Posted to log4j-dev@logging.apache.org by Terry Mah <ta...@yahoo.com> on 2010/05/18 16:39:16 UTC

Password obfuscation

Hello,
I do not have any experience in development within log4j, but I am wondering if you could point me in the right direction.  Currently we are using jetty and axis2 for our SOAP server.  

We have a need to NOT log any information if it is a password or account ID.  Since log4j is mostly used for SOAP requests, all passwords and account IDs should follow a basic set of rules.  (i.e. contained within a SOAP envelope, XML, etc).

Is there a feasible solution where I could alter the log4j code such that I don't have to modify any other 3rd party app to achieve my goal?

Thanks for the assistance.

Terry



      

---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
For additional commands, e-mail: log4j-dev-help@logging.apache.org


Re: Password obfuscation

Posted by Terry Mah <ta...@yahoo.com>.
Thanks Heri, I'll look into the Renderer.





RE: Password obfuscation

Posted by Bender Heri <hb...@ergonomics.ch>.
If you have full rights over your logger configuration, you can either write your own Renderer(s) which filter out the sensitive information within one log statement, or you apply a self-written Filter in order to block the log statement entirely if it contains sensitive information.
Heri

> -----Original Message-----
> From: Terry Mah [mailto:tandtmah@yahoo.com]
> Sent: Tuesday, May 18, 2010 9:31 PM
> To: Nikolas Nikou; Log4J Developers List
> Subject: Re: Password obfuscation
> 
> Hello,
> Thanks for your suggestion.  I agree one way to encrypt the fields is on the incoming request.  That
> way if we output the request to log, then fields would already be encrypted.  The issue is that the
> requests are coming from a third party and they have already stated that they do not want to encrypt
> the fields.  We are using SSL so there already is a level of encryption at the transport layer and
> they do not want to have to encrypt individual fields within the request.
> 
> Thanks,
> 
> Terry
> 
> 
> 
> 
> ----- Original Message ----
> From: Nikolas Nikou <ni...@telehorizon.com>
> To: Log4J Developers List <lo...@logging.apache.org>
> Sent: Tue, May 18, 2010 1:18:54 PM
> Subject: Re: Password obfuscation
> 
> Hi Terry,
> I don't know how your system works but here is an idea,
> why don't you encrypt sensitive information over the net?
> Nikolas
> 
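Both approaches Heri describes, sketched for log4j 1.2 as an added example (not code from the thread or from the log4j project). The element names `password` and `accountId` and all class names are assumptions; substitute the names your SOAP schema actually uses.

```java
import java.util.regex.Pattern;
import org.apache.log4j.or.ObjectRenderer;
import org.apache.log4j.spi.Filter;
import org.apache.log4j.spi.LoggingEvent;

/** Added example for log4j 1.2; element and class names are assumed. */
public final class SensitiveSoapLogging {

    // Matches <password>..</password> or <ns:accountId a="b">..</ns:accountId>,
    // with any namespace prefix. Groups: 1 = open tag, 2 = element name,
    // 3 = value, 4 = close tag.
    static final Pattern SENSITIVE = Pattern.compile(
        "(<(?:[\\w.-]+:)?(password|accountId)\\b[^>]*>)(.*?)(</(?:[\\w.-]+:)?\\2\\s*>)",
        Pattern.CASE_INSENSITIVE | Pattern.DOTALL);

    /** Replaces the value of every sensitive element, keeping the tags. */
    static String mask(String text) {
        return SENSITIVE.matcher(text).replaceAll("$1****$4");
    }

    /** Filter approach: drop the whole event if it carries a sensitive element. */
    public static final class DenyFilter extends Filter {
        @Override
        public int decide(LoggingEvent event) {
            String msg = event.getRenderedMessage();
            boolean hit = msg != null && SENSITIVE.matcher(msg).find();
            // NEUTRAL lets any later filter on the appender still decide.
            return hit ? Filter.DENY : Filter.NEUTRAL;
        }
    }

    /** Renderer approach: mask the values but keep the rest of the message. */
    public static final class MaskingRenderer implements ObjectRenderer {
        @Override
        public String doRender(Object o) {
            return mask(String.valueOf(o));
        }
    }
}
```

Attach the filter with `appender.addFilter(new SensitiveSoapLogging.DenyFilter())`. log4j 1.2 consults renderers only for non-String message objects, so the renderer has no effect on messages that are logged as plain strings, and neither class inspects an attached exception's stack trace.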


Re: Password obfuscation

Posted by Terry Mah <ta...@yahoo.com>.
Hello,
Thanks for your suggestion.  I agree one way to encrypt the fields is on the incoming request.  That way if we output the request to log, then fields would already be encrypted.  The issue is that the requests are coming from a third party and they have already stated that they do not want to encrypt the fields.  We are using SSL so there already is a level of encryption at the transport layer and they do not want to have to encrypt individual fields within the request.

Thanks,

Terry




----- Original Message ----
From: Nikolas Nikou <ni...@telehorizon.com>
To: Log4J Developers List <lo...@logging.apache.org>
Sent: Tue, May 18, 2010 1:18:54 PM
Subject: Re: Password obfuscation

Hi Terry,
I don't know how your system works but here is an idea,
why don't you encrypt sensitive information over the net?
Nikolas
