
We use Spring Boot with embedded Tomcat. For certain reasons, we have to use the DEBUG level for Tomcat. However, this makes Tomcat record the user's password in plain text rather than *** or something else. For example:

2018-08-10 12:47:19.224 DEBUG 21128 --- [nio-8080-exec-2] o.a.coyote.http11.Http11InputBuffer      : Received [POST /security/public-rest-api/v1/access-token HTTP/1.1
cache-control: no-cache
Postman-Token: c9d78df1-ff23-46b6-a354-a829dbe440d3
Authorization: Basic Y2xvdWQtZGlzazo=
User-Agent: PostmanRuntime/7.1.1
Accept: */*
Host: localhost:8080
cookie: JSESSIONID=63024FEAB8E01024D0FBFBF89E89AB3C; JSESSIONID=D9BCEC160EAF9655E24E972FEE9C7FE1
accept-encoding: gzip, deflate
content-type: multipart/form-data; boundary=--------------------------923834761753566047828684
content-length: 399
Connection: keep-alive

----------------------------923834761753566047828684
Content-Disposition: form-data; name="grant_type"

password
----------------------------923834761753566047828684
Content-Disposition: form-data; name="username"

user
----------------------------923834761753566047828684
Content-Disposition: form-data; name="password"

password
----------------------------923834761753566047828684--

So my question is: how can I hide the plain-text password?

Many thanks.

Lang
  • Don't use DEBUG. Why on earth would you need debug to log your requests? Why do you need this? What is the purpose? – M. Deinum Aug 10 '18 at 11:39
  • @M. Deinum The system is under testing in the customer's environment, so we must run it at the DEBUG level, which will help us with debugging. Hibernate uses ** to replace the sensitive data; can Tomcat do the same? – Lang Aug 10 '18 at 11:47
  • The only way I can think of to do this would be to implement your own log4j Layout that does pattern matching and then either masks or removes the portions that you don't want output. Something similar to this: https://stackoverflow.com/questions/2461726/how-to-mask-credit-card-numbers-in-log-files-with-log4j – David Wolff Aug 10 '18 at 14:36
  • Hi David, that's a nice try! Thanks! – Lang Aug 10 '18 at 15:06
  • BTW, I was wondering whether my password would be recorded by the log system of some website... – Lang Aug 10 '18 at 15:07
  • It is not feasible to both record full request details *and* protect user privacy. Perhaps you should *disable logging for your authentication requests* instead of trying to figure out how to mask passwords. – Christopher Schultz Aug 10 '18 at 18:25
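The masking approach suggested in the comments, worked through as an added example (this is not code from the question, from Spring Boot or from Tomcat). It assumes the Logback backend that Spring Boot ships by default rather than log4j, and the class name `com.example.MaskingConverter`, the helper `mask()` and the conversion word `maskedMsg` are names chosen here. The converter rewrites the formatted message of every event before the appender writes it, so the raw request dump from `o.a.coyote.http11.Http11InputBuffer` still appears at DEBUG, but with the `Authorization` credential, the `password`/`client_secret` form values and the `JSESSIONID` cookie value replaced by `***`. The `main` method runs the masking over a constructed copy of the request shown in the question so the patterns can be checked without starting the application.

```java
package com.example; // assumed package; adjust to your project

import java.util.regex.Pattern;

import ch.qos.logback.classic.pattern.ClassicConverter;
import ch.qos.logback.classic.spi.ILoggingEvent;

// Hypothetical Logback converter (not part of Spring Boot or Tomcat) that
// masks credentials in log messages before they reach an appender.
public class MaskingConverter extends ClassicConverter {

    private static final String MASK = "***";

    // "Authorization: Basic <token>" / "Authorization: Bearer <token>":
    // keep the scheme, drop the credential. (?m) lets ^ match each header line.
    private static final Pattern AUTH_HEADER = Pattern.compile(
            "(?im)^(Authorization:\\s*(?:Basic|Bearer)\\s+)\\S+");

    // Multipart form field: the value is the line after the blank line that
    // follows the Content-Disposition header, so anchor on the field name.
    private static final Pattern MULTIPART_SECRET = Pattern.compile(
            "(?i)(Content-Disposition: form-data; name=\"(?:password|client_secret)\"\\r?\\n\\r?\\n)[^\\r\\n]*");

    // application/x-www-form-urlencoded bodies and query strings.
    private static final Pattern URLENCODED_SECRET = Pattern.compile(
            "(?i)\\b(password|client_secret)=[^&\\s]*");

    // Session identifiers in Cookie / Set-Cookie headers are credentials too.
    private static final Pattern SESSION_ID = Pattern.compile(
            "(JSESSIONID=)[^;\\s]+");

    // Pure function so the patterns can be exercised without Logback running.
    public static String mask(String message) {
        if (message == null) {
            return null;
        }
        String out = AUTH_HEADER.matcher(message).replaceAll("$1" + MASK);
        out = MULTIPART_SECRET.matcher(out).replaceAll("$1" + MASK);
        out = URLENCODED_SECRET.matcher(out).replaceAll("$1=" + MASK);
        out = SESSION_ID.matcher(out).replaceAll("$1" + MASK);
        return out;
    }

    @Override
    public String convert(ILoggingEvent event) {
        return mask(event.getFormattedMessage());
    }

    // Constructed copy of the request from the question (Tomcat dumps the raw
    // bytes, so the lines are CRLF-separated), used only to demonstrate mask().
    public static void main(String[] args) {
        String boundary = "----------------------------923834761753566047828684";
        String request = String.join("\r\n",
                "Received [POST /security/public-rest-api/v1/access-token HTTP/1.1",
                "Authorization: Basic Y2xvdWQtZGlzazo=",
                "cookie: JSESSIONID=63024FEAB8E01024D0FBFBF89E89AB3C",
                "content-type: multipart/form-data; boundary=" + boundary.substring(2),
                "",
                boundary,
                "Content-Disposition: form-data; name=\"grant_type\"",
                "",
                "password",
                boundary,
                "Content-Disposition: form-data; name=\"username\"",
                "",
                "user",
                boundary,
                "Content-Disposition: form-data; name=\"password\"",
                "",
                "password",
                boundary + "--",
                "]");
        System.out.println(mask(request));
    }
}
```

To wire it in, register the converter in `logback-spring.xml` with `<conversionRule conversionWord="maskedMsg" converterClass="com.example.MaskingConverter"/>` and use `%maskedMsg` where the appender pattern would otherwise use `%m`. Two caveats a practitioner should keep in mind: regex masking only covers the field names and headers it knows about, so a secret sent under another name still lands in the log, and the `grant_type` value `password` is left alone on purpose because it is a literal, not a credential. The more robust alternative, in the spirit of the last comment above, is not to log the raw request at all: setting `logging.level.org.apache.coyote.http11.Http11InputBuffer=INFO` in `application.properties` suppresses that one DEBUG dump while the rest of the application stays at DEBUG.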

0 Answers