-
Notifications
You must be signed in to change notification settings - Fork 35
Masking
August Detlefsen edited this page Jun 27, 2017
·
3 revisions
The OWASP Security Logging API provides a Converter implementation to mask confidential information from log output. The MaskingConverter class masks arguments to logging methods by converting input characters to '*'.
To use the converter, first add a <conversionRule> element to the logger configuration. The conversionWord attribute will define the pattern that should be replaced with masked output:
<conversionRule conversionWord="mask"
converterClass="org.owasp.security.logging.mask.MaskingConverter" />
In the <appender> definition, modify the <pattern> element to use the conversionWord (%mask) that was specified in the <conversionRule>:
<appender name="APP_CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>%date [%thread] [%marker] %-5level - %mask%n</pattern>
</encoder>
</appender>
In Java source code, add the CONFIDENTIAL marker to log statements that could contain confidential information:
LOGGER.info("userid={}", userid);
LOGGER.info(SecurityMarkers.CONFIDENTIAL, "password={}", password);
This configuration will produce the following output in the log:
2014-12-16 13:54:48,860 [main] INFO - userid=joebob
2014-12-16 13:54:48,860 [main] [CONFIDENTIAL] INFO - password=***********