3

I have a Tomcat app on AWS Elastic Beanstalk. As advised here, I am using the Environment Properties to set the JDBC connection to the database; this parameter includes the user and password for the database. The thing is, the Tomcat logger is logging all parameters on its startup. It looks something like this:

```
INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -DJDBC_CONNECTION_STRING=jdbc:mysql:///localhost:3306/mydatabase?user=me&password=mypassword
```

I don't want this sensitive data to be in the instance logs. How can I tell Tomcat not to log the command line arguments? (Or any other secure solution for the problem.)

Update: So it seems like removing the line from Tomcat's server.xml does the trick on my local Tomcat (thanks cyril).

But how do I set this up on Elastic Beanstalk? I tried to create a script in the .ebextensions folder with a variation on this, but it did not work for me; the arguments are still logged. But I am not sure; I am using Windows and am not very familiar with Linux scripting. Maybe someone can help me create that script correctly? How can I check if the script ran on the Elastic Beanstalk instance and if the server.xml changed?

Meltzer
  • 2
    That is not a secure way to pass credentials to your app. Regardless of the log file, anybody that is allowed to run `ps aux` on the machine can see them. – f1sh May 17 '17 at 11:59
  • @f1sh So why is that the recommended way by AWS? What is your suggestion? – Meltzer May 17 '17 at 12:19
  • 1
    I have no idea regarding AWS. The safe way is to store credentials in a config file and then let the application read the file. – f1sh May 17 '17 at 12:26
  • Can't anyone read the file just as well as running `ps aux`? – Meltzer May 17 '17 at 13:28
  • Not if you maintain the proper permission set (usually 600) and user/group assignment of the file – Meny Issakov Sep 16 '17 at 19:43
  • Have you looked into [this](https://stackoverflow.com/questions/11211007/how-do-you-pass-custom-environment-variable-on-amazon-elastic-beanstalk-aws-ebs) answer? – Meny Issakov Sep 16 '17 at 19:48
  • @MenyIssakov yes, this is already the way I use it. – Meltzer Oct 01 '17 at 10:18
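
One way to script the change from the question's update and check that it took effect, as an added example that is not part of the original thread: it removes the `VersionLoggerListener` element (the class named in the log line above) from a `server.xml` whose path you pass in, and counts logged arguments that carry a password. The function names are hypothetical, the `server.xml` location on the instance is not given on the page, and the listener is assumed to be declared on a single line.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the listener is declared on one
# line, as in the stock server.xml; the path argument is yours to supply.
LISTENER='org.apache.catalina.startup.VersionLoggerListener'

# 0 if server.xml ($1) still declares the listener.
version_logger_present() {
    grep -qF "className=\"$LISTENER\"" "$1"
}

# Remove the listener line from server.xml ($1). Keeps a one-time backup,
# is safe to run repeatedly, and returns 0 only if the listener is gone.
strip_version_logger() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    if version_logger_present "$conf"; then
        [ -f "$conf.orig" ] || cp -p "$conf" "$conf.orig"
        tmp=$(mktemp) || return 2
        sed "/className=\"$LISTENER\"/d" "$conf" > "$tmp" || return 2
        cat "$tmp" > "$conf"    # overwrite in place: keeps owner and mode
        rm -f "$tmp"
    fi
    ! version_logger_present "$conf"
}

# Print how many logged command line arguments in log file ($1) carry a password.
count_leaked_args() {
    grep -F 'VersionLoggerListener.log Command line argument:' "$1" |
        grep -ci 'password=' || true
}

# Constructed sample files, to exercise the functions offline.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '<Server port="8005" shutdown="SHUTDOWN">' \
        "  <Listener className=\"$LISTENER\" />" \
        '  <Listener className="org.apache.catalina.core.AprLifecycleListener" />' \
        '</Server>' > "$d/server.xml"
    printf '%s\n' \
        "INFO [main] $LISTENER.log Command line argument: -DJDBC_CONNECTION_STRING=jdbc:mysql:///localhost:3306/mydatabase?user=me&password=mypassword" \
        "INFO [main] $LISTENER.log Command line argument: -Xmx256m" > "$d/catalina.log"
    strip_version_logger "$d/server.xml" && count_leaked_args "$d/catalina.log"
    rc=$?; rm -rf "$d"; return $rc
}

if [ "$#" -gt 0 ]; then strip_version_logger "$1"; fi
```

Removing the listener only stops the log line; as f1sh's comment notes, the arguments remain visible to anyone who can run `ps aux` on the machine.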

1 Answer

0

Another option that comes to mind is to run Elastic Beanstalk with Java configuration and use a Spring Boot application (or other embedded Tomcat deployment), instead of using the Tomcat configuration and a war. This gives you full control of your app bootstrap.

Yoav Aharoni