What you describe is going a bit in opposite directions: enable trace logging to show everything and then have a policy to not show it.

If that situation is unavoidable somehow, I would do it right the first time and encrypt the soap body. My next choice would be to solve this at the logging level by using a custom logger that blacklists some sensitive data; however, the general consensus is that white listing is less error prone. The axis2 code uses commons logging, which means you can use just about anything for a custom logger.

Hope that helps,
Robert

On Fri, Jun 21, 2019 at 2:06 AM pavan landge <pavanlandge...@gmail.com> wrote:
> Hi Robert,
>
> But the question is, suppose someone did the log checking with trace/debug level intentionally. Then do we have any preventive measure to avoid it?
>
> Or is it the issue with the third-party Axis2 jar which is displaying the password?
>
> Best regards,
> Pavan landge
>
> On Wed 19 Jun, 2019, 8:49 PM robertlazarski ., <robertlazar...@gmail.com> wrote:
>
>> On Tue, Jun 18, 2019 at 9:28 PM pavan landge <pavanlandge...@gmail.com> wrote:
>>
>>> ---------- Forwarded message ---------
>>> From: pavan landge <pavanlandge...@gmail.com>
>>> Date: Thu 13 Jun, 2019, 3:30 PM
>>> Subject: Axis2: Security Bug Severity 1
>>> To: <java-user-subscr...@axis.apache.org>
>>> Cc: pavan landge <pavanlandge...@gmail.com>
>>>
>>> Hi Team,
>>>
>>> I am using the Axis2 jar for SOAP (Request/Response). In log4j (Logger) I am enabling the logs to check whether the parameters passed with the soap envelope are correct or not.
>>> I can see in the soap envelope the *PASSWORD* is getting displayed.
>>
>> From an Axis2 security perspective, the WEB-INF/classes/log4j.properties that is shipped defaults to INFO level; you won't see this unless you purposely change the level and also are not encrypting your own sensitive user data.
>>
>> We suggest not doing that. We can't prevent bad practices, though, should you choose to do so.
>>
>> If you really need to send the passwords etc. unencrypted, you can always use RAMPART to encrypt the payload body and use a digital signature to verify the integrity.
>>
>> Regards,
>> Robert
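As an added illustration of the blacklist-versus-whitelist point Robert makes (example code written for this page, not from the thread, Axis2 or Rampart), a Python sketch that runs both redaction strategies over a constructed SOAP envelope carrying a WS-Security UsernameToken; the sample values, the `<pin>` element and the allow list are assumptions:

```python
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
ET.register_namespace("soapenv", SOAPENV)
ET.register_namespace("wsse", WSSE)

# Constructed sample (not real traffic): a UsernameToken in the header
# plus an application-level secret (<pin>) that nobody put on a deny list.
SAMPLE_ENVELOPE = f"""<soapenv:Envelope xmlns:soapenv="{SOAPENV}" xmlns:wsse="{WSSE}">
  <soapenv:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Password>hunter2</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <getAccount><accountId>42</accountId><pin>9876</pin></getAccount>
  </soapenv:Body>
</soapenv:Envelope>"""

MASK = "***"

def local_name(tag):
    # ElementTree tags are "{namespace}Name"; compare on "Name" only.
    return tag.rsplit("}", 1)[-1]

def redact_blacklist(xml_text, denied=("Password",)):
    """Deny-list: mask only element names known to be sensitive.
    Anything nobody thought to list (here <pin>) is still logged in clear."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.text and el.text.strip() and local_name(el.tag) in denied:
            el.text = MASK
    return ET.tostring(root, encoding="unicode")

def redact_whitelist(xml_text, allowed=("Username", "accountId")):
    """Allow-list: mask every element with text unless its name is approved
    for logging, so a new or renamed secret is masked by default."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.text and el.text.strip() and local_name(el.tag) not in allowed:
            el.text = MASK
    return ET.tostring(root, encoding="unicode")
```

Running `redact_blacklist(SAMPLE_ENVELOPE)` hides the password but still prints the pin, while `redact_whitelist(SAMPLE_ENVELOPE)` masks both and keeps only the approved fields.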