Mask password using log component


Mask password using log component

DariusX
I need to mask certain headers (e.g. Authorization header) at the Camel
Context level, so that even if a programmer logs "showAll", the header is
masked.

Reading the Camel docs, I thought I would implement LogListener or
ExchangeFormatter. But, looking at this thread, maybe I should extend the
DefaultMaskingFormatter.

Any thoughts on the pros/cons of the three approaches?

Re: Mask password using log component

Balazs Szeti
I'm not sure how to use those formatters, but we used logback's "replace"
feature to make sure, for example, that no credit card numbers are logged:
<encoder>
    <!-- Example with replacement for secret masking -->
    <pattern>%d{HH:mm:ss.SSS} [%16.16thread] %-5level %-30.30logger{30} \(%X{camel.breadcrumbId}\) - %replace(%m){'(secret:)[^\s]*','$1--'}%n%xEx</pattern>
</encoder>
Depending on the complexity of the masking, the regular expression may get
complicated.

This is a lower-level solution, as it makes sure that sensitive information
is masked even in logs written directly by Java code.

On Thu, Jun 28, 2018 at 9:38 PM Darius Cooper <[hidden email]>
wrote:

> I need to mask certain headers (e.g. Authorization header) at the Camel
> Context level, so that even if a programmer logs "showAll", the header is
> masked.
>
> Reading the Camel docs, I thought I would implement LogListener or
> ExchangeFormatter
> But, looking at this thread, maybe I should extend the
> DefaultMaskingFormatter
>
> Any thoughts in the pros/cons of the three approaches ?
>

Re: Mask password using log component

DariusX
Balazs, thanks for the response. Good point about Camel not being the right
"level".

Camel's DefaultMaskingFormatter uses a set of regexes to look for the
"secret key name" if it is formatted in one of three ways: key-value pair, JSON
name:value, or XML tag.
That's something just as easily put into Logback: either in the pattern as you
have it (or even as a filter, if one has more complex things to do).

I think ExchangeFormatter can be a useful alternative if there are some
well-known header/property values that should never be dumped out.

LogListener can be useful to enhance what Camel logs, since it has access
to the Exchange. But if one does masking there, it will end up being
regex/replacement, and then one might as well do that in Logback.



On Fri, Jun 29, 2018 at 2:44 PM Balazs Szeti <[hidden email]> wrote:

> I'm not sure how to use those formatters, but we used logback's "replace"
> feature to make sure no credit card numbers are logged for example:
> <encoder>
>     <!-- Example with replacement for secret masking -->
>     <pattern>%d{HH:mm:ss.SSS} [%16.16thread] %-5level %-30.30logger{30} \(%X{camel.breadcrumbId}\) - %replace(%m){'(secret:)[^\s]*','$1--'}%n%xEx</pattern>
> </encoder>
> Depending on the complexity of masking the regular expression may get
> complicated.
>
> This is a lower level solution as it makes sure that sensitive information
> is masked even in logs dropped by java code.
>
> On Thu, Jun 28, 2018 at 9:38 PM Darius Cooper <[hidden email]>
> wrote:
>
> > I need to mask certain headers (e.g. Authorization header) at the Camel
> > Context level, so that even if a programmer logs "showAll", the header is
> > masked.
> >
> > Reading the Camel docs, I thought I would implement LogListener or
> > ExchangeFormatter
> > But, looking at this thread, maybe I should extend the
> > DefaultMaskingFormatter
> >
> > Any thoughts in the pros/cons of the three approaches ?
> >
>
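The thread compares two regex-based approaches: Balazs's logback `%replace` pattern and the three value shapes (key-value, JSON name:value, XML tag) that Darius says Camel's DefaultMaskingFormatter recognises. The following is an added example, not code from Camel, logback or either poster, that implements both ideas in Python so the masking can be run over constructed log lines. The key list `SECRET_KEYS`, the mask string `xxxxx` and the sample log lines are assumptions constructed for the example; Camel's real default key list is not reproduced. It also shows the coverage gap in the `(secret:)[^\s]*` pattern: a value containing whitespace (for instance an `Authorization` header of the form `Bearer <token>`) is only partly masked, which is the kind of thing to check before relying on a pattern at the logging layer.

```python
import re

MASK = "xxxxx"

# Constructed list of sensitive key names for this example (assumption; Camel's
# DefaultMaskingFormatter ships its own defaults, which are not reproduced here).
SECRET_KEYS = ("password", "passphrase", "secretKey", "Authorization")
_KEYS = "|".join(re.escape(k) for k in SECRET_KEYS)

# 1. key=value or key: value; the value runs until a delimiter or end of line,
#    so a value containing spaces ("Basic dXNl...") is masked whole.
KEY_VALUE_RE = re.compile(
    r"(?P<pre>\b(?:%s)\b\s*[=:]\s*)[^,;&\r\n]*" % _KEYS, re.IGNORECASE
)
# 2. JSON "key": "value"
JSON_RE = re.compile(
    r'(?P<pre>"(?:%s)"\s*:\s*")[^"]*(?P<post>")' % _KEYS, re.IGNORECASE
)
# 3. XML <key>value</key>; the closing tag must repeat the opening key name
XML_RE = re.compile(
    r"(?P<pre><(?P<key>%s)>)[^<]*(?P<post></(?P=key)>)" % _KEYS, re.IGNORECASE
)


def mask_key_value(text: str) -> str:
    return KEY_VALUE_RE.sub(lambda m: m.group("pre") + MASK, text)


def mask_json(text: str) -> str:
    return JSON_RE.sub(lambda m: m.group("pre") + MASK + m.group("post"), text)


def mask_xml(text: str) -> str:
    return XML_RE.sub(lambda m: m.group("pre") + MASK + m.group("post"), text)


def mask_all(text: str) -> str:
    """Apply all three shapes, as a DefaultMaskingFormatter-style pass would."""
    return mask_xml(mask_json(mask_key_value(text)))


# Python equivalent of the logback pattern %replace(%m){'(secret:)[^\s]*','$1--'}.
# logback writes the back-reference as $1; Python's re.sub uses \1.
LOGBACK_SECRET_RE = re.compile(r"(secret:)[^\s]*")


def logback_replace(message: str) -> str:
    return LOGBACK_SECRET_RE.sub(r"\1--", message)


if __name__ == "__main__":
    # Constructed sample log lines (not real Camel output).
    samples = [
        "Exchange[Headers: {Authorization=Basic dXNlcjpwYXNz, Content-Type=text/plain}]",
        '{"user":"bob","password":"hunter2"}',
        "<login><user>bob</user><password>hunter2</password></login>",
    ]
    for line in samples:
        print(mask_all(line))
    # The %replace pattern stops at whitespace, so only the first token is masked.
    print(logback_replace("secret:Bearer abc.def"))
```

Running the module prints the three masked lines and then `secret:-- abc.def`, which is the partial-masking case: the pattern is correct for the single-token values it was written for (card numbers), and a header whose value contains a space needs a wider value class in the regex, whether that regex lives in the logback pattern or in a Camel formatter.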