logging-log4j-user mailing list archives

From "arjun Sirupa (asirupa)" <asir...@cisco.com>
Subject suppress beanutils logging for certain fields
Date Sat, 04 Apr 2015 04:58:40 GMT

Hello,

In our application, we are using log4j 1.2.17. We use Struts, which internally uses BeanUtils
for the Login bean. If the log level is set to DEBUG for the "org.apache.commons.beanutils" category
in log4j.xml, it prints the password in clear text.

In the example below, the user's username is "admin" and the password is "password".

DEBUG  [admin-http-pool1][] org.apache.commons.beanutils.ConvertUtils -::25E5ED4A07F594C9CBDC2C7915D657D2:::- Convert string 'admin' to class 'java.lang.String'

DEBUG  [admin-http-pool1][] org.apache.commons.beanutils.ConvertUtils -::25E5ED4A07F594C9CBDC2C7915D657D2:::- Convert string 'password' to class 'java.lang.String'

The security team at our company reported this as a security vulnerability and wants us to
fix it immediately. Any ideas on how to suppress logging for particular fields? Or is there
any other alternative?

Please share your input.

Thanks,
Arjun.
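One way to stop the value leak at the appender, as an added example that is not part of the original message or of log4j/BeanUtils themselves: a log4j 1.2 Filter that denies the "Convert string '...' to class ..." DEBUG events from the org.apache.commons.beanutils loggers before any appender writes them. The log lines quoted above carry only the converted value, never the property name, so a filter cannot single out the password field; it has to drop that whole message shape. The package name example and the class name BeanUtilsValueFilter are assumptions; the sample LoggingEvents in main() are constructed for the demonstration. The log4j.xml snippet in the class comment shows where the filter is attached. The simplest alternative remains leaving that category at INFO or above.

```java
package example; // hypothetical package, chosen for this example

import java.util.regex.Pattern;

import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.apache.log4j.spi.Filter;
import org.apache.log4j.spi.LoggingEvent;

/**
 * Denies BeanUtils ConvertUtils DEBUG events that echo a submitted value.
 * Attach it to every appender in log4j.xml, e.g.:
 *
 *   <appender name="FILE" class="org.apache.log4j.RollingFileAppender">
 *       ...
 *       <filter class="example.BeanUtilsValueFilter"/>
 *   </appender>
 *
 * Everything else (other loggers, other BeanUtils messages, INFO and above)
 * passes through as NEUTRAL so the remaining filter chain still applies.
 */
public class BeanUtilsValueFilter extends Filter {

    /** Logger name prefix used by the BeanUtils classes. */
    private static final String BEANUTILS_PREFIX = "org.apache.commons.beanutils";

    /** Shape of the message that carries the raw form value. */
    private static final Pattern VALUE_ECHO =
            Pattern.compile("^Convert string ['\u2018].* to class ");

    @Override
    public int decide(LoggingEvent event) {
        String loggerName = event.getLoggerName();
        if (loggerName == null || !loggerName.startsWith(BEANUTILS_PREFIX)) {
            return NEUTRAL; // not a BeanUtils logger: leave the decision to others
        }
        if (event.getLevel().isGreaterOrEqual(Level.INFO)) {
            return NEUTRAL; // BeanUtils only echoes values at DEBUG/TRACE
        }
        String message = event.getRenderedMessage();
        if (message != null && VALUE_ECHO.matcher(message).find()) {
            return DENY; // the value echo: never let it reach the appender
        }
        return NEUTRAL;
    }

    /** Small self-check with constructed events (not real application traffic). */
    public static void main(String[] args) {
        Filter filter = new BeanUtilsValueFilter();
        Logger convertUtils = Logger.getLogger("org.apache.commons.beanutils.ConvertUtils");
        Logger appLogger = Logger.getLogger("com.example.LoginAction");

        LoggingEvent valueEcho = new LoggingEvent(Logger.class.getName(), convertUtils,
                Level.DEBUG, "Convert string 'password' to class 'java.lang.String'", null);
        LoggingEvent otherBeanUtils = new LoggingEvent(Logger.class.getName(), convertUtils,
                Level.DEBUG, "Registering converters", null);
        LoggingEvent appEvent = new LoggingEvent(Logger.class.getName(), appLogger,
                Level.DEBUG, "Convert string 'x' to class 'y'", null);

        System.out.println("value echo denied:      " + (filter.decide(valueEcho) == Filter.DENY));
        System.out.println("other BeanUtils passes: " + (filter.decide(otherBeanUtils) == Filter.NEUTRAL));
        System.out.println("app logger untouched:   " + (filter.decide(appEvent) == Filter.NEUTRAL));
    }
}
```

The filter is scoped by logger name and level so a message of the same shape from application code is not affected, and it has to be attached to every appender that could receive the event, since log4j 1.2 filters are per appender rather than global.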

