2

I need to mask the password before it gets displayed in the log file.

The format of the password is "password":"pswd123". It's alphanumeric only. After masking, it'd be "password":"*"

In my custom Pattern class, I have the following regular expression, but it's not being picked up. Any idea how it should be? Thanks.

@Override
public String format(LoggingEvent event) {

    String msg = super.format(event);

    // regexp not being picked up
    msg = msg.replace("\"password\":\"[^\"]*", "password:\"***\"");

    return msg;
}
S O
  • 1
    Personally I think you're going about it all wrong. Don't mask it in the logging manager itself. Mask it before it gets into the logging manager. What are you doing with someone's actual password anyway? That's just dangerous! – corsiKa Dec 22 '11 at 16:48
  • Off-topic, but passwords consisting only of digits and letters are quite weak. Is there any particular reason you want to go that way? – Frédéric Hamidi Dec 22 '11 at 16:49
  • I would say, don't print the password at all. Why would you want to mask it? – adarshr Dec 22 '11 at 16:49
  • @FrédéricHamidi I'm sure that password was only an example. You expect someone to post their real passwords on here? – Nick Dec 22 '11 at 16:53

5 Answers

4

String.replace() takes a CharSequence, not a regex. You're probably looking for replaceAll() or replaceFirst().

NPE
0

Use .replaceFirst(); .replace() only replaces substrings.

fge
0
  1. replaceAll is what you're looking for
  2. If you want a full match, you are missing the last \" at the end of the regexp
ptyx
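
The fix the answers above describe, as an added Java example that is not part of the original thread. It shows that replace() leaves the line untouched, then masks with replaceAll() and a pattern that includes the closing quote. Going beyond the alphanumeric case in the question, the pattern also skips backslash-escaped quotes inside the value; the class name, method name and sample log lines are constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PasswordMaskDemo {

    // Group 1 keeps the key and opening quote. The value may contain
    // backslash-escaped characters (assumption: JSON-style escaping).
    // The possessive *+ avoids backtracking; the closing quote is optional
    // so a truncated log line is still masked.
    private static final Pattern PASSWORD_FIELD = Pattern.compile(
            "(\"password\"\\s*:\\s*\")(?:[^\"\\\\]|\\\\.)*+\"?");

    // Fixed-length mask, so the log does not reveal the password length.
    private static final String MASK = "***";

    static String mask(String msg) {
        if (msg == null) {
            return null;
        }
        // quoteReplacement() keeps '$' and '\' in the mask literal.
        return PASSWORD_FIELD.matcher(msg)
                .replaceAll("$1" + Matcher.quoteReplacement(MASK) + "\"");
    }

    public static void main(String[] args) {
        // Constructed sample log lines.
        String simple = "login {\"user\":\"alice\",\"password\":\"pswd123\"}";
        String escaped = "login {\"password\":\"ab\\\"cd\",\"user\":\"bob\"}";

        // String.replace() treats its first argument as literal text,
        // so the regex from the question never matches anything.
        String unchanged = simple.replace("\"password\":\"[^\"]*", "password:\"***\"");
        System.out.println("replace() changed the line: " + !unchanged.equals(simple));

        // replaceAll() with [^"]* stops at the escaped quote and leaves
        // the rest of the value in the log.
        String naive = escaped.replaceAll("\"password\":\"[^\"]*\"",
                "\"password\":\"***\"");
        System.out.println("naive:  " + naive);

        // The escape-aware pattern masks the whole value in both cases.
        System.out.println("masked: " + mask(simple));
        System.out.println("masked: " + mask(escaped));
    }
}
```

In the custom layout from the question, the body of format() would call mask(super.format(event)).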
0

If you want it to just show 3 *, that's easy; if you want it to show 1 * for each character in the password, that's a little harder.

Msg = Regex.Replace(Msg, "\"Password\":\"[^\"]+?\"", "\"Password\":\"***\"")
Nick
0

Are you making use of any logging library like log4j or slf4j? These libraries have features to "replace strings" using regular expressions. You can apply this globally by changing the logging configuration file. You would still need to come up with a regular expression, for which you can use a regular expression builder utility such as http://myregexp.com/ and build a regular expression on your own.

Vineet Bhatia
  • Yes, I'm using log4j and slf4j as the facade. I got the inspiration from this thread: http://stackoverflow.com/questions/2461726/how-to-mask-credit-card-numbers-in-log-files-with-log4j – S O Dec 22 '11 at 17:06
  • Looks like Logback has this feature: http://logback.qos.ch/manual/layouts.html#replace. Trying to find if log4j has this feature built-in. – Vineet Bhatia Dec 22 '11 at 17:11