Original source: http://stackoverflow.com/questions/4607877/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
Mask Passwords with Logback?
Asked by SingleShot
We currently generically log all XML documents coming in and going out of our system, and some of them contain passwords in the clear. We would like to be able to configure the logback logger/appender that is doing this to do some pattern matching or similar and if it detects a password is present to replace it (with asterisks most likely). Note we don't want to filter out the log entry, we want to mask a portion of it. I would appreciate advice on how this would be done with logback. Thanks.
Answered by Ceki
The logback version 0.9.27 introduced replacement capability. Replacements support regular expressions. For example, if the logged message was "userid=alice, pswd='my secret'", and the output pattern was
"%d [%t] %logger - %msg%n",
you just modify the pattern to
"%d [%t] %logger - %replace(%msg){"pswd='.*'", "pswd='xxx'"}%n"
Note that the above makes use of option quoting.
The previous log message would be output as "userid=alice, pswd='xxx'"
For blazing performance, you could also mark the log statement as CONFIDENTIAL and instruct %replace to perform replacement only for log statements marked as CONFIDENTIAL. Example,
Marker confidential = MarkerFactory.getMarker("CONFIDENTIAL");
logger.info(confidential, "userid={}, password='{}'", userid, password);
Unfortunately, the current version of logback does not yet support conditional replacements (based on markers or otherwise). However, you could easily write your own replacement code by extending ReplacingCompositeConverter. Shout on the logback-user mailing list if you need further assistance.
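An added example, not part of the original answer or of logback: it uses plain java.util.regex to show what a regex replace-all rule such as %replace does to a rendered message, and where the pattern above over-masks or a dot-based XML pattern misses a password. The sample messages and the element/attribute name "password" are constructed assumptions.

```java
import java.util.regex.Pattern;

public class MaskDemo {
    // Pattern from the answer: '.*' is greedy and runs to the LAST quote on the line.
    static final Pattern GREEDY = Pattern.compile("pswd='.*'");
    // Bounded variant: stops at the first closing quote, so later fields survive.
    static final Pattern BOUNDED = Pattern.compile("pswd='[^']*'");
    // XML element; [^<]* also crosses line breaks, which '.' does not by default.
    static final Pattern XML_ELEMENT =
        Pattern.compile("(<password>)[^<]*(</password>)", Pattern.CASE_INSENSITIVE);
    // Dot-based element pattern, kept only to show the multi-line miss.
    static final Pattern XML_ELEMENT_DOT =
        Pattern.compile("(<password>).*(</password>)", Pattern.CASE_INSENSITIVE);
    // XML attribute form: password="..."
    static final Pattern XML_ATTR =
        Pattern.compile("(\\bpassword\\s*=\\s*\")[^\"]*(\")", Pattern.CASE_INSENSITIVE);

    static String maskKeyValue(Pattern p, String msg) {
        return p.matcher(msg).replaceAll("pswd='xxx'");
    }

    // Masks the value but keeps the surrounding tags via group references.
    static String maskXml(Pattern element, String xml) {
        String out = element.matcher(xml).replaceAll("$1***$2");
        return XML_ATTR.matcher(out).replaceAll("$1***$2");
    }

    public static void main(String[] args) {
        // Constructed sample: a field follows the password on the same line.
        String kv = "userid=alice, pswd='my secret', role='admin'";
        System.out.println(maskKeyValue(GREEDY, kv));   // role field is swallowed
        System.out.println(maskKeyValue(BOUNDED, kv));  // only the password is masked

        // Constructed sample: attribute form plus an element value spanning two lines.
        String xml = "<login user=\"alice\" password=\"s3cret\">\n"
                   + "  <password>my\nsecret</password>\n"
                   + "</login>";
        System.out.println(maskXml(XML_ELEMENT_DOT, xml)); // element value still in the clear
        System.out.println(maskXml(XML_ELEMENT, xml));     // both occurrences masked
    }
}
```

Values wrapped in CDATA or containing markup are not covered by these patterns; masking the document with an XML-aware step before logging handles those cases.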
Answered by Aravind Yarram
I believe Masking is an aspect of your business, not the aspect of any technology or logging system. There are situations where the passwords, national identities etc should be masked while storing them in the DB as well due to legal reasons. You should be able to mask the xml before giving it to the logger.
One way to do it is to run the XML through XSLT that does that masking and then give it to logger for logging.
If you don't want to do this then LogBack has Filters support, which is one of the options (not the right one though).
But understand that any generic out of the box solution you are trying to find at the logging infrastructure level is going to be suboptimal as every log message is going to be checked for masking.