How to disable credentials logging in CURLLogger

Open AnnieSemenova opened this issue 4 years ago • 1 comments

Hello! We faced the following issue: in the production environment we can't enable Debug logging without fully excluding CURLLogger, because credentials are printed as well. CURLLogger is important, because it shows the real request to ArangoDB and we can't use it.

https://github.com/arangodb/arangodb-java-driver/blob/master/src/main/java/com/arangodb/internal/http/CURLLogger.java#L63

Maybe we can configure this behavior in some way? If not, I think it would be good to have this opportunity, because enabling debug for CURLLogger can be impossible for security reasons.

AnnieSemenova avatar Oct 18 '21 08:10 AnnieSemenova

At the moment this is not directly supported by the driver, but you could achieve it using a custom logback PatternLayout. For reference see: https://www.baeldung.com/logback-mask-sensitive-data

rashtao avatar Oct 20 '21 06:10 rashtao
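
A sketch of the custom logback PatternLayout approach suggested above, as an added example that is not part of the original thread and is not the driver's own code. The class name `CurlCredentialMaskingLayout` is hypothetical, and the assumed log shape (credentials appearing as `-u user:password` or as an `Authorization: Bearer|Basic <token>` header in a curl-style line) must be checked against what your driver version actually emits.

```java
import ch.qos.logback.classic.PatternLayout;
import ch.qos.logback.classic.spi.ILoggingEvent;
import java.util.regex.Pattern;

/**
 * Added example (not driver code): redacts credentials from curl-style
 * debug lines after formatting and before they reach the appender.
 * Assumption: the secret appears as "-u user:password" or as an
 * "Authorization: Bearer|Basic <token>" header.
 */
public class CurlCredentialMaskingLayout extends PatternLayout {

    // "-u name:secret": keep the option and user name, drop the secret.
    // The lookbehind avoids matching "-u" in the middle of another token.
    private static final Pattern USER_PASS =
            Pattern.compile("(?<!\\S)(-u\\s+[^\\s:']+:)\\S+");

    // "Authorization: Bearer xyz" or "Authorization: Basic xyz": drop the token,
    // stopping at the closing quote of a quoted -H argument.
    private static final Pattern AUTH_HEADER =
            Pattern.compile("(?i)(Authorization:\\s*(?:Bearer|Basic)\\s+)[^'\\s]+");

    private static final String MASK = "$1****";

    /** Pure function, so the redaction can be unit-tested without logback. */
    static String mask(String line) {
        if (line == null) {
            return null;
        }
        String out = USER_PASS.matcher(line).replaceAll(MASK);
        return AUTH_HEADER.matcher(out).replaceAll(MASK);
    }

    @Override
    public String doLayout(ILoggingEvent event) {
        // Apply the configured pattern first, then redact the formatted text,
        // so secrets in the message and in its arguments are both covered.
        return mask(super.doLayout(event));
    }

    public static void main(String[] args) {
        // Constructed sample lines, not captured driver output.
        String basic = "curl -X GET --dump - -u root:s3cr3t 'http://db:8529/_api/version'";
        String jwt = "curl -X GET --dump - -H 'Authorization: Bearer abc.def.ghi'"
                + " 'http://db:8529/_api/version'";
        System.out.println(mask(basic));
        System.out.println(mask(jwt));
    }
}
```

The layout only protects appenders that use it, so wire it (for example through logback's `LayoutWrappingEncoder`) into every appender that can receive the CURLLogger output, including any remote or file appender. A password containing whitespace would be only partially masked by the `\S+` match, so test the patterns against your own credential format before enabling debug logging in production.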

Fixed in https://github.com/arangodb/arangodb-java-driver/releases/tag/v7.0.0-ALPHA.1

rashtao avatar Jan 20 '23 10:01 rashtao

Credentials are not logged anymore since version 7.0.0. https://github.com/arangodb/arangodb-java-driver/releases/tag/v7.0.0-RC.4

rashtao avatar Mar 21 '23 14:03 rashtao

Closing as fixed in version 7.0.0.

rashtao avatar Apr 20 '23 12:04 rashtao