使用 Logback 屏蔽密码?

发布于 2024-10-10 12:00:13 字数 179 浏览 11 评论 0 原文

目前,我们一般都会记录进出系统的所有 XML 文档,其中一些文档包含明文密码。我们希望能够配置执行此操作的 logback 记录器/附加程序来进行一些模式匹配或类似操作,并且如果它检测到存在密码则将其替换(最有可能使用星号)。请注意,我们不想过滤掉日志条目,我们想屏蔽它的一部分。我希望得到有关如何使用 logback 完成此操作的建议。谢谢。

We currently generically log all XML documents coming in and going out of our system, and some of them contain passwords in the clear. We would like to be able to configure the logback logger/appender that is doing this to do some pattern matching or similar and if it detects a password is present to replace it (with asterisks most likely). Note we don't want to filter out the log entry, we want to mask a portion of it. I would appreciate advice on how this would be done with logback. Thanks.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

与风相奔跑 2024-10-17 12:00:13

logback 版本 0.9.27 引入了替换功能。替换支持正则表达式。例如,如果记录的消息是“userid=alice, pswd='my Secret'”,并且输出模式是,

  "%d [%t] $logger - %msg%n",

您只需修改模式即可

 "%d [%t] $logger - %replace(%msg){"pswd='.*'", "pswd='xxx'"}%n"

注意,上面使用了 选项引用

之前的日志消息将输出为“userid=alice, pswd='xxx'”

为了获得出色的性能,您还可以将日志语句标记为 CONFIDENTIAL,并指示 %replace 仅对标记为 CONFIDENTIAL 的日志语句执行替换。例如,

 Marker confidential = MarkerFactory.getMarker("CONFIDENTIAL");
 logger.info(confidential, "userid={}, password='{}'", userid, password);

不幸的是,当前版本的 logback 尚不支持条件替换(基于标记或其他)。但是,您可以通过扩展 ReplacingCompositeConverter 轻松编写自己的替换代码。如果您需要进一步的帮助,请在 logback-user 邮件列表上留言。

The logback version 0.9.27 introduced replacement capability. Replacements support regular expressions. For example, if the logged message was "userid=alice, pswd='my secret'", and the output pattern was

  "%d [%t] $logger - %msg%n",

you just modify the pattern to

 "%d [%t] $logger - %replace(%msg){"pswd='.*'", "pswd='xxx'"}%n"

Note that the above makes use of option quoting.

The previous log message would be output as "userid=alice, pswd='xxx'"

For blazing performance, you could also mark the log statement as CONFIDENTIAL and instruct %replace to perform replacement only for log statements marked as CONFIDENTIAL. Example,

 Marker confidential = MarkerFactory.getMarker("CONFIDENTIAL");
 logger.info(confidential, "userid={}, password='{}'", userid, password);

Unfortunately, the current version of logback does not yet support conditional replacements (based on markers or otherwise). However, you could easily write your own replacement code by extending ReplacingCompositeConverter. Shout on the logback-user mailing list if you need further assistance.

蛮可爱 2024-10-17 12:00:13

我相信屏蔽是您业务的一个方面,而不是任何技术或日志系统的方面。在某些情况下,由于法律原因,在将密码、国家身份等存储在数据库中时也应该对其进行屏蔽。您应该能够在将 xml 提供给记录器之前对其进行屏蔽。

一种方法是通过 XSLT 运行 XML,然后将其提供给记录器进行记录。

如果您不想这样做,那么 LogBack 有过滤器支持,这是其中之一选项(虽然不是正确的选项)。

但是要明白,您试图在日志基础设施级别找到的任何通用的开箱即用解决方案都将不是最佳的,因为每个日志消息都将被检查是否被屏蔽。

I believe Masking is an aspect of your business, not the aspect of any technology or logging system. There are situations where the passwords, national identities etc should be masked while storing them in the DB as well due to legal reasons. You should be able to mask the xml before giving it to the logger.

One way to do it is to run the XML through XSLT that does that making and then give it to logger for logging.

If you doesn't want to do this then LogBack has Filters support that is one of the option (not the right one though).

But understand that any generic out of the box solution you are trying to find at the logging infrastructure level is going to be suboptimal as every log message is going to be checked for masking.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文