
I'm sending a request using URIBuilder and I want to print the POST request without, or masking, some of the parameters. Code:

        uriBuilder.addParameter("p1", "v1");
        ....
        uriBuilder.addParameter("p10", "v10");
        HttpPost post = new HttpPost(uriBuilder.build());
        httpClient.execute(target, post);

I get a NullPointerException when I try post.getEntity()

Using uriBuilder.getQueryParams() seems like an unintuitive approach

        uriBuilder.getQueryParams().stream().forEach(p->
           logger.debug(p.getName()+"=" +p.getValue()+"&"));

What is the best way to print the request in such a case?

I want to mask some of the parameters (sensitive data)

Ori Marko
  • `POST request, code`? Do you mean response code? If you are just interested in seeing the raw request and response, you might enable HttpClient's logging via `` in your logback.xml (or similar logging configuration) – Roman Vottner Jan 17 '19 at 10:16
  • @RomanVottner I want to mask some of the parameters. Can you provide an answer? – Ori Marko Jan 17 '19 at 10:51
  • I don't see any problem with the QueryParams approach. You don't have an entity because you are not setting one; your request is just a URI with GET parameters. If you want to use the getEntity method, you need to set the query parameters via httpPost.setEntity(new UrlEncodedFormEntity(postParameters, "UTF-8")), see http://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/client/entity/UrlEncodedFormEntity.html, but you will need to do the same with postParameters as you do with uriBuilder. – Andrés Alcarraz Jan 17 '19 at 11:13
  • Also notice that even through HTTPS the query parameters in the URI are visible to any attacker, so it does not make much sense to mask them – Andrés Alcarraz Jan 17 '19 at 11:13
  • Logback allows you to add conversion rules that you can use to mask certain parts in the log. You basically need to create a [custom converter](https://github.com/RovoMe/camel-rest-dsl-with-spring-security/blob/master/src/main/java/at/rovo/awsxray/utils/MaskingConverter.java), [specify that converter](https://github.com/RovoMe/camel-rest-dsl-with-spring-security/blob/master/src/main/resources/logback.xml#L4) in your logback configuration and [use that rule within your log pattern](https://github.com/RovoMe/camel-rest-dsl-with-spring-security/blob/master/src/main/resources/logback.xml#L9) – Roman Vottner Jan 17 '19 at 11:20
  • @AndrésAlcarraz are you sure that query parameters in HTTPS are insecure? [This link](https://stackoverflow.com/questions/2629222/are-querystring-parameters-secure-in-https-http-ssl) states just the opposite – Roman Vottner Jan 17 '19 at 11:26
  • @RomanVottner please see point 1 in this article http://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/ referenced by your link. The URI is stored in HTTP server logs in plain text, so it depends on the server. Of course they could be logged by the server application, but if you have a middleware, Apache for instance, they could be logged in it, regardless of the final server application. So using the URL is somehow less secure. That said, you are right about a man-in-the-middle attack. – Andrés Alcarraz Jan 17 '19 at 11:52
  • @AndrésAlcarraz I never claimed that providing sensitive data via query parameters is a good idea in general, though over the wire query parameters and headers are encrypted, making it really, really hard to read or alter such data at runtime. That a server having read the request (or a local cache on the sender side) therefore presents such values unencrypted is no wonder actually, as they need to process the data. The important thing here is that intermediary nodes do not see such parameters. The insecurity comes, e.g., from copy & pasting URIs containing sensitive data via insecure channels – Roman Vottner Jan 17 '19 at 12:01
  • @AndrésAlcarraz this is a third party, I'm sending the parameters as designed – Ori Marko Jan 20 '19 at 06:58
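
An added example (not code from the question or from any commenter) of the `getQueryParams()` approach discussed above: it renders the request line for logging with selected values masked, drops user-info and fragment from the URI, and neutralises control characters so a parameter value cannot forge extra log lines. It assumes Apache HttpClient 4.x on the classpath and Java 9+; the class name, the `SENSITIVE` set and the sample host and values are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URIBuilder;

public class MaskedRequestLog {
    // Assumption: names of the parameters that carry sensitive data (lower case).
    private static final Set<String> SENSITIVE = Set.of("p2", "p10");

    /** Returns a loggable form of the request line with sensitive values masked. */
    static String describe(String method, URIBuilder builder) throws URISyntaxException {
        URI uri = builder.build();
        // Rebuild the target without user-info, query or fragment.
        URI base = new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(),
                uri.getPath(), null, null);
        String query = builder.getQueryParams().stream()
                .map(MaskedRequestLog::render)
                .collect(Collectors.joining("&"));
        return method + " " + base + (query.isEmpty() ? "" : "?" + query);
    }

    private static String render(NameValuePair p) {
        String name = clean(p.getName());
        if (p.getValue() == null) {
            return name; // parameter that was added without a value
        }
        boolean mask = SENSITIVE.contains(p.getName().toLowerCase(Locale.ROOT));
        return name + "=" + (mask ? "****" : clean(p.getValue()));
    }

    // Replace control characters so a value cannot inject line breaks into the log.
    private static String clean(String s) {
        return s.replaceAll("\\p{Cntrl}", "_");
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample request; host and values are placeholders.
        URIBuilder builder = new URIBuilder("https://api.example.test/v1/submit");
        builder.addParameter("p1", "v1");
        builder.addParameter("p2", "secret-token");
        builder.addParameter("p3", "v3\r\nforged line");
        builder.addParameter("p10", "v10");
        System.out.println(describe("POST", builder));
    }
}
```

The masked string is for the application's own log statement only; HttpClient's wire and header logging, if enabled, still records the full request URI.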

0 Answers