apache httpclient logs passwords in cleartext when debug logging is turned on

Question

Apache httpclient seems to log passwords in cleartext when debug logging is turned on.

Is there a way to disable this? So that I can see the rest of the debug logging but not the credentials?

HttpClient logs everything passing over the network and through it. It does not know what is a password and what is not. — Lee Meador, Jul 30 '13 at 18:57

score 7 · Accepted Answer · edited May 23 '17 at 11:53

Create a SHA1 hash of the password in memory before you send it on the network.

MessageDigest md = MessageDigest.getInstance("SHA-1");
byte[] sha1hash = new byte[40];
md.update(text.getBytes("UTF-8"), 0, text.length()); // TODO verify the lengths are the same
sha1hash = md.digest();

http://www.mkyong.com/java/java-sha-hashing-example/

If you absolutely need cleartext passwords, you have several choices:

You can disable logging for the headers or set it to a level higher than debug: Disable HttpClient logging
You can dynamically disable the logging right before you send the password and then turn it back on again: Dynamically configuring Apache Http client
You can implement your own Logger handler/formatter or subclass one of the basic ones and search the output for your password and replace it with XXXXXXXXX. Then set the handler to your class: https://hc.apache.org/httpcomponents-client-ga/logging.html

What if the requested page requires the plain password? – Robin Krahl Nov 04 '13 at 23:00 — Robin Krahl, Nov 04 '13 at 23:00

score 0 · Answer 2 · answered Nov 08 '13 at 02:04

0

In log4j.properties set

log4j.logger.httpclient.wire.level=WARN

answered Nov 08 '13 at 02:04

Bizmarck

2,663
2
33
48

What if people want to debug? Should they never do it? – Ganesh Satpute Mar 30 '20 at 04:49

apache httpclient logs passwords in cleartext when debug logging is turned on

2 Answers2