3

I need several fields in the log file to be masked, like the credit card info or password. Do we have any direct way to do it? Or is there any piece of code we have to write for the log fields to mask the credit card info so that it appears masked in the log file? Example: CreditcardNo:411111111111 should appear in the log file as *********1111, and password Password123 should appear in the log as ***********

I am using log4j to write the information to the log.

Shrikanth Hathwar
  • Please show some code of how you log those strings. The easiest way would just be to remove that information from the logging in the first place (and also probably exclude them from any toString method). – dunni May 06 '16 at 12:51
  • We are not logging these data. These data can come as a parameter to the End point which will be logged by the Log4J logger. – Shrikanth Hathwar May 06 '16 at 13:10
  • see http://stackoverflow.com/questions/2461726/how-to-mask-credit-card-numbers-in-log-files-with-log4j – Haim Raman May 08 '16 at 04:22

2 Answers

5

You can mask sensitive data logged by Spring Boot by switching from log4j to Logback and configuring the logging pattern.

  1. Use Logback. It's the default logging option of Spring Boot.

  2. Define logging.pattern.file in your application.properties, using a conversion word to replace each password occurrence with a mask:

  • e.g. logging.pattern.file=%d %replace(%m){"password='.*'", "password='xxx'"}
  • for the default Spring Boot logback file pattern it would be: logging.pattern.file=%d{yyyy-MM-dd HH:mm:ss.SSS} ${LOG_LEVEL_PATTERN:-%5p} ${PID:- } --- [%t] %-40.40logger{39} : %replace(%m){"password='.*'", "password='xxx'"}%n${LOG_EXCEPTION_CONVERSION_WORD:%wEx}
Marcin Stepien
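The same regex-replacement idea as the %replace conversion word, written out as a standalone Java method so the patterns can be tried outside a logging pattern. This is an added example, not code from either answer; the field names CreditcardNo and password, the key:value / key=value / key='value' layouts, and the 12 to 19 digit card length are assumptions, and String.repeat needs Java 11 or later.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LogMasker {
    // Assumed field names and layouts; adjust both patterns to your own log format.
    // Card: key, then 8-15 digits to hide, then the last 4 digits to keep.
    private static final Pattern CARD =
        Pattern.compile("(?i)(creditcardno\\s*[:=]\\s*['\"]?)(\\d{8,15})(\\d{4})\\b");
    // Password: bounded value that stops at whitespace, quote, comma or '&',
    // so the match cannot run on into the rest of the line.
    private static final Pattern PASSWORD =
        Pattern.compile("(?i)(password\\s*[:=]\\s*['\"]?)([^\\s'\",&]+)");

    public static String mask(String message) {
        // Keep the key and the last four digits, star out the leading digits.
        Matcher m = CARD.matcher(message);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String stars = "*".repeat(m.group(2).length());
            m.appendReplacement(sb, Matcher.quoteReplacement(m.group(1) + stars + m.group(3)));
        }
        m.appendTail(sb);
        // Fixed-width mask so the log does not reveal the password length.
        return PASSWORD.matcher(sb.toString()).replaceAll("$1********");
    }

    public static void main(String[] args) {
        // Constructed sample lines, not taken from a real system.
        String[] samples = {
            "payment request CreditcardNo:4111111111111111 amount=10",
            "login user=alice password='Password123' ip=10.0.0.5",
            "password=abc&CreditcardNo=411111111111"
        };
        for (String s : samples) {
            System.out.println(mask(s));
        }
    }
}
```

The two patterns can also be used as the regex arguments of %replace; the Java method is only a convenient way to test them against sample messages first.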
0

For SOAP WebServices using spring-ws I used the lib:

<groupId>com.github.spartatech</groupId>
<artifactId>spring-ws-utils</artifactId>

To use this you should configure an interceptor that will mask the fields. The masking is done using XSLT. The way it works is as follows (this example uses Spring XML configuration, but you can configure it using Java-based configuration as well):

Configure a spring-ws interceptor:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sws="http://www.springframework.org/schema/web-services" 
       xsi:schemaLocation="
                http://www.springframework.org/schema/web-services  http://www.springframework.org/schema/web-services/web-services-2.0.xsd">
...

<sws:interceptors>
    <bean class="org.sparta.springwsutils.PayloadTransformedLoggingInterceptor">
        <property name="xslt" value="classpath:xslt/maskInput.xslt"/>
    </bean>
</sws:interceptors>

Then create the file: src/main/resources/xslt/maskInput.xslt. This file will contain all XML transformations to mask your fields:

Example:

<xsl:stylesheet
     xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
     xmlns:typ="http://your/schema_name"
     version="1.0">

<!-- copy the whole document, attributes included -->
<xsl:template match="@*|node()">
    <xsl:copy>
        <xsl:apply-templates select="@*|node()"/>
    </xsl:copy>
</xsl:template>

<!-- mask creditCard -->
<xsl:template match="typ:creditCard">
    <xsl:copy>
        <!-- Mask beginning of the field, keep the last four characters -->
        <xsl:value-of select="substring('*****************************************', 1, string-length(.)-4)"/>
        <xsl:value-of select="substring(.,string-length(.)-3,string-length(.)+1)" />
    </xsl:copy>
</xsl:template>

</xsl:stylesheet>

Then in your log configuration file make sure you disable MessageTracing log and enable PayloadTransformedLoggingInterceptor logging. Example for logback:

    <logger name="org.springframework.ws.client.MessageTracing" level="ERROR"/>
    <logger name="org.sparta.springwsutils.PayloadTransformedLoggingInterceptor" level="INFO" />
Daniel Diehl