Posted to users@cocoon.apache.org by Timothy Larson <Td...@ci.canton.oh.us> on 2002/09/20 17:43:48 UTC

Re: how to prevent logging passwords in request and sessionparams?

Thank you both.
I now have the logs rotating, and think I understand
the log categories, but there is still one problem.

It would be helpful if the request parameters and session attributes
were logged, but with certain ones not showing their values.

For example:
  SESSION ATTRIBUTES:
    PARAM: 'username' VALUE: 'tdlarson'
    PARAM: 'password' VALUE: '*****'

Ideally, I would want to be able to specify which sensitive parameters
and attributes to hide the values of, possibly using wildcards.
Any ideas how to do this?

Tim

>>> vadim.gritsenko@verizon.net 09/20/02 09:50AM >>>
Barbara Post wrote:

>second question : yes : see rotation tag in WEB-INF/logkit.xconf.
>

First question: use log categories. Change log level for category where 
username/pwd are logged. If this is a sitemap component, you can even 
assign it separate log category.

Vadim


>Babs
>----- Original Message ----- 
>From: "Timothy Larson" <Td...@ci.canton.oh.us>
>To: <co...@xml.apache.org>
>Sent: Thursday, September 19, 2002 6:17 PM
>Subject: how to prevent logging passwords in request and sessionparams?
>
>
>How do you prevent logging of passwords held in request parameters
>and session attributes?  I do not want to turn off logging completely.
>
>By the way, is there any sort of automated log rotation for cocoon
>to prevent the logs getting too big?
>
>Tim
>  
>



---------------------------------------------------------------------
Please check that your question  has not already been answered in the
FAQ before posting.     <http://xml.apache.org/cocoon/faq/index.html>

To unsubscribe, e-mail:     <co...@xml.apache.org>
For additional commands, e-mail:   <co...@xml.apache.org>


Re: how to prevent logging passwords in request and sessionparams?

Posted by Marcus Crafter <cr...@fztig938.bank.dresdner.net>.
Hi Timothy,

On Fri, Sep 20, 2002 at 11:43:48AM -0400, Timothy Larson wrote:
> It would be helpful if the request parameters and session attributes
> were logged, but with certain ones not showing their values.
> 
> For example:
>   SESSION ATTRIBUTES:
>     PARAM: 'username' VALUE: 'tdlarson'
>     PARAM: 'password' VALUE: '*****'
> 
> Ideally, I would want to be able to specify which sensitive parameters
> and attributes to hide the values of, possibly using wildcards.
> Any ideas how to do this?

	To do this you probably need to write your own logkit filter to
	check the LogEvent for these strings and modify them if needed:
	http://jakarta.apache.org/avalon/logkit/api/org/apache/log/filter/package-summary.html
		
	Cheers,
	
	Marcus

-- 
        .....
     ,,$$$$$$$$$,      Marcus Crafter
    ;$'      '$$$$:    Computer Systems Engineer
    $:         $$$$:   ManageSoft GmbH
     $       o_)$$$:   82-84 Mainzer Landstrasse
     ;$,    _/\ &&:'   60327 Frankfurt Germany
       '     /( &&&
           \_&&&&'
          &&&&.
    &&&&&&&:
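
The masking step that such a filter could apply to each message text, as an added example that is not code from this thread or from LogKit. The class name `ParamMasker`, the wildcard list and the sample lines are constructed, and it assumes each entry sits on its own line in the `PARAM: '...' VALUE: '...'` format quoted above; wiring it into a LogKit filter is not shown.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/** Hypothetical helper: hides values of sensitive parameter/attribute names. */
public class ParamMasker {
    // Group 1 = everything up to the opening quote of the value, group 2 = name.
    // The value is matched to end of line, so a value containing a quote
    // character cannot leave part of the secret unmasked.
    private static final Pattern ENTRY =
        Pattern.compile("(PARAM: '([^']*)' VALUE: ').*$", Pattern.MULTILINE);
    private final List<Pattern> sensitive;

    /** @param globs names to hide; '*' matches any run of characters. */
    public ParamMasker(List<String> globs) {
        this.sensitive = globs.stream()
            .map(ParamMasker::globToPattern).collect(Collectors.toList());
    }

    // Quote every literal piece and join the pieces with ".*" for each '*'.
    private static Pattern globToPattern(String glob) {
        String re = Arrays.stream(glob.split("\\*", -1))
            .map(Pattern::quote).collect(Collectors.joining(".*"));
        return Pattern.compile(re, Pattern.CASE_INSENSITIVE);
    }

    public String mask(String message) {
        Matcher m = ENTRY.matcher(message);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String name = m.group(2);
            boolean hide = sensitive.stream().anyMatch(p -> p.matcher(name).matches());
            String line = hide ? m.group(1) + "*****'" : m.group();
            m.appendReplacement(out, Matcher.quoteReplacement(line));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        ParamMasker masker = new ParamMasker(Arrays.asList("passw*", "*token*"));
        String sample = String.join("\n",          // constructed sample log text
            "SESSION ATTRIBUTES:",
            "  PARAM: 'username' VALUE: 'tdlarson'",
            "  PARAM: 'password' VALUE: 'it's-a-secret'",
            "  PARAM: 'authToken' VALUE: 'abc123'");
        System.out.println(masker.mask(sample));
    }
}
```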
