Basic Auth credentials should not be logged

Open glassfishrobot opened this issue 9 years ago • 3 comments

We have secured our API-endpoint using Basic Authentication.

We have LoggingFilter.class added, to log all requests made to the API.

Below is an excerpt of the automatically generated log:

feb 09, 2016 9:39:00 AM org.glassfish.jersey.filter.LoggingFilter log
INFO: 38 * LoggingFilter - Request received on thread ajp-bio-8009-exec-3
38 > GET localhost:8080/test
38 > host: localhost
38 > connection: keep-alive
38 > authorization: Basic ZHVtbXk6ZHVtbXk=
38 > Cache-Control: no-cache
38 > user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.103 Safari/537.36
38 > accept: */*
38 > DNT: 1
38 > Accept-Encoding: gzip, deflate, sdch
38 > Accept-Language: en-US,en;q=0.8,nl;q=0.6
38 > cookie: ...

The credentials are visible in plain text in the logs. This is something that must not happen! Everyone who has access to the logs could Base64-decode the value and get the username/password combinations.

I would like to have the basic authorization header logged as:

38 > authorization: Basic *********

This way, I know basic authentication was used, but credentials are not leaked.

Since all the logging-specific parts of LoggingFilter.java are private, I cannot extend the class to customize the behavior.

So there are two possible fixes I see:

  • Modify the existing code and display basic auth credentials as **** by default.
  • Make it possible to extend the behavior of the LoggingFilter in a meaningful way. (preferred)

Right now I've implemented a workaround where I've copied the LoggingFilter.java source and made the modifications inline. But this is not maintainable.

Affected Versions

[2.4]

glassfishrobot avatar Feb 09 '16 08:02 glassfishrobot

Reported by zetisam

glassfishrobot avatar Feb 09 '16 08:02 glassfishrobot

This issue was imported from java.net JIRA JERSEY-3049

glassfishrobot avatar Apr 25 '17 05:04 glassfishrobot

Any news on this issue? I would also propose an option to list headers which should be hidden/ignored. For example if there is X-Auth-Token and similar headers which contain sensitive data.

bukajsytlos avatar Jan 22 '18 14:01 bukajsytlos
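The two asks in this thread (mask the Basic credential while keeping the scheme visible, and let the deployer list further secret-bearing headers such as X-Auth-Token) can be met without patching Jersey by registering a small pre-matching filter instead of org.glassfish.jersey.filter.LoggingFilter. The class below is an added example written for this page; it is not code from the thread or from the Jersey project, and the class name, the default header list and the mask string are choices of this example. It uses only the JAX-RS 2.0 API that Jersey 2.x implements.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;
import java.util.logging.Logger;

import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.ext.Provider;

/**
 * Example request-logging filter (not part of Jersey) that masks secret-bearing
 * headers before the line is handed to the logger. Register an instance of it,
 * e.g. resourceConfig.register(new RedactingRequestLoggingFilter("X-Auth-Token")),
 * and do NOT also register LoggingFilter, or the unredacted copy is still written.
 */
@Provider
@PreMatching                                   // log every request, even ones that 404, like LoggingFilter
@Priority(Priorities.AUTHENTICATION - 100)     // run before the authentication filter
public class RedactingRequestLoggingFilter implements ContainerRequestFilter {

    private static final Logger LOG = Logger.getLogger(RedactingRequestLoggingFilter.class.getName());
    private static final String MASK = "*********";   // chosen for this example

    /** Header names whose values must never be logged; HTTP header names are case-insensitive. */
    private final Set<String> sensitiveHeaders = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);

    /** No-arg constructor so the class can also be registered by class name. */
    public RedactingRequestLoggingFilter() {
        this(new String[0]);
    }

    /** Defaults cover the standard credential carriers; callers add their own (e.g. X-Auth-Token). */
    public RedactingRequestLoggingFilter(String... extraSensitiveHeaders) {
        sensitiveHeaders.add("Authorization");
        sensitiveHeaders.add("Proxy-Authorization");
        sensitiveHeaders.add("Cookie");
        for (String h : extraSensitiveHeaders) {
            sensitiveHeaders.add(h);
        }
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        StringBuilder sb = new StringBuilder();
        sb.append("> ").append(ctx.getMethod()).append(' ')
          .append(ctx.getUriInfo().getRequestUri()).append('\n');

        MultivaluedMap<String, String> headers = ctx.getHeaders();
        for (String name : headers.keySet()) {
            for (String value : headers.get(name)) {
                sb.append("> ").append(name).append(": ")
                  .append(redact(name, value)).append('\n');
            }
        }
        LOG.info(sb.toString());
    }

    /**
     * Returns the value to log for a header. For Authorization-style headers the
     * scheme ("Basic", "Bearer") is kept so the log still shows how the caller
     * authenticated, but the credential after it is replaced by the mask. Any other
     * listed header is masked whole.
     */
    String redact(String name, String value) {
        if (!sensitiveHeaders.contains(name)) {
            return value;
        }
        String trimmed = value.trim();
        int space = trimmed.indexOf(' ');
        if (space > 0 && name.toLowerCase(Locale.ROOT).endsWith("authorization")) {
            return trimmed.substring(0, space) + " " + MASK;   // e.g. "Basic *********"
        }
        return MASK;
    }
}
```

With this filter the excerpt from the issue would read `> authorization: Basic *********` while every other header is logged unchanged. Two caveats a practitioner should keep in mind: the request URI is still logged verbatim, so tokens passed as query parameters leak through this filter exactly as before, and because the list is matched by header name, a secret sent under a name you did not register is logged in clear; treat the list as deny-by-name, not as a guarantee.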