[ 
https://issues.apache.org/jira/browse/DELTASPIKE-382?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13684740#comment-13684740
 ] 

Gerhard Petracek commented on DELTASPIKE-382:
---------------------------------------------

Again: I never said something (pro or con) about the SPI. I just don't agree 
with masking values in our case. Skipping the log in some cases is by far 
enough.
And yes - it's a single API since the ConfigResolver API is affected. A proper 
approach for the initial use-case would handle it on a different level, because 
it allows keeping the logs clean (independent of the part which produces it).
It's your responsibility if you are using it in your project/s for passwords. 
Skipping logging (instead of masking) without even implying a security context 
for other users should be enough (even for whatever you are going to do in your 
project).

(It isn't about who is doing it - it's about how it's done and which message is 
transported to users actively via docs/supported syntax/... .)
                
> mask out passwords and other credentials in our Configuration logs
> ------------------------------------------------------------------
>
>                 Key: DELTASPIKE-382
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-382
>             Project: DeltaSpike
>          Issue Type: New Feature
>          Components: Configuration
>    Affects Versions: 0.4
>            Reporter: Mark Struberg
>            Assignee: Mark Struberg
>             Fix For: 0.5
>
>
> Our configuration mechanism currently logs all the configured values.
> This makes it hard to use it for passwords and stuff.
> I suggest we introduce some specific prefix property to configure configs 
> which contain sensitive information.
> For the key 'some.random.password' this could look like:
> deltaspike_config.mask.some.random.password=true
> In the log we would in this case just output the information whether and 
> where we did find some value, but not print the details for all configs which 
> start with all of the configured masks.
> I'm not yet sure though how to configure this best. Suggestions appreciated!

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
