Hibernate log4j.properties prints DB uname & pass
My story is as follows.
I have a Java app with Hibernate connected to an embedded DB (Derby).
The funny thing was that my Hibernate app printed the uname at start, because I was using slf4j-simple, and so I set my app to use log4j.
Hibernate DB uname & pass are set in code, using a property object.
I tried using the same trick on the log4j property configurator, but the log4j.properties file overrides my property object.
But the log4j.properties file is easily changed, and the main question is:
Can log4j be set to print my DB uname & pass, or any of the sensitive data used in my Hibernate config in the app?
Comments (1)
If I understand you correctly... that your hibernate app is making calls (either directly or indirectly) to one of the logger functions (debug, warn, error, info, etc) and passing the username/password as the parameters...
Then, YES, absolutely log4j can be configured to print uname & pass. And, YES, you can "set the logger in log4j."
Moreover, doing either would be rather easy. You can modify the root logger to display all logging calls throughout the entire application (including the libraries).
The bottom line, if the uname/pass are set in code, in plain text, getting it out is trivially simple (log4j isn't the only way), even without access to the source *.java files.
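The answer's point that the root logger governs every logging call, libraries included, can be checked against a deployed log4j.properties. The Python below is an added example, not code from the question or the answer; it resolves log4j 1.x level inheritance and reports loggers more verbose than a chosen floor. The `WARN` floor, the `org.hibernate` watch prefix and both sample files are assumptions constructed for illustration.

```python
import re

# log4j 1.x levels, most verbose first.
RANK = {"ALL": 0, "TRACE": 1, "DEBUG": 2, "INFO": 3,
        "WARN": 4, "ERROR": 5, "FATAL": 6, "OFF": 7}
LINE = re.compile(r"^\s*log4j\.(rootLogger|rootCategory|logger\.|category\.)"
                  r"([\w.$]*)\s*[=:]\s*([A-Za-z]+)")

# Constructed samples: a verbose root logger and a tightened variant.
WEAK = """log4j.rootLogger=DEBUG, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
"""
HARDENED = """log4j.rootLogger=WARN, stdout
log4j.logger.org.hibernate=WARN
log4j.logger.org.hibernate.SQL=OFF
"""

def parse_levels(text):
    """Map logger name ('' means root) to its explicitly configured level."""
    levels = {}
    for line in text.splitlines():
        m = LINE.match(line)
        # Values such as INHERITED are skipped, so inheritance applies.
        if m and m.group(3).upper() in RANK:
            levels[m.group(2)] = m.group(3).upper()
    return levels

def effective_level(name, levels):
    """Walk up the dotted hierarchy the way log4j resolves inheritance."""
    while name:
        if name in levels:
            return levels[name]
        name = name.rpartition(".")[0]
    return levels.get("", "DEBUG")  # an unconfigured log4j 1.x root is DEBUG

def audit(text, watched="org.hibernate", floor="WARN"):
    """Return (logger, level) pairs that are more verbose than `floor`."""
    levels = parse_levels(text)
    names = {"", watched} | {n for n in levels if n.startswith(watched + ".")}
    findings = []
    for name in sorted(names):
        level = effective_level(name, levels)
        if RANK[level] < RANK[floor]:
            findings.append((name or "<root>", level))
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

Because the file on disk can be swapped, a check like this only describes the configuration it was run against; it does not change the answer's conclusion about plain-text credentials set in code.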