Posted to dev@tapestry.apache.org by "Howard M. Lewis Ship (JIRA)" <ji...@apache.org> on 2008/10/31 17:43:44 UTC
[jira] Commented: (TAP5-177) Method logging code should recognize
an @Password annotation and obscure the output written to the log
[ https://issues.apache.org/jira/browse/TAP5-177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12644342#action_12644342 ]
Howard M. Lewis Ship commented on TAP5-177:
-------------------------------------------
Maybe @Sensitive?
Also, it should check not just the parameter but the underlying type for the same annotation, so when you define a SocialSecurityNumber class or DecodedPassword class, you can put the annotation on the class and have it take effect universally.
> Method logging code should recognize an @Password annotation and obscure the output written to the log
> ------------------------------------------------------------------------------------------------------
>
> Key: TAP5-177
> URL: https://issues.apache.org/jira/browse/TAP5-177
> Project: Tapestry 5
> Issue Type: Improvement
> Affects Versions: 5.0.15
> Reporter: Howard M. Lewis Ship
> Priority: Minor
>
> Currently, log output may include plaintext passwords (or other secure data). A nice solution might be to mark parameters (or the method itself, i.e., the return value) as @Password (or something similar) to clue in the logging code that the parameter in question should be written out as a series of asterisks or otherwise obscured.
> @Secure is already taken; @SecureData, @NotForPryingEyes, @ObscureInOutput, something similar?
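A sketch of the check discussed in this thread, added here as an illustration; it is not Tapestry's code and not taken from the issue. The `@Sensitive` annotation (the name floated in the comment), `AccountService`, `describeEntry` and `describeExit` are hypothetical, and the argument values are constructed.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;

public class SensitiveLoggingDemo {
    // Hypothetical marker; RUNTIME retention is required for the logger to see it.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.PARAMETER, ElementType.METHOD, ElementType.TYPE})
    @interface Sensitive {}

    @Sensitive // annotating the type covers every parameter that uses it
    static final class SocialSecurityNumber {
        private final String value;
        SocialSecurityNumber(String value) { this.value = value; }
        @Override public String toString() { return value; }
    }

    static class AccountService {
        public boolean login(String user, @Sensitive String password) { return true; }
        public void register(String user, SocialSecurityNumber ssn) {}
        @Sensitive public String resetToken(String user) { return "constructed-token"; }
    }

    // Fixed-width mask, so the log does not reveal the length of the secret.
    static final String MASK = "*****";

    // Marked if the parameter carries the annotation or its declared type does.
    static boolean isSensitive(Annotation[] onParameter, Class<?> declaredType) {
        for (Annotation a : onParameter)
            if (a instanceof Sensitive) return true;
        return declaredType.isAnnotationPresent(Sensitive.class);
    }

    static String describeEntry(Method m, Object... args) {
        Annotation[][] annotations = m.getParameterAnnotations();
        Class<?>[] types = m.getParameterTypes();
        StringBuilder sb = new StringBuilder(m.getName()).append('(');
        for (int i = 0; i < args.length; i++) {
            if (i > 0) sb.append(", ");
            sb.append(isSensitive(annotations[i], types[i]) ? MASK : String.valueOf(args[i]));
        }
        return sb.append(')').toString();
    }

    // An annotation on the method itself marks the return value.
    static String describeExit(Method m, Object result) {
        boolean hide = m.isAnnotationPresent(Sensitive.class)
                || m.getReturnType().isAnnotationPresent(Sensitive.class);
        return m.getName() + " -> " + (hide ? MASK : String.valueOf(result));
    }

    public static void main(String[] unused) throws Exception {
        Class<?> c = AccountService.class;
        System.out.println(describeEntry(c.getMethod("login", String.class, String.class), "alice", "constructed-secret"));
        System.out.println(describeEntry(c.getMethod("register", String.class, SocialSecurityNumber.class), "alice", new SocialSecurityNumber("000-00-0000")));
        System.out.println(describeExit(c.getMethod("resetToken", String.class), "constructed-token"));
    }
}
```

Checking the declared parameter type rather than the runtime class keeps the masking in effect when the argument is `null`; a value passed through an `Object`-typed parameter would need an additional runtime-class check.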