[jira] [Commented] (DELTASPIKE-382) mask out passwords and other credentials

Fri, 14 Jun 2013 08:34:28 -0700 

    [ 
https://issues.apache.org/jira/browse/DELTASPIKE-382?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13683445#comment-13683445
 ] 

Christian Kaltepoth commented on DELTASPIKE-382:
------------------------------------------------

I think we should support some way of preventing passwords to be logged. Of 
cause it would be great if everyone uses encryption, but that's not realistic. 
And even if you use encryption, you have to take special care to keep the key 
secret, which is difficult without something like a HSM. If the key isn't safe 
(like compiled into the source), even encrypted passwords are very insecure.

I like the idea of an SPI for that. 

Just one thought: What about an SPI that tells which config properties 
shouldn't be logged at all (instead of just masking them). This could be useful 
even in other situations. For example if people have MANY config entries and 
only want to log a subset of them.
                
> mask out passwords and other credentials
> ----------------------------------------
>
>                 Key: DELTASPIKE-382
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-382
>             Project: DeltaSpike
>          Issue Type: New Feature
>          Components: Configuration
>    Affects Versions: 0.4
>            Reporter: Mark Struberg
>            Assignee: Mark Struberg
>             Fix For: 0.5
>
>
> Our configuration mechanism currently logs all the configured values.
> This makes it hard to use it for passwords and stuff.
> I suggest we introduce some specific prefix property to configure configs 
> which contain sensitive information.
> For the key 'some.random.password' this could look like:
> deltaspike_config.mask.some.random.password=true
> In the log we would in this case just output the information whether and 
> where we did find some value, but not print the details for all configs which 
> start with all of the configured masks.
> I'm not yet sure though how to configure this best. Suggestions appreciated!

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to