Masking passwords in logs

1. Direct regex replacement

You can try the following simple regex replacement. It assumes that the password lies between password= and the next &.

String s = "password=qweqweqwe&qwe=qwe ";
String maskedPassword = s.replaceAll("password=[^&]*", "password=***");
System.out.println(maskedPassword);

prints:

password=***&qwe=qwe

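2. logback can be configured to do regex replacement

Configuring a global replacement rule has a noticeable impact on logging performance.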

The logback version 0.9.27 introduced replacement capability. Replacements support regular expressions. For example, if the logged message was "userid=alice, pswd='my secret'", and the output pattern was

"%d [%t] %logger - %msg%n",

you just modify the pattern to

"%d [%t] %logger - %replace(%msg){"pswd='.*'", "pswd='xxx'"}%n"

Note that the above makes use of option quoting.

The previous log message would then be output as "userid=alice, pswd='xxx'".

For blazing performance, you could also mark the log statement as CONFIDENTIAL and instruct %replace to perform replacement only for log statements marked as CONFIDENTIAL. Example,

Marker confidential = MarkerFactory.getMarker("CONFIDENTIAL");
logger.info(confidential, "userid={}, password='{}'", userid, password);

Unfortunately, the current version of logback does not yet support conditional replacements (based on markers or otherwise). However, you could easily write your own replacement code by extending ReplacingCompositeConverter. Shout on the logback-user mailing list if you need further assistance.
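The two regexes shown in sections 1 and 2 behave differently once a message carries more than one field. The following is an added example, not code from the original post or from logback: it runs the greedy pswd='.*' pattern next to bounded rules applied in order. The class name LogMasker, its methods and the sample messages are hypothetical, and it assumes password values never contain an escaped quote.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not from the original post): ordered regex masking rules.
// LogMasker, rule() and mask() are hypothetical names.
public class LogMasker {
    private final List<Pattern> patterns = new ArrayList<>();
    private final List<String> replacements = new ArrayList<>();

    public LogMasker rule(String regex, String replacement) {
        patterns.add(Pattern.compile(regex));   // compile once, reuse per message
        replacements.add(replacement);
        return this;
    }

    // Apply every rule in the order it was registered.
    public String mask(String msg) {
        String out = msg;
        for (int i = 0; i < patterns.size(); i++) {
            out = patterns.get(i).matcher(out).replaceAll(replacements.get(i));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample messages.
        String query  = "user=alice&password=qweqweqwe&qwe=qwe";
        String quoted = "userid=alice, pswd='my secret', client='web'";

        // The greedy '.*' runs to the LAST quote on the line, so the
        // unrelated client field is masked away together with the password.
        System.out.println(quoted.replaceAll("pswd='.*'", "pswd='xxx'"));

        LogMasker masker = new LogMasker()
            // Unquoted key=value: stop at '&', ',', whitespace or a quote.
            // No word boundary before the key, so old_password= is covered too.
            .rule("(?i)(password|pswd)=[^&,\\s']+", "$1=***")
            // Quoted value: [^']* cannot cross the closing quote.
            // Assumption: values never contain an escaped quote.
            .rule("(?i)(password|pswd)='[^']*'", "$1='***'");

        System.out.println(masker.mask(query));
        System.out.println(masker.mask(quoted));
    }
}
```

The same bounded expressions can be used as the regex argument of %replace or as filterset pattern values; test them against real message shapes before relying on them.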

3. log4j: replacement via layout and pattern

Official Log4j documentation:

https://logging.apache.org/log4j/2.x/manual/appenders.html

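Masking sensitive information during logging with log4j

About this task

You can configure the log4j utility to prevent sensitive information (such as credit card numbers and passwords) from being written to log messages. To mask sensitive information, you must use the custom log4j layout and filter provided with the application, and define a set of named regular expressions in the customer_override.properties file.

The custom log4j layout takes the formatted message and filters the result against a configurable set of regular expressions. The custom log4j filter lets you match messages against a set of regular expressions and discard a message if it matches.

To mask sensitive information during logging:

Procedure

In the custom logging configuration, change the layout class name to SCIFilteredPatternLayout. For example: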

<layout class="com.sterlingcommerce.woodstock.util.frame.logex.SCIFilteredPatternLayout">
     <param name="ConversionPattern" value="%d:%-7p:%t: %-60m [%X{AppUserId}]: %-25c{1}%n"/>
     <param name="FilterSet" value="common-filter"/> <!-- Optional -->
</layout>

In the custom logging configuration, change the filter class name to SCIPatternFilter. For example:

<filter  class="com.sterlingcommerce.woodstock.util.frame.logex.SCIPatternFilter">
    <param name="FilterSet" value="suppress" /> <!-- Optional -->
</filter>

Define a set of named regular expressions that you want messages matched against, using the following property in the <INSTALL_DIR>/properties/customer_overrides.properties file:

 filterset.<name>.pattern.<num>=<pattern>

This property is optional:

filterset.<name>.replace.<num>=<replace>

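where <pattern> is a Java-style regular expression that defines the expression to match against the message string. The replace property is optional and defines the string used to replace the matched expression.

You can set the default FilterSet parameters with the following properties: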

 default.filter.filterset=<filter_name>
 default.layout.filterset=<layout_name>

You can also define a common set of regular expression patterns shared across multiple filter sets, as follows:

filterset.name.includes=<name1>,<name2>,...

See the <INSTALL_DIR>/properties/logfilter.properties.in file for sample entries that define these properties.

posted on 2015-12-23 00:21  laoniu85