logback-access-spring-boot-starter icon indicating copy to clipboard operation
logback-access-spring-boot-starter copied to clipboard

Published 20 hours ago verified publisher icon akkinoc

Hashing remote user

Open hsellik opened this issue 2 years ago • 1 comments

Question

Is there a way to hash the remote user that gets logged?

There used to be LogbackAccessSecurityAttributesSaveFilter which enabled to override the doFilter() function, but it has been removed in the newer version of this starter.

hsellik avatar Jun 16 '23 13:06 hsellik

Went for a hack like this:

@Component
public class FilterConfiguration {

  @Bean
  @NotNull
  public FilterRegistrationBean<LogbackAccessSecurityServletFilter> logbackAccessSecurityServletFilter() {
    return new FilterRegistrationBean(new CustomSecurityAttributesSaveFilter());
  }

}

public class CustomSecurityAttributesSaveFilter implements Filter {

  @NotNull
  public static final String REMOTE_USER_ATTRIBUTE = Reflection.getOrCreateKotlinClass(LogbackAccessSecurityServletFilter.class).getQualifiedName() + ".remoteUser";

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException {
    saveSecurityAttributes((HttpServletRequest) request);
    chain.doFilter(request, response);
  }

  private void saveSecurityAttributes(HttpServletRequest request) {
    request.setAttribute(REMOTE_USER_ATTRIBUTE, hash(request.getRemoteUser()));
  }

}

Is there a reason that LogbackAccessSecurityServletFilter is final? Otherwise I could override the doFilter there and create my own FilterRegistrationBean without any warnings.

hsellik avatar Jun 20 '23 13:06 hsellik