[jira] [Commented] (DELTASPIKE-382) mask out passwords and other credentials

Sun, 16 Jun 2013 04:21:36 -0700 

    [ 
https://issues.apache.org/jira/browse/DELTASPIKE-382?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13684626#comment-13684626
 ] 

Mark Struberg commented on DELTASPIKE-382:
------------------------------------------

[~gpetracek]
> checking logs before exposing them is imo by no way optional
sorry that's crap. I'm not talking about _externally_ exposing them, but in a 
well setup scenario all Developers have access to the logs. This is one of the 
main parts all the DevOps movement is about: to care about all those logs 
TOGETHER with the operations team. Thus the developers must take care that 
sensitive info doesn't end up in the log at all.

I think the ConfigFilter would provide all this and even more functionality 
like on the fly decryption.

[~johndament]
Kind of, but instead I'd return the filtered Strings 

public interface ConfigFilter {
 String filterValue(String key, String value);
 String filterValueForLog(String key, String value);
}

plus provide a default impl wich does only return value for the first method 
and the logic Romain suggested in the ForLog method.
                
> mask out passwords and other credentials
> ----------------------------------------
>
>                 Key: DELTASPIKE-382
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-382
>             Project: DeltaSpike
>          Issue Type: New Feature
>          Components: Configuration
>    Affects Versions: 0.4
>            Reporter: Mark Struberg
>            Assignee: Mark Struberg
>             Fix For: 0.5
>
>
> Our configuration mechanism currently logs all the configured values.
> This makes it hard to use it for passwords and stuff.
> I suggest we introduce some specific prefix property to configure configs 
> which contain sensitive information.
> For the key 'some.random.password' this could look like:
> deltaspike_config.mask.some.random.password=true
> In the log we would in this case just output the information whether and 
> where we did find some value, but not print the details for all configs which 
> start with all of the configured masks.
> I'm not yet sure though how to configure this best. Suggestions appreciated!

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to