(), message, throwable);
                }
            }
        }
        return super.format(event);
    }
}

Please bear in mind the impact on performance it would have.

2015-04-04 19:42 GMT-04:00 Ralph Goers <ralph.goers@dslextreme.com>:

> I can’t think of any way to do this in log4j 1.x. You could make a custom
> copy of commons beanutils and remove the log statement that is causing the
> problem. You could also open a Jira issue against commons beanutils and ask
> that this be fixed.
>
> Ralph
>
> > On Apr 3, 2015, at 9:58 PM, arjun Sirupa (asirupa) <asirupa@cisco.com>
> wrote:
> >
> >
> > Hello,
> >
> > In our application, we are using log4j 1.2.17. We use Struts which
> internally uses beanutils for Login bean. If log level is set to DEBUG for
> “org.apache.commons.beanutils” category in log4j.xml, it prints password in
> clear text.
> >
> > In below example, user’s username is “admin” and password is “password”.
> >
> >
> > DEBUG  [admin-http-pool1][] org.apache.commons.beanutils.ConvertUtils
> -::25E5ED4A07F594C9CBDC2C7915D657D2:::- Convert string 'admin' to class
> 'java.lang.String'
> >
> > DEBUG  [admin-http-pool1][] org.apache.commons.beanutils.ConvertUtils
> -::25E5ED4A07F594C9CBDC2C7915D657D2:::- Convert string ‘password' to class
> 'java.lang.String'
> >
> >
> > The security team at our company reported this as a security
> vulnerability and want us to fix immediately. Any ideas on how to suppress
> logging for particular fields? Or is there any other alternative?
> >
> > Please share your input.
> >
> > Thanks,
> > Arjun.
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: log4j-user-unsubscribe@logging.apache.org
> For additional commands, e-mail: log4j-user-help@logging.apache.org
>
>
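As an added example that is not part of the thread: a pattern shaped for the group(1)/group(4) convention of the layout above, applied to the ConvertUtils message shape quoted in Arjun's mail. The class name, the mask() helper and the pattern are mine; the sample lines are constructed from the log output in the question.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not code from the thread. Group 2 captures the value and
// group 3 is an empty placeholder, so that the "group(1) + hidden + group(4)"
// replacement used by the posted layout keeps both quotes around the value.
public class BeanutilsMaskDemo {

    // Assumption: the beanutils message reads exactly
    // "Convert string '<value>' to class '<type>'", as quoted in the question.
    static final Pattern CONVERT_VALUE =
            Pattern.compile("(Convert string ')([^']*)()(' to class)");

    // Same replacement loop as the layout's format(), isolated so it can be
    // checked against a known message before the layout is deployed.
    static String mask(String message, Pattern pattern) {
        Matcher m = pattern.matcher(message);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            // quoteReplacement: a captured '$' or '\' would otherwise be
            // interpreted as a group reference by appendReplacement
            m.appendReplacement(sb,
                    Matcher.quoteReplacement(m.group(1) + "hidden" + m.group(4)));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input, modelled on the two DEBUG lines in the question
        String[] lines = {
            "Convert string 'admin' to class 'java.lang.String'",
            "Convert string 'password' to class 'java.lang.String'",
            "Unrelated message with 'quotes' is left untouched"
        };
        for (String line : lines) {
            String masked = mask(line, CONVERT_VALUE);
            System.out.println(masked);
            if (masked.contains("'password'")) {
                throw new AssertionError("secret still present after masking");
            }
        }
    }
}
```

Because the ConvertUtils message carries no field name, the pattern cannot tell the password apart from the username, so every converted value on that logger is masked; the message text itself sets the limit of how selective this approach can be.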
