I guess it would be much better to have a different log appender to log sensitive data. In that way you get more control. Whether to print the log or not - or even encrypt and print, logic will go into the appender itself...
Thanks & regards,
-Prabath

On Thu, Nov 26, 2015 at 9:53 PM, Jayanga Kaushalya <[email protected]> wrote:

> Hi all,
>
> Currently IS supports limiting the debug logs that are printed according to the sensitive data contained in the log. There is a separate properties file which contains the token type (or the information category) and the printable or non-printable status. In the default state, this file will not be read and all sensitive data will not be printed to the logs. There is a special system property which should be passed to read the file and print logs accordingly.
>
> We are hoping to move this feature to the kernel, as it is an important feature for all of the products which print sensitive information in logs.
>
> Currently in IS, we have a util method which we use to check before printing each sensitive log.
>
> if (log.isDebugEnabled() && IdentityUtil.isLogPrintable("TokenType")) {
>     log.debug("Sensitive data");
> }
>
> However, we are considering the following improvement when moving to the carbon kernel, which is to create a log appender which will read the log.debug with a placeholder.
>
> if (log.isDebugEnabled()) {
>     log.debug("Sensitive data ${TokenType}");
> }
>
> The downside of this approach is that the string will always be created whether the log is printable or not.
>
> What should be the better approach? Or is there any other better approach? Please give your ideas.
>
> Thanks!
>
> *Jayanga Kaushalya*
> Software Engineer
> Mobile: +94777860160
> WSO2 Inc. | http://wso2.com
> lean.enterprise.middleware

--
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
Mobile : +1 650 625 7950
http://blog.facilelogin.com
http://blog.api-security.org
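A sketch of the appender-side approach raised in this thread, added here as an example and not code from WSO2 IS or the Carbon kernel: it uses `java.util.logging` in place of the log4j appender under discussion, and `Sensitive`, `SensitiveFilter` and the `AccessToken`/`UserClaims` token types are hypothetical names. Passing the value as a `Supplier` means the sensitive string is only built when its token type is marked printable, and the default is to mask.

```java
import java.util.Set;
import java.util.function.Supplier;
import java.util.logging.*;
public class SensitiveLogDemo {
    /** Sensitive parameter: token type plus lazily built value (hypothetical helper). */
    static final class Sensitive {
        final String tokenType;
        final Supplier<String> value;
        Sensitive(String tokenType, Supplier<String> value) {
            this.tokenType = tokenType;
            this.value = value;
        }
        // Fail closed if a handler without the filter formats this object.
        @Override public String toString() { return "[REDACTED:" + tokenType + "]"; }
    }

    /** Handler-side policy: resolve or mask Sensitive parameters per token type. */
    static final class SensitiveFilter implements Filter {
        private final Set<String> printable; // token types allowed in logs
        SensitiveFilter(Set<String> printable) { this.printable = printable; }
        @Override public boolean isLoggable(LogRecord record) {
            Object[] params = record.getParameters();
            if (params == null) return true;
            Object[] out = params.clone();
            for (int i = 0; i < out.length; i++) {
                if (out[i] instanceof Sensitive) {
                    Sensitive s = (Sensitive) out[i];
                    // The supplier runs only for explicitly allowed token types.
                    out[i] = printable.contains(s.tokenType) ? s.value.get() : s.toString();
                }
            }
            record.setParameters(out);
            return true;
        }
    }

    public static void main(String[] args) {
        Logger log = Logger.getLogger("demo");
        log.setUseParentHandlers(false);
        log.setLevel(Level.FINE);
        ConsoleHandler handler = new ConsoleHandler();
        handler.setLevel(Level.FINE);
        // Constructed policy: only "UserClaims" is printable; everything else is masked.
        handler.setFilter(new SensitiveFilter(Set.of("UserClaims")));
        log.addHandler(handler);
        log.log(Level.FINE, "Issued token {0}", new Sensitive("AccessToken", () -> "constructed-token"));
        log.log(Level.FINE, "Claims {0}", new Sensitive("UserClaims", () -> "email=user@example.test"));
    }
}
```

Because the filter rewrites the record's parameters, any handler that runs after it sees the resolved values, so every handler that can receive these records should carry the same policy.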
