Hi,
thanks Alexey! I missed the fact that the new LoggingFeature class is in a
separate Maven artifact. It would be nice if the documentation could point out
that the new org.apache.cxf.ext.logging.LoggingFeature is different from the
deprecated org.apache.cxf.feature.LoggingFeature.
I managed to mask the sensitive information. However, the logging for the SOAP
requests from the client to the server isn't as nice as I would like it to
be.
Here's what I did:
Added this to the pom.xml:
    <dependency>
        <groupId>org.apache.cxf</groupId>
        <artifactId>cxf-rt-features-logging</artifactId>
        <version>${cxf.version}</version>
    </dependency>
This is my cxf.xml:
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:cxf="http://cxf.apache.org/core"
           xsi:schemaLocation="
               http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
        <cxf:bus>
            <cxf:features>
                <bean class="de.foo.bar.MyLoggingFeature">
                </bean>
            </cxf:features>
        </cxf:bus>
    </beans>
This is my LoggingFeature:
    package de.foo.bar;

    import java.util.Arrays;
    import java.util.HashSet;

    import org.apache.cxf.ext.logging.LoggingFeature;

    public class MyLoggingFeature extends LoggingFeature {
        public MyLoggingFeature() {
            super();
            // Element names whose values are masked in the logged payload
            addSensitiveElementNames(new HashSet<>(
                    Arrays.asList("wsse:Username", "wsse:Password", "wsse:Nonce",
                            "wsu:Created")));
            // Protocol header names whose values are masked in the logged headers
            addSensitiveProtocolHeaderNames(new HashSet<>(
                    Arrays.asList("Security", "Accept", "Date")));
            setPrettyLogging(true);
        }
    }
Now, the response is masked and pretty printed:
[main] INFO org.apache.cxf.services.Group.RESP_IN - RESP_IN
Address: ...
Content-Type: text/xml;charset=utf-8
ResponseCode: 200
ExchangeId: ...
ServiceName: ...
PortName: ...
PortTypeName: ...
Headers: {SOAPAction="", Accept=XXX, Server=secret,
X-Content-Type-Options=nosniff, Public-Key-Pins-Report-Only=pin-sha256="...";
pin-sha256=""; max-age=600; report-uri="...", Pragma=no-cache, Date=XXX,
X-Frame-Options=DENY, Strict-Transport-Security=max-age=16000000,
Cache-Control=no-cache, no-store, max-age=0, must-revalidate,
Content-Security-Policy=default-src 'self'; script-src 'self' 'unsafe-inline'
'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
connect-src 'self' wss://...; report-uri ...; child-src *; frame-ancestors
...;, content-type=text/xml;charset=utf-8, Expires=0, Content-Length=303,
X-XSS-Protection=1; mode=block}
Payload: <SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<successResponse xmlns="...">
<request xmlns="...">...</request>
</successResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
However, the request is not quite as pretty. The XML is not indented properly.
[main] INFO org.apache.cxf.services.Group.REQ_OUT - REQ_OUT
Address: ...
HttpMethod: POST
Content-Type: text/xml
ExchangeId: ...
ServiceName: ...
PortName: ...
PortTypeName: ...
Headers: {SOAPAction="", Accept=XXX}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1"><wsse:UsernameToken
wsu:Id="UsernameToken-...">XXX</wsse:Username><wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXX</wsse:Password><wsse:Nonce
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">XXX</wsse:Nonce><wsu:Created>XXX</wsu:Created></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><outerTag
xmlns="..."><innerTag>...</innerTag></outerTag></soap:Body></soap:Envelope>
Am I missing something here?
Also: Would you mask other fields as well?
Thanks!
Kind regards
Matthias
______________________________________________________________________________________________
Matthias Tonhäuser | Software Developer
Phone 0251 9159-501
GuideCom AG | Hafenweg 14 | 48155 Münster | www.guidecom.de | Münster
District Court HRB 18577
Executive Board: Robin Wunsch (Spokesperson), Mathias Bokelmann, Günter Meyer,
Dr. Michael Thygs
Supervisory Board: Robert Baresel (Chair), Prof. Dr. Margret Borchert, Prof.
Dr. Jan Recker
______________________________________________________________________________________________
How tomorrow works.
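
The REQ_OUT payload above contains `<wsse:UsernameToken wsu:Id="UsernameToken-...">XXX</wsse:Username>`: the opening `<wsse:Username>` tag is missing from the logged text. Added example (not part of the original mail and not CXF's own code): a hypothetical regex mask whose opening-tag pattern has no name boundary reproduces that shape, shown beside a boundary-checked variant. The class name, both patterns and the sample values are constructed for illustration.

```java
import java.io.StringReader;
import java.util.regex.Pattern;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

public class MaskBoundaryDemo {
    // Constructed sample shaped like the REQ_OUT payload above (namespaces and values are made up).
    static final String SAMPLE =
        "<wsse:UsernameToken xmlns:wsse=\"urn:example:wsse\" xmlns:wsu=\"urn:example:wsu\""
        + " wsu:Id=\"UsernameToken-1\">"
        + "<wsse:Username>alice</wsse:Username>"
        + "<wsse:Password Type=\"PasswordText\">s3cret</wsse:Password>"
        + "</wsse:UsernameToken>";

    // Hypothetical loose mask: "wsse:Username" also matches the start of "wsse:UsernameToken",
    // so the real opening tag ends up inside the masked value and is replaced with it.
    static String maskLoose(String xml, String name) {
        String q = Pattern.quote(name);
        return Pattern.compile("(<" + q + ".*?>)(.*?)(</" + q + ">)", Pattern.DOTALL)
                .matcher(xml).replaceAll("$1XXX$3");
    }

    // Hypothetical strict mask: the name must be followed by '>' or whitespace,
    // and the masked value may not contain markup.
    static String maskStrict(String xml, String name) {
        String q = Pattern.quote(name);
        return Pattern.compile("(<" + q + "(?:\\s[^>]*)?>)([^<]*)(</" + q + ">)")
                .matcher(xml).replaceAll("$1XXX$3");
    }

    // True if the text still parses as XML; DOCTYPEs are rejected.
    static boolean wellFormed(String xml) {
        try {
            SAXParserFactory f = SAXParserFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.newSAXParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String loose = maskLoose(maskLoose(SAMPLE, "wsse:Username"), "wsse:Password");
        String strict = maskStrict(maskStrict(SAMPLE, "wsse:Username"), "wsse:Password");
        System.out.println("loose:  " + loose + "\n  well-formed: " + wellFormed(loose));
        System.out.println("strict: " + strict + "\n  well-formed: " + wellFormed(strict));
    }
}
```

An XML pretty-printer can only re-indent text that still parses, so checking the masked payload for well-formedness is a quick test when masked output is logged on a single line.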
-----Original Message-----
From: Alexey Markevich <[email protected]>
Sent: Tuesday, 30 March 2021 22:47
To: [email protected]
Subject: Re: Logging: Activate pretty printing and masking sensitive information
Hi Matthias,
use the logging module rt/features/logging instead
On 3/30/21, Matthias Tonhäuser <[email protected]> wrote:
> Hi there,
>
> I’m trying to add logging to my Apache CXF 3.4.3 client. I would like
> to enable pretty printing and mask sensitive information like the user
> name and the password.
>
> This is what Apache CXF recommends for enabling logging:
>
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:cxf="http://cxf.apache.org/core"
>        xsi:schemaLocation="
>            http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
>            http://www.springframework.org/schema/beans
>            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
>     <cxf:bus>
>         <cxf:features>
>             <cxf:logging/>
>         </cxf:features>
>     </cxf:bus>
> </beans>
>
> However, I don’t know how to enable pretty printing there. Therefore I
> came up with this solution:
>
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:cxf="http://cxf.apache.org/core"
>        xsi:schemaLocation="
>            http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
>            http://www.springframework.org/schema/beans
>            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
>
>     <bean id="logInbound"
>           class="org.apache.cxf.interceptor.LoggingInInterceptor">
>         <property name="prettyLogging" value="true"/>
>     </bean>
>     <bean id="logOutbound"
>           class="org.apache.cxf.interceptor.LoggingOutInterceptor">
>         <property name="prettyLogging" value="true"/>
>     </bean>
>
>     <cxf:bus>
>         <cxf:inInterceptors>
>             <ref bean="logInbound"/>
>         </cxf:inInterceptors>
>         <cxf:outInterceptors>
>             <ref bean="logOutbound"/>
>         </cxf:outInterceptors>
>         <cxf:outFaultInterceptors>
>             <ref bean="logOutbound"/>
>         </cxf:outFaultInterceptors>
>         <cxf:inFaultInterceptors>
>             <ref bean="logInbound"/>
>         </cxf:inFaultInterceptors>
>     </cxf:bus>
> </beans>
>
>
> However, the LoggingInInterceptor and its counterpart are marked as
> deprecated. Is there a better way to do this?
>
> I would like to mask sensitive information in the logging statements
> as well.
>
> This site here (https://cxf.apache.org/docs/message-logging.html) says
> that LoggingFeature has two new methods as of version 3.4.0:
>
> addSensitiveElementNames(final Set<String> sensitiveElements);
>     Configures names of sensitive XML and JSON elements, values to be masked.
> addSensitiveProtocolHeaderNames(final Set<String> sensitiveProtocolHeaders);
>     Configures names of sensitive protocol headers, values to be masked.
>
> I took a look at org.apache.cxf.feature.LoggingFeature in 3.4.3 but
> could not find any of these methods. Am I doing something wrong or
> haven’t the methods been added yet?
>
> Thanks!
>
> Kind regards
>
> Matthias