I can’t think of any way to do this in log4j 1.x. You could make a custom copy of commons beanutils and remove the log statement that is causing the problem. You could also open a Jira issue against commons beanutils and ask that this be fixed.
Ralph

> On Apr 3, 2015, at 9:58 PM, arjun Sirupa (asirupa) <[email protected]> wrote:
>
> Hello,
>
> In our application, we are using log4j 1.2.17. We use Struts which internally
> uses beanutils for Login bean. If log level is set to DEBUG for
> "org.apache.commons.beanutils" category in log4j.xml, it prints password in
> clear text.
>
> In the example below, user's username is "admin" and password is "password".
>
> DEBUG [admin-http-pool1][] org.apache.commons.beanutils.ConvertUtils
> -::25E5ED4A07F594C9CBDC2C7915D657D2:::- Convert string 'admin' to class
> 'java.lang.String'
>
> DEBUG [admin-http-pool1][] org.apache.commons.beanutils.ConvertUtils
> -::25E5ED4A07F594C9CBDC2C7915D657D2:::- Convert string 'password' to class
> 'java.lang.String'
>
> The security team at our company reported this as a security vulnerability
> and want us to fix immediately. Any ideas on how to suppress logging for
> particular fields? Or is there any other alternative?
>
> Please share your input.
>
> Thanks,
> Arjun.
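As an added example (not code from the thread, from log4j or from commons beanutils), the following Python scans log output in the layout Arjun quoted, flags DEBUG events from the beanutils loggers, and redacts the value that ConvertUtils echoes, so that logs already written while that category was at DEBUG can be retained or handed to a security team without the clear-text field. The line regex, the placeholder text and the sample lines are assumptions built from the two quoted lines; the real fix remains keeping that category above DEBUG.

```python
import re

# Constructed sample lines in the layout quoted in the thread; the thread name
# and hex token are copied from the quoted lines, the values are illustrative.
SAMPLE_LOG = """\
DEBUG [admin-http-pool1][] org.apache.commons.beanutils.ConvertUtils -::25E5ED4A07F594C9CBDC2C7915D657D2:::- Convert string 'admin' to class 'java.lang.String'
DEBUG [admin-http-pool1][] org.apache.commons.beanutils.ConvertUtils -::25E5ED4A07F594C9CBDC2C7915D657D2:::- Convert string 'password' to class 'java.lang.String'
INFO  [admin-http-pool1][] com.example.LoginAction - login succeeded for admin
"""

# Assumed layout: level, [thread][ndc], logger name, then the rendered message.
LINE_RE = re.compile(
    r"^(?P<level>[A-Z]+)\s+\[(?P<thread>[^\]]*)\]\[[^\]]*\]\s+(?P<logger>\S+)\s+(?P<msg>.*)$"
)
# The ConvertUtils message that echoes the raw bean property value.
CONVERT_RE = re.compile(r"(Convert string ')(.*)(' to class ')")

def parse_line(line: str):
    """Return the fields of one log4j line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_beanutils_debug(line: str) -> bool:
    """True for DEBUG events from any org.apache.commons.beanutils logger."""
    p = parse_line(line)
    return bool(p and p["level"] == "DEBUG"
                and p["logger"].startswith("org.apache.commons.beanutils"))

def scrub_line(line: str) -> str:
    """Replace the echoed property value with a placeholder; other lines pass through."""
    if not is_beanutils_debug(line):
        return line
    return CONVERT_RE.sub(r"\g<1>[REDACTED]\g<3>", line, count=1)

def scrub_log(text: str):
    """Scrub a whole log; return (scrubbed text, number of lines redacted)."""
    out, redacted = [], 0
    for line in text.splitlines():
        fixed = scrub_line(line)
        redacted += fixed != line
        out.append(fixed)
    return "\n".join(out) + "\n", redacted

if __name__ == "__main__":
    scrubbed, n = scrub_log(SAMPLE_LOG)
    print(f"redacted {n} line(s)")
    print(scrubbed, end="")
```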
