https://issues.apache.org/jira/browse/DELTASPIKE-382?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13683651#comment-13683651

Gerhard Petracek edited comment on DELTASPIKE-382 at 6/14/13 6:49 PM:
----------------------------------------------------------------------

I agree with Romain, and that also solves the cases you mentioned. Or we don't 
log the config per default and just log it based on a system property (which is 
also easy enough to enable).
I also know lots of people who agree with me, since we had this topic several 
times in environments of different security levels. You will never get an 
approach everybody agrees with if you enable it per default.

Storing passwords as plain text and at the same time not securing your logs 
and/or not checking them before exposing them is highly careless, since projects 
usually use x libs as direct dependencies or shipped in the server. If only one 
of them just logs all values of system properties/JNDI/... and you don't check the 
content of your logs before you expose them, you have the same issue.
                
      was (Author: gpetracek):
    i agree with romain and that also solves the cases you mentioned. or we 
don't log the config per default and just log it based on a system property 
(which is also easy enough to enable).
i also know lots of people who agree with me, since we had this topic several 
times in environments of different security levels. you will never get an 
approach everybody agrees with, if you enable it per default.
                  
> mask out passwords and other credentials
> ----------------------------------------
>
>                 Key: DELTASPIKE-382
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-382
>             Project: DeltaSpike
>          Issue Type: New Feature
>          Components: Configuration
>    Affects Versions: 0.4
>            Reporter: Mark Struberg
>            Assignee: Mark Struberg
>             Fix For: 0.5
>
>
> Our configuration mechanism currently logs all the configured values.
> This makes it hard to use it for passwords and stuff.
> I suggest we introduce some specific prefix property to configure configs 
> which contain sensitive information.
> For the key 'some.random.password' this could look like:
> deltaspike_config.mask.some.random.password=true
> In the log we would in this case just output the information whether and 
> where we did find some value, but not print the details for all configs which 
> start with all of the configured masks.
> I'm not yet sure though how to configure this best. Suggestions appreciated!
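The ticket proposes a mask prefix (`deltaspike_config.mask.<key>=true`) so that the config logger reports where a sensitive value was found without printing it, and the comment above proposes gating value logging behind a system property. The following is an added, language-neutral model of those two rules written for this page; it is not DeltaSpike code, the system-property name `deltaspike.config.log_values` and the "first source wins" merge order are assumptions, and the config sources and secret values are constructed sample data.

```python
"""Constructed model of the masking and logging gate discussed in DELTASPIKE-382.

Not DeltaSpike's implementation: the mask syntax follows the ticket, everything
else (switch name, merge order, log line format) is an assumption for this example.
"""

MASK_PREFIX = "deltaspike_config.mask."        # syntax proposed in the ticket
LOG_SWITCH = "deltaspike.config.log_values"    # hypothetical system-property name


def masked_prefixes(config):
    """Return every key prefix the user marked via deltaspike_config.mask.<prefix>=true."""
    return [k[len(MASK_PREFIX):] for k, v in config.items()
            if k.startswith(MASK_PREFIX) and str(v).strip().lower() == "true"]


def is_masked(key, prefixes):
    """A key is sensitive when it starts with any configured mask prefix."""
    return any(key.startswith(p) for p in prefixes)


def merge_sources(sources):
    """sources: ordered list of (source_name, {key: value}); earlier sources win (assumed).

    Returns {key: (value, source_name)} so the log can say where a value came from.
    """
    merged = {}
    for name, props in sources:
        for key, value in props.items():
            merged.setdefault(key, (value, name))
    return merged


def render_config_log(sources, system_props):
    """Lines a config logger would emit; [] unless the system-property switch is on.

    Masked keys are reported only as 'found in <source>', never with their value.
    """
    if str(system_props.get(LOG_SWITCH, "false")).lower() != "true":
        return []                                  # logging is opt-in, as the comment suggests
    merged = merge_sources(sources)
    prefixes = masked_prefixes({k: v for k, (v, _src) in merged.items()})
    lines = []
    for key in sorted(merged):
        value, source = merged[key]
        if is_masked(key, prefixes):
            lines.append(f"{key}: value found in {source} (masked)")
        else:
            lines.append(f"{key} = {value} (from {source})")
    return lines


# Constructed sample sources; the password and hint are made-up values.
SAMPLE_SOURCES = [
    ("system-properties", {
        "deltaspike_config.mask.some.random.password": "true",
        "app.name": "demo",
    }),
    ("apache-deltaspike.properties", {
        "some.random.password": "s3cr3t-constructed",
        "some.random.password.hint": "first pet",      # also matches the prefix
        "db.url": "jdbc:h2:mem:demo",
    }),
]


if __name__ == "__main__":
    print("switch off:", render_config_log(SAMPLE_SOURCES, {}))
    for line in render_config_log(SAMPLE_SOURCES, {LOG_SWITCH: "true"}):
        print(line)
```

Because masks are matched as prefixes, `some.random.password.hint` is hidden along with `some.random.password`; anything under a masked prefix still shows which source supplied it, which is the "whether and where" information the ticket wants to keep.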

--
This message is automatically generated by JIRA.