我想使用slf4j框架屏蔽敏感数据,如用户名/密码。立即帮助表示赞赏。提前谢谢。
答案 0 :(得分:2)
尝试这个。 1.首先,我们应该创建一个用于处理日志的类(每行)
const comment = useSelector(state => state.post.comments)
// I can see that state are not parent of comments, you might want to add the parent in above like
// useSelector(state => state.posts.comments)
// In this case, posts is the parent of comments
const filteredComment = comment && comment.filter(el => el._id === match.params.id)
// filteredComment.comment should be the comment you needed
}
第二步是我们应该创建添加器,以便将登录回登录到logback.xml
<textarea
name="comment"
placeholder="Comment goes here"
initialValue = {curco ? curco[0].comment || undefined}
value={comment}
onChange={e => onChange(e)}
></textarea>
现在我们可以在代码中使用记录器了
log.info(“为creditCard = {}设置的卡上下文”,creditCard);
因此,我们将看到
日志中的一行
为creditCard = 11111 ****** 111设置的卡上下文
如果没有这些选项,我们的日志将类似于此行
public class PatternMaskingLayout extends PatternLayout {
private Pattern multilinePattern;
private List<String> maskPatterns = new ArrayList<>();
public void addMaskPattern(String maskPattern) { // invoked for every single entry in the xml
maskPatterns.add(maskPattern);
multilinePattern = Pattern.compile(
String.join("|", maskPatterns), // build pattern using logical OR
Pattern.MULTILINE
);
}
@Override
public String doLayout(ILoggingEvent event) {
return maskMessage(super.doLayout(event)); // calling superclass method is required
}
private String maskMessage(String message) {
if (multilinePattern == null) {
return message;
}
StringBuilder sb = new StringBuilder(message);
Matcher matcher = multilinePattern.matcher(sb);
while (matcher.find()) {
if (matcher.group().contains("creditCard")) {
maskCreditCard(sb, matcher);
} else if (matcher.group().contains("email")) {
// your logic for this case
}
}
return sb.toString();
}
private void maskCreditCard(StringBuilder sb, Matcher matcher) {
//here is our main logic for masking sensitive data
String targetExpression = matcher.group();
String[] split = targetExpression.split("=");
String pan = split[1];
String maskedPan = Utils.getMaskedPan(pan);
int start = matcher.start() + split[0].length() + 1;
int end = matcher.end();
sb.replace(start, end, maskedPan);
}
答案 1 :(得分:0)
假设您正在使用Java / Groovy。在log4j2.xml中,添加如下内容:
<PatternLayout pattern="%mm"/>
然后采用该模式并为其创建转换器:
@Plugin(name = 'maskLog', category = 'Converter')
@ConverterKeys(['mm'])
class MaskLogConverter extends LogEventPatternConverter {
private static final String NAME = 'mm'
private MaskLogConverter(String[] options) {
super(NAME, NAME)
}
static LogMaskingConverter newInstance(final String[] options) {
return new LogMaskingConverter(options)
}
@Override
void format(LogEvent event, StringBuilder outputMessage) {
String message = event.message//.formattedMessage
// Do your masking logic here
outputMessage.append(message)
}
}
在该类中,您可以相应地进行掩码,转换,解析等。
答案 2 :(得分:0)
也许这个图书馆会有所帮助:owasp-security-logging
它与OWASP Security Logging Project有关 并提供相关功能:
LOGGER.info("userid={}", userid);
LOGGER.info(SecurityMarkers.CONFIDENTIAL, "password={}", password);
目的是在日志中产生以下输出:
2014-12-16 13:54:48,860 [main] INFO - userid=joebob
2014-12-16 13:54:48,860 [main] [CONFIDENTIAL] INFO - password=***********
您可以在Wiki
中找到更多信息答案 3 :(得分:-2)
框架本身不会进行掩蔽,你也不应该期待它。将机密信息传递给报告系统是一种非常糟糕的做法。在log.info()来电中,请务必将密码替换为星号。屏蔽用户名没有意义,因为您可能不记录任何内容。
log.info("Successful login: {0} ********", username);