Mark Struberg commented on DELTASPIKE-382:

Parsing ALL log output in production is IMO not a good idea. This is way too 
expensive and could seriously blast performance in many situations. For Jenkins 
it doesn't harm anyone, but in a production environment this is a no-go from a 
performance POV.

ad #1: it's not a single DS method, it really affects the whole configuration 
ad #3: don't see it as a pure password issue, the solution with the SPI is much 
more flexible. As outlined above you could e.g. also use it for a decryption 
ad #4: yes, I'll hack it and maintain it.

> mask out passwords and other credentials in our Configuration logs
> ------------------------------------------------------------------
>                 Key: DELTASPIKE-382
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-382
>             Project: DeltaSpike
>          Issue Type: New Feature
>          Components: Configuration
>    Affects Versions: 0.4
>            Reporter: Mark Struberg
>            Assignee: Mark Struberg
>             Fix For: 0.5
> Our configuration mechanism currently logs all the configured values.
> This makes it hard to use it for passwords and stuff.
> I suggest we introduce some specific prefix property to configure configs 
> which contain sensitive information.
> For the key 'some.random.password' this could look like:
> deltaspike_config.mask.some.random.password=true
> In the log we would in this case just output the information whether and 
> where we did find some value, but not print the details for all configs which 
> start with all of the configured masks.
> I'm not yet sure though how to configure this best. Suggestions appreciated!

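The masking scheme proposed in the quoted issue description, sketched as an added example (not DeltaSpike code and not part of the original thread). Only the `deltaspike_config.mask.` prefix and the key `some.random.password` come from the issue; the class, method names, source names and sample values are hypothetical and constructed for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class MaskedConfigLogDemo {
    // Prefix taken from the issue text; everything else here is hypothetical.
    static final String MASK_PREFIX = "deltaspike_config.mask.";

    /** Collects the key prefixes flagged with deltaspike_config.mask.<key>=true. */
    static List<String> maskedPrefixes(Map<String, Map<String, String>> sources) {
        List<String> masks = new ArrayList<>();
        for (Map<String, String> props : sources.values()) {
            for (Map.Entry<String, String> e : props.entrySet()) {
                String key = e.getKey();
                // Skip a bare "deltaspike_config.mask." entry: an empty prefix would mask every key.
                if (key.length() > MASK_PREFIX.length() && key.startsWith(MASK_PREFIX)
                        && Boolean.parseBoolean(e.getValue())) {
                    masks.add(key.substring(MASK_PREFIX.length()));
                }
            }
        }
        return masks;
    }

    /** Builds the log line: the source is always reported, the value only when unmasked. */
    static String describe(String key, Map<String, Map<String, String>> sources, List<String> masks) {
        for (Map.Entry<String, Map<String, String>> source : sources.entrySet()) {
            String value = source.getValue().get(key);
            if (value != null) {
                boolean masked = masks.stream().anyMatch(key::startsWith);
                return key + " found in " + source.getKey() + ", value: " + (masked ? "<masked>" : value);
            }
        }
        return key + " not found in any source";
    }

    public static void main(String[] args) {
        // Constructed sample sources, listed in lookup order.
        Map<String, Map<String, String>> sources = new LinkedHashMap<>();
        sources.put("system-properties", Map.of("some.random.password", "s3cr3t-example"));
        sources.put("app.properties", Map.of(
                "deltaspike_config.mask.some.random.password", "true",
                "db.url", "jdbc:h2:mem:demo"));
        List<String> masks = maskedPrefixes(sources);
        for (String key : List.of("some.random.password", "db.url", "missing.key")) {
            System.out.println(describe(key, sources, masks));
        }
    }
}
```

Because the decision is made at the point where the value is resolved, no log output has to be parsed afterwards, and a mask declared in one source also covers a value that comes from another.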