augustd edited this page Dec 16, 2014 · 3 revisions

The OWASP Security Logging API provides a Logback Converter implementation that masks confidential information in log output. The MaskingConverter class masks the arguments of log statements that carry the CONFIDENTIAL marker by replacing every character of each argument with '*'.

To use the converter, first add a <conversionRule> element to the Logback configuration. Its conversionWord attribute defines the conversion word (here, mask) that the output pattern will use to emit the masked message:

<conversionRule conversionWord="mask"
                converterClass="org.owasp.security.logging.mask.MaskingConverter" />

In the <appender> definition, modify the <pattern> element to use the conversion word (%mask) that was specified in the <conversionRule>:

<appender name="APP_CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
    <encoder>
        <pattern>%date [%thread] [%marker] %-5level - %mask%n</pattern>
    </encoder>
</appender>

In Java source code, add the CONFIDENTIAL marker to log statements that could contain confidential information:

LOGGER.info("userid={}", userid);  
LOGGER.info(SecurityMarkers.CONFIDENTIAL, "password={}", password);

With this configuration, the two statements above produce the following log output; only the statement carrying the CONFIDENTIAL marker is masked, the unmarked userid line is printed as-is:

2014-12-16 13:54:48,860 [main] INFO - userid=joebob
2014-12-16 13:54:48,860 [main] [CONFIDENTIAL] INFO - password=***********
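A complete class that puts the two rules above (mark the statement, pass the secret as an argument) into practice, added here as an example; it is not code from the OWASP Security Logging project. It assumes the logback.xml fragments above are in effect, that the security-logging-logback artifact and its SLF4J/Logback dependencies are on the classpath (an assumption, not stated on this page), and that the converter masks exactly the arguments of marked statements, as the description above says. The two pitfalls in recordAttemptLeaky follow from that description and should be verified against the library version in use.

```java
// Added example, not code from the OWASP Security Logging project: a login
// handler whose secrets are routed through the MaskingConverter configured
// by the logback.xml fragments above.
// Assumptions (not stated on the page): the security-logging-logback artifact
// and its SLF4J/Logback dependencies are on the classpath, and APP_CONSOLE
// (whose pattern contains %mask) is attached to the root logger.
import org.owasp.security.logging.SecurityMarkers;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class LoginAudit {

    private static final Logger LOGGER = LoggerFactory.getLogger(LoginAudit.class);

    /**
     * Records an authentication attempt. Identifiers that operators need to
     * read stay on unmarked statements; secret material goes on a separate
     * statement carrying the CONFIDENTIAL marker and is passed as a {} argument.
     */
    public static void recordAttempt(String userid, String password, String sessionToken, boolean success) {
        // No marker: rendered verbatim, e.g. "login userid=joebob success=true".
        LOGGER.info("login userid={} success={}", userid, success);

        // CONFIDENTIAL marker: every {} argument of this statement is masked.
        // Keep the userid off these lines, otherwise it is masked as well,
        // because the converter masks all arguments of a marked statement,
        // not only the ones that look like secrets.
        LOGGER.info(SecurityMarkers.CONFIDENTIAL, "password={}", password);
        LOGGER.info(SecurityMarkers.CONFIDENTIAL, "session token={}", sessionToken);
    }

    /**
     * Two ways the same data still reaches the log in clear text. Both follow
     * from the page's description that MaskingConverter acts on the arguments
     * of statements that carry the marker (inferred; verify against your version).
     */
    public static void recordAttemptLeaky(String password) {
        // 1. Marker forgotten: the converter does not touch this statement,
        //    so the password is written out in clear.
        LOGGER.info("password={}", password);

        // 2. Marker present, but the secret is concatenated into the message
        //    string instead of being passed as an argument, so there is no
        //    argument left for the converter to mask.
        LOGGER.info(SecurityMarkers.CONFIDENTIAL, "password=" + password);
    }

    public static void main(String[] args) {
        // Constructed sample input for the demonstration; not real credentials.
        recordAttempt("joebob", "hunter2", "c0ffee-sess1on", true);
        recordAttemptLeaky("hunter2");
    }
}
```

Run main with the appender configuration above on the classpath: the two marked statements in recordAttempt come out with their arguments replaced by '*', the unmarked userid line is readable, and both lines from recordAttemptLeaky show the password in clear, which is the behaviour a code review of log statements should be looking for.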