[jboss-cvs] Re: jboss-cvs-commits Digest, Vol 28, Issue 154
Ales Justin
ales.justin at gmail.com
Fri Oct 10 05:42:58 EDT 2008
A few comments about this password masking.
This is not the way to do it. ;-)
1) if eventually done is such non-generic way, there should be at least
just one place to do it - e.g. MaskPasswordHelper in jboss-commons
2) it should be done generic
e.g. user might want to mask other attributes as well
@MaskIt
public void setFoo(String foo)
3) there should be a set of default masking attributes
this set should be configurable
So, I think a forum discussion is in place - if you could open one in
'Design of POJO Server'.
-Ales
JBoss Microcontainer Project Lead
JBoss, a Division of Red Hat inc.
> ------------------------------
>
> Message: 2
> Date: Thu, 09 Oct 2008 20:38:36 -0400
> From: jboss-cvs-commits at lists.jboss.org
> Subject: [jboss-cvs] JBossAS SVN: r79319 -
> trunk/system-jmx/src/main/org/jboss/system.
> To: jboss-cvs-commits at lists.jboss.org
> Message-ID: <E1Ko61c-0006C9-6l at committer01.frg.pub.inap.atl.jboss.com>
> Content-Type: text/plain; charset=UTF-8
>
> Author: mmoyses
> Date: 2008-10-09 20:38:36 -0400 (Thu, 09 Oct 2008)
> New Revision: 79319
>
> Modified:
> trunk/system-jmx/src/main/org/jboss/system/ServiceConfigurator.java
> Log:
> JBAS-5978: mask passwords
>
> Modified: trunk/system-jmx/src/main/org/jboss/system/ServiceConfigurator.java
> ===================================================================
> --- trunk/system-jmx/src/main/org/jboss/system/ServiceConfigurator.java 2008-10-10 00:23:28 UTC (rev 79318)
> +++ trunk/system-jmx/src/main/org/jboss/system/ServiceConfigurator.java 2008-10-10 00:38:36 UTC (rev 79319)
> @@ -141,7 +141,13 @@
> }
> try
> {
> - log.debug(attributeName + " set to " + value + " in " + objectName);
> + if (log.isDebugEnabled())
> + {
> + Object outputValue = value;
> + if (attributeName.toLowerCase().indexOf("password") != -1)
> + outputValue = "****";
> + log.debug(attributeName + " set to " + outputValue + " in " + objectName);
> + }
> server.setAttribute(objectName, new Attribute(attributeName, value));
> }
> catch (Throwable t)
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 09 Oct 2008 20:46:36 -0400
> From: jboss-cvs-commits at lists.jboss.org
> Subject: [jboss-cvs] JBossAS SVN: r79320 - in
> trunk/system-jmx/src/main/org/jboss: system/deployers and 1 other
> directory.
> To: jboss-cvs-commits at lists.jboss.org
> Message-ID: <E1Ko69M-0000Rq-7T at committer01.frg.pub.inap.atl.jboss.com>
> Content-Type: text/plain; charset=UTF-8
>
> Author: mmoyses
> Date: 2008-10-09 20:46:36 -0400 (Thu, 09 Oct 2008)
> New Revision: 79320
>
> Modified:
> trunk/system-jmx/src/main/org/jboss/deployment/XSLSubDeployer.java
> trunk/system-jmx/src/main/org/jboss/system/deployers/ServiceDeploymentDeployer.java
> Log:
> JBAS-6068: mask passwords printed in the logs
>
> Modified: trunk/system-jmx/src/main/org/jboss/deployment/XSLSubDeployer.java
> ===================================================================
> --- trunk/system-jmx/src/main/org/jboss/deployment/XSLSubDeployer.java 2008-10-10 00:38:36 UTC (rev 79319)
> +++ trunk/system-jmx/src/main/org/jboss/deployment/XSLSubDeployer.java 2008-10-10 00:46:36 UTC (rev 79320)
> @@ -173,10 +173,15 @@
> trans.transform(s, r);
>
> di.document = (Document) r.getNode();
> - log.debug("transformed into doc: " + di.document);
> if (log.isDebugEnabled())
> {
> + log.debug("transformed into doc: " + di.document);
> String docStr = DOMWriter.printNode(di.document, true);
> + int index = docStr.toLowerCase().indexOf("password");
> + if (index != -1)
> + {
> + docStr = maskPasswords(docStr, index);
> + }
> log.debug("transformed into doc: " + docStr);
> }
> }
> @@ -239,4 +244,37 @@
> throw new DeploymentException("Could not create document builder for dd", pce);
> }
> }
> +
> + /**
> + * Masks passwords so they are not visible in the log.
