Posted to users@tomcat.apache.org by Yulius <ha...@yahoo.com> on 2007/06/20 12:06:45 UTC

Encrypt Tomcat 4.1 log and log4j.properties log with MD5

Hi,
   
  I currently need to encrypt the log files that have been created by the web server and the web application, so that only those who have the password to decrypt the log files can read them.
   
  Is there a way to solve this issue?
   
  Thanks in advance
  Yulius


Re: Encrypt Tomcat 4.1 log and log4j.properties log with MD5

Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
Ah, just clicked what you're doing, sorry I'm slow today.... I think you're using 
logging as a reporting system in your apps. Interesting, the question becomes 
when does logging become private... personally I think the philosophy is 
wrong, but OK, that's what you're doing.

I would think about serving private data through a servlet, then you can 
read it from your office, stick it behind a password, whatever, but ok.

Well, I think you just need to look up Sun's JCE libs and you want to use a 
symmetrical alg, and convert the output to a string, so it just looks like a 
gobbledygook string to the logging engines... getting it back will require 
some parsing.

That's different.... good luck



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Encrypt Tomcat 4.1 log and log4j.properties log with MD5

Posted by Tim Funk <fu...@joedog.org>.
MD5 is a one-way hash - so "encrypting" your log files with MD5 will 
yield unreadable files.

Tomcat out of the box doesn't have anything like this. You would need to 
do the following: write your own log4j appenders (or whatever they are 
called) which encrypt the data. Since log4j can (IIRC) also capture 
System.out - you could probably use the appender you write.

-Tim

Yulius wrote:
> Hi,
>    
>   I currently need to encrypt the log files that have been created by the web server and the web application, so that only those who have the password to decrypt the log files can read them.
>    
>   Is there a way to solve this issue?



Re: Encrypt Tomcat 4.1 log and log4j.properties log with MD5

Posted by Mladen Turk <ml...@gmail.com>.
Yulius wrote:
> Hi,
>    
>   I currently need to encrypt the log files that have been created by the web server and the web application, so that only those who have the password to decrypt the log files can read them.
>

Huh, why would you need to encrypt those files? Isn't OS access level enough?
I would suggest you run Tomcat under the account T, and give the access to
log files only to the users/groups T, X, Y, Z ...


>   Is there a way to solve this issue?
>

I suppose you could write your own logger (extending log4j)
with on-the-fly encryption, but IMHO this is a complete waste of time.
Furthermore, your readers would need decryption as well, and you would
need to create some sort of a database for username/password/key mappings,
because your security would be jeopardized pretty soon if you share a
common key.

BTW, MD5 is not an encryption algorithm but rather a hashing one.

Regards,
Mladen.



Re: Encrypt Tomcat 4.1 log and log4j.properties log with MD5

Posted by Andrew Miehs <an...@2sheds.de>.
On 20/06/2007, at 12:53 PM, Johnny Kewl wrote:

> Why? No, do it some other way, I think this will get horribly complex.
> On Windows I think near impossible, short of placing a symmetrical  
> alg in the source.
>
> What about normal protection, in essence the server starts up as a  
> user, and only that user has access to the log folder, naturally  
> admin can still get in.
>
> Why do this? Hiding stuff from admin? What is there to hide?

Sounds like someone is storing Credit Card details on their web  
servers ....

This sounds like a public/ private key solution is necessary - where  
only people with the private key can decrypt the files,
but the server can still encrypt them with only the public key...


Cheers

Andrew



> I think turning logging off is possible, when playing with the  
> properties, I've managed to do that by accident a few times.
>
> Think you need to explain more, maybe can find another way.... I  
> don't think this is an option.


Re: Encrypt Tomcat 4.1 log and log4j.properties log with MD5

Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
Why? No, do it some other way, I think this will get horribly complex.
On Windows I think near impossible, short of placing a symmetrical alg in 
the source.

What about normal protection, in essence the server starts up as a user, and 
only that user has access to the log folder, naturally admin can still get 
in.

Why do this? Hiding stuff from admin? What is there to hide?
Ha ha.... you made me have a look at my log files ;) I guess not showing the 
client what's wrong with the server is one way to make money.... ha ha.

I think turning logging off is possible, when playing with the properties, 
I've managed to do that by accident a few times.

Think you need to explain more, maybe can find another way.... I don't think 
this is an option.



RE: Encrypt Tomcat 4.1 log and log4j.properties log with MD5

Posted by Peter Crowther <Pe...@melandra.com>.
> From: Tim Funk [mailto:funkman@joedog.org] 
> If you have an evil admin, there is nothing stopping him from 
> sniffing the network, or starting tomcat with a debugger which can look 
> at the memory or {insert evil action here} ;)

Sure.  Or do the old trick we used to do with Suns - L1-A out of the
kernel, then poke through the data structures in memory with the
built-in ROM debugger (thanks Sun).  Any (non-quantum?) system can be
compromised with enough effort.  The aim is merely to make the hack
sufficiently difficult that most corrupt admins would reckon there are
easier (and/or more profitable) hacks elsewhere.  Or, put another way,
"when outrunning a dragon, you don't have to run faster than the dragon.
You just have to run faster than the dwarf."

		- Peter



Re: Encrypt Tomcat 4.1 log and log4j.properties log with MD5

Posted by Tim Funk <fu...@joedog.org>.
If you have an evil admin, there is nothing stopping him from 
sniffing the network, or starting tomcat with a debugger which can look 
at the memory or {insert evil action here} ;)

-Tim

Peter Crowther wrote:
>> From: Nelson, Tracy M. [mailto:Tracy.Nelson@nelnet.net] 
>> An easier approach might be to write your encrypting logger as a filter
>> and have it take its input from a named pipe.
> 
> I thought about suggesting that, but there's a weak point - there's
> nothing to stop an admin killing the encrypting logger and siphoning the
> unencrypted logs out of the named pipe.  It has to be built into the
> originating process, I think, and a custom appender is probably the
> least awful way.
> 



RE: Encrypt Tomcat 4.1 log and log4j.properties log with MD5

Posted by Peter Crowther <Pe...@melandra.com>.
> From: Nelson, Tracy M. [mailto:Tracy.Nelson@nelnet.net] 
> An easier approach might be to write your encrypting logger as a filter
> and have it take its input from a named pipe.

I thought about suggesting that, but there's a weak point - there's
nothing to stop an admin killing the encrypting logger and siphoning the
unencrypted logs out of the named pipe.  It has to be built into the
originating process, I think, and a custom appender is probably the
least awful way.

		- Peter



RE: Encrypt Tomcat 4.1 log and log4j.properties log with MD5

Posted by "Nelson, Tracy M." <Tr...@nelnet.net>.
| From: Yulius [mailto:han_nomad@yahoo.com]
| Sent: Wednesday, 20 June, 2007 05:07
| 
|   I currently need to encrypt the log files that have been created by
| the web server and the web application, so that only those who have
| the password to decrypt the log files can read them.

Sounds like you need a custom appender.  Write one that takes the log
message and encrypts it and writes it to your file.  N.B. that you'll be
encrypting on a message-by-message basis, so that may affect your choice
of encryption algorithm (i.e., some methods may not work if a user tries
to decrypt an entire file as a single unit).

An easier approach might be to write your encrypting logger as a filter
and have it take its input from a named pipe.  Might be a little more
work keeping things coordinated (your app may block when logging a
message if your logger isn't running), but nothing too hard.
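The two suggestions in the thread that fit together (Andrew Miehs's public/private key idea and Tracy Nelson's message-by-message encrypting appender) can be sketched as follows. This is an added example, not code from any poster or from Tomcat or log4j; the class and method names are hypothetical, the sample log lines are constructed, and it assumes a modern JDK (Java 8 or later) for AES-GCM and `java.util.Base64`. A custom appender would call `encryptLine()` from its append method and write `header` as the first line of each log file.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Hypothetical class: the server holds only the reader's PUBLIC key.
public class EncryptedLogDemo {
    private final SecretKey sessionKey;               // per-process AES key, kept in memory only
    private final SecureRandom rng = new SecureRandom();
    final String header;                              // RSA-wrapped session key, first line of the file
    EncryptedLogDemo(PublicKey readerKey) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        sessionKey = kg.generateKey();
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, readerKey);
        header = Base64.getEncoder().encodeToString(rsa.wrap(sessionKey));
    }
    // One message in, one Base64 line out: 12-byte random nonce || ciphertext || GCM tag.
    String encryptLine(String msg) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        rng.nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, sessionKey, new GCMParameterSpec(128, iv));
        byte[] ct = aes.doFinal(msg.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array());
    }
    // Reader side: needs the private key, which never has to be stored on the web server.
    static String decryptLine(PrivateKey priv, String header, String line) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, priv);
        Key k = rsa.unwrap(Base64.getDecoder().decode(header), "AES", Cipher.SECRET_KEY);
        byte[] raw = Base64.getDecoder().decode(line);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, raw, 0, 12));
        return new String(aes.doFinal(raw, 12, raw.length - 12), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();           // demo only; generate the pair off the server in practice
        EncryptedLogDemo log = new EncryptedLogDemo(kp.getPublic());
        String l1 = log.encryptLine("2007-06-20 12:06:45 INFO  order 1001 accepted");        // constructed sample
        String l2 = log.encryptLine("2007-06-20 12:06:46 WARN  login failed for user demo"); // constructed sample
        // Each line decrypts on its own, in any order, given only the header and the private key.
        System.out.println(decryptLine(kp.getPrivate(), log.header, l2) + "\n" + decryptLine(kp.getPrivate(), log.header, l1));
    }
}
```

The session key still sits in the Tomcat process's memory while it runs, which is the limit Tim Funk and Peter Crowther describe above; what this design removes is any decryption key stored on the server's disk.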