Hi Baron, Ray's suggestion is good.
Another way that might work is to add this logging property on your host:
https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#logging

In your case it would be something like this:

logging.level.org.apereo.cas.web.flow=INFO

Which should be able to disable the Spring warning per host.

Cheers!
- Andy

On Tuesday, 6 July 2021 at 02:02:10 UTC+8 Ray Bon wrote:
> Baron,
>
> The order of the loggers does not matter, just specificity. You might want
> to include additivity so nothing bubbles up to more general loggers.
>
> <AsyncLogger name="specific.reference.to.Class" level="trace"
> additivity="false">
> <AppenderRef ref="sensitiveloggerfile" />
> </AsyncLogger>
>
> You will have to keep an eye on your log output to track sensitive
> details. Perhaps a test user with a distinctive password that could be
> searched with a cron script. Searching the cas code base for 'password' may be
> too general and would not catch printing of collections.
>
> Ray
>
> On Fri, 2021-07-02 at 16:41 -1000, Baron Fujimoto wrote:
> > When our CAS starts up, it warns:
> >
> > WARN [org.springframework.security.config.annotation.web.builders.WebSecurity] - <
> > ********************************************************************
> > ********** Security debugging is enabled. *************
> > ********** This may include sensitive information. *************
> > ********** Do not use in a production system! *************
> > ********************************************************************
> > >
> >
> > And I find log entries such as the following where the password is logged
> > in plaintext:
> >
> > DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Issuing ticket-granting tickets for service [AbstractWebApplicationService(id=https://www.example.com/app, originalUrl=https://www.example.com/app, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={execution=[...], password=[PASSWORD], _eventId=[submit], username=[USERNAME], geolocation=[]})]>
> >
> > I assume this is the result of the following in log4j2.xml?
> >
> > <Property name="cas.log.level">debug</Property>
> > ...
> > <AsyncLogger name="org.apereo.cas.web.flow" level="${sys:cas.log.level}" includeLocation="true"/>
> >
> > For hosts where we do want detailed debug-level logs (but do not want to
> > reveal passwords) can this be mitigated via a cas property to redact the
> > passwords? Or should it be handled via logging conf something like this?
> >
> > <Property name="cas.log.level">debug</Property>
> > <Property name="cas.log.level.sensitive">info</Property>
> > ...
> > <AsyncLogger name="org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver" level="${sys:cas.log.level.sensitive}" includeLocation="true"/>
> > <AsyncLogger name="org.apereo.cas.web.flow" level="${sys:cas.log.level}" includeLocation="true"/>
> >
> > If this is the correct approach, is this sufficient to eliminate the log
> > entries containing plaintext passwords, or are there additional classes(?)
> > we need to worry about as well? Does the order of the AsyncLogger entries
> > matter?
> >
> > --
> > Baron Fujimoto <[email protected]> :: UH Information Technology Services
> > minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
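Ray's suggestion of a test account with a distinctive password searched by a cron script, written out as an added example (not code from this thread or from the CAS project). It scans CAS log lines for the canary value and, independently of the canary, for any unredacted password=[...] attribute in the AbstractWebApplicationService toString() shape Baron quoted, and reports which logger emitted each hit so that logger can get its own AsyncLogger above DEBUG. The canary value, the Finding type, the helper names and the sample log lines are constructed for this example; the hypothetical org.example logger in the sample exists only to show what an already masked value looks like.

```python
"""Cron-style scan of CAS log output for plaintext passwords.

Added example, not code from the CAS project. It implements Ray's
suggestion: a dedicated test account with a distinctive password, plus a
generic check for the password=[...] attribute shape seen in the DEBUG
line Baron quoted (the label-based check alone would miss a password
printed as part of a collection, which is why the canary is kept).
"""
import re
import sys
from typing import Iterable, List, NamedTuple, Optional

# Canary: a long random value used only by the test account.
# Assumption: it never occurs as a substring of legitimate log content.
CANARY_PASSWORD = "canary-8f2c1e7a9d4b-do-not-reuse"

# First bracketed fully-qualified class name on a line, i.e. the logger
# in the "LEVEL [logger] - <message>" layout shown in the thread.
LOGGER_RE = re.compile(r"\[(?P<logger>[A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)+)\]")

# password=[value] as rendered by the attributes map in the service
# toString() quoted in Baron's mail.
PASSWORD_ATTR_RE = re.compile(r"\bpassword=\[(?P<value>[^\]]*)\]")


class Finding(NamedTuple):
    lineno: int
    reason: str            # "canary" or "password-attribute"
    logger: Optional[str]  # logger to raise above DEBUG, if recognisable
    line: str


def is_redacted(value: str) -> bool:
    """Treat an empty value or one made only of '*' as already masked."""
    return value == "" or set(value) <= {"*"}


def logger_of(line: str) -> Optional[str]:
    m = LOGGER_RE.search(line)
    return m.group("logger") if m else None


def scan_lines(lines: Iterable[str], canary: str = CANARY_PASSWORD) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        if canary and canary in line:
            findings.append(Finding(lineno, "canary", logger_of(line), line))
            continue
        # Generic check: catches leaks even while the canary account is idle.
        if any(not is_redacted(m.group("value")) for m in PASSWORD_ATTR_RE.finditer(line)):
            findings.append(Finding(lineno, "password-attribute", logger_of(line), line))
    return findings


def loggers_to_quiet(findings: Iterable[Finding]) -> List[str]:
    """Distinct loggers that leaked; each needs its own AsyncLogger entry."""
    return sorted({f.logger for f in findings if f.logger})


def scan_file(path: str, canary: str = CANARY_PASSWORD) -> List[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh, canary)


# Constructed sample lines: line 2 mimics the DEBUG entry from the thread
# with the canary substituted in, line 3 is a hypothetical already-masked
# entry, line 4 is a real user's password leaked without the canary.
SAMPLE_LOG = """\
2021-07-02 16:41:00,001 INFO [org.apereo.cas.web.CasWebApplication] - <Started application>
2021-07-02 16:41:05,123 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Issuing ticket-granting tickets for service [AbstractWebApplicationService(id=https://www.example.com/app, attributes={execution=[e1s1], password=[canary-8f2c1e7a9d4b-do-not-reuse], _eventId=[submit], username=[canaryuser]})]>
2021-07-02 16:41:06,456 DEBUG [org.example.HypotheticalMaskingLogger] - <attributes={password=[********], username=[alice]}>
2021-07-02 16:41:07,789 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Issuing ticket-granting tickets for service [AbstractWebApplicationService(id=https://www.example.com/app, attributes={execution=[e2s1], password=[hunter2], _eventId=[submit], username=[alice]})]>
"""


if __name__ == "__main__":
    # Cron usage: python3 cas_log_canary.py /var/log/cas/cas.log
    # Non-zero exit when anything leaked, so cron mails the output.
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_lines(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"line {f.lineno}: {f.reason} via {f.logger or '?'}")
    if hits:
        print("raise these loggers above DEBUG:", ", ".join(loggers_to_quiet(hits)))
    sys.exit(1 if hits else 0)
```

Run it from cron against the CAS log after logging in as the canary user on each host where debug logging is enabled. A hit from a logger other than the one already raised to INFO is the signal that another class needs its own AsyncLogger entry (with additivity="false", as Ray notes, so the line does not also reach the general appender); the canary check is what catches the cases the password=[...] pattern cannot, such as a value printed inside a collection or by Spring's security debug output.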