> + *
> + * @param original <code>String</code> plain-text passwords
> + * @param index index where the password keyword was found
> + * @return modified <code>String</code> with masked passwords
> + */
> + private String maskPasswords(String original, int index)
> + {
> + StringBuilder sb = new StringBuilder(original);
> + String modified = null;
> + int startPasswdStringIndex = sb.indexOf(">", index);
> + if (startPasswdStringIndex != -1)
> + {
> + // checks if the keyword 'password' was not in a comment
> + if (sb.charAt(startPasswdStringIndex - 1) != '-')
> + {
> + int endPasswdStringIndex = sb.indexOf("<", startPasswdStringIndex);
> + if (endPasswdStringIndex != -1) // shouldn't happen, but check anyway
> + {
> + sb.replace(startPasswdStringIndex + 1, endPasswdStringIndex, "****");
> + }
> + }
> + modified = sb.toString();
> + // unlikely event of more than one password
> + index = modified.toLowerCase().indexOf("password", startPasswdStringIndex);
> + if (index != -1)
> + return maskPasswords(modified, index);
> + return modified;
> + }
> + return original;
> + }
> }
>
> Modified: trunk/system-jmx/src/main/org/jboss/system/deployers/ServiceDeploymentDeployer.java
> ===================================================================
> --- trunk/system-jmx/src/main/org/jboss/system/deployers/ServiceDeploymentDeployer.java 2008-10-10 00:38:36 UTC (rev 79319)
> +++ trunk/system-jmx/src/main/org/jboss/system/deployers/ServiceDeploymentDeployer.java 2008-10-10 00:46:36 UTC (rev 79320)
> @@ -93,7 +93,16 @@
> log.debug("Service deployment has no services: " + deployment.getName());
> return;
> }
> - log.debug(DOMWriter.printNode(config, true));
> + if (log.isDebugEnabled())
> + {
> + String docStr = DOMWriter.printNode(config, true);
> + int index = docStr.toLowerCase().indexOf("password");
> + if (index != -1)
> + {
> + docStr = maskPasswords(docStr, index);
> + }
> + log.debug(docStr);
> + }
> ServiceMetaDataParser parser = new ServiceMetaDataParser(config);
> services = parser.parse();
> deployment.setServices(services);
> @@ -146,4 +155,37 @@
> removeServiceComponent(unit, deployment);
> }
> }
> +
> + /**
> + * Masks passwords so they are not visible in the log.
> + *
> + * @param original <code>String</code> plain-text passwords
> + * @param index index where the password keyword was found
> + * @return modified <code>String</code> with masked passwords
> + */
> + private String maskPasswords(String original, int index)
> + {
> + StringBuilder sb = new StringBuilder(original);
> + String modified = null;
> + int startPasswdStringIndex = sb.indexOf(">", index);
> + if (startPasswdStringIndex != -1)
> + {
> + // checks if the keyword 'password' was not in a comment
> + if (sb.charAt(startPasswdStringIndex - 1) != '-')
> + {
> + int endPasswdStringIndex = sb.indexOf("<", startPasswdStringIndex);
> + if (endPasswdStringIndex != -1) // shouldn't happen, but check anyway
> + {
> + sb.replace(startPasswdStringIndex + 1, endPasswdStringIndex, "****");
> + }
> + }
> + modified = sb.toString();
> + // unlikely event of more than one password
> + index = modified.toLowerCase().indexOf("password", startPasswdStringIndex);
> + if (index != -1)
> + return maskPasswords(modified, index);
> + return modified;
> + }
> + return original;
> + }
More information about the jboss-cvs-commits
mailing list