How To Mask Sensitive Data

In this quick tutorial, we'll show you how to intercept data before libraries log it into a file by creating a Rewrite Policy for your sensitive data.

Julie Russell

Oct. 21, 20 · Tutorial

Likes (5)

Comment

Save

23.3K Views

You can leverage the Log4j Framework by Apache to make changes to the message logger during application execution. In the case where you are dealing with sensitive data in your application, it is difficult to mask at the code level because so many of the libraries log data that you do not have control over the message input. What Log4j offers is a way to intercept the data before it logs it to a file by creating a Rewrite Policy.

Rewrite Policy

You need to create a Java class that implements the Apache RewritePolicy class. This will give you access to the log data before it is logged such as the logger name, level, message, throwable, etc... You will notice that you need to invoke the class as a factory method. In this case we are not passing any arguments so we just call the constructor and there is no logic involved. To pass arguments you need to annotate them with @PluginAttribute(“attributeName”) and then pass them to the constructor when instantiating the object.

     Java 
   
          x 
         
package com.diamondedgeit.custom.logger;
 
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.appender.rewrite.RewritePolicy;
import org.apache.logging.log4j.core.config.plugins.Plugin;
import org.apache.logging.log4j.core.config.plugins.PluginFactory;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;
import org.apache.logging.log4j.message.SimpleMessage;
import org.apache.logging.log4j.status.StatusLogger;
 
@Plugin(name = "LogInterceptor", category = "Core", elementType = "rewritePolicy", printObject = true)
public class CustomLogInterceptor implements RewritePolicy {
    protected static final Logger logger = StatusLogger.getLogger()
    
      private CustomLogInterceptor() { }
              
      @PluginFactory
      public static CustomLogInterceptor createPolicy() {
        return new CustomLogInterceptor();
      }
              
      @Override
      public LogEvent rewrite(LogEvent event) {
        String message = event.getMessage().getFormattedMessage();
                               
        // write your code to manipulate your message here
        message = message.replaceAll("password", "*******");
                                                             
        return Log4jLogEvent.newBuilder()
            .setLoggerName(event.getLoggerName())
            .setMarker(event.getMarker())
            .setLoggerFqcn(event.getLoggerFqcn())
            .setLevel(event.getLevel())
            .setMessage(new SimpleMessage(message))
            .setThrown(event.getThrown())
            .setContextMap(event.getContextMap())
            .setContextStack(event.getContextStack())
            .setThreadName(event.getThreadName())
            .setSource(event.getSource())
            .setTimeMillis(event.getTimeMillis())
            .build();
      }
}

Log4j XML

Below in an example of how you can wire in your Rewrite Policy for Log4j.

In this example;

The AsyncRoot references the Rewrite Appender
The Rewrite Appender references the Rewrite Policy found in the package specified in the Configuration node
The Rewrite Appender references the Rolling File Appender

When you run your application you will notice that the logger is intercepted after it writes to the console and before it writes to the log file. If you add a Console Appender and reference it from the Rewrite Appender the console will show log every line twice, once with the modified log line and one without. Therefore it is better to leave it as just the Rolling File Appender so that no sensitive data is persisted and the console stays legible.

     XML 
   
 
  
    
xxxxxxxxxx

              
          
<?xml version="1.0" encoding="utf-8"?>
<Configuration status="trace" packages="com.deic.custom.logger">
    <Appenders>
        <RollingFile name="file" fileName="${sys:logs.home}sys:file.separator}test.log"
            filePattern="${sys:logs.home}${sys:file.separator}test-%i.log">
            <PatternLayout pattern="%d [%t] %-5p %c - %m%n" ></PatternLayout>
            <SizeBasedTriggeringPolicy size="10 MB" ></SizeBasedTriggeringPolicy>
            <DefaultRolloverStrategy max="10"></DefaultRolloverStrategy>
        </RollingFile>
        <Rewrite name="rewrite">
            <LogInterceptor ></LogInterceptor>
            <AppenderRef ref="file"></AppenderRef>
        </Rewrite>
    </Appenders>
    <Loggers>
        // some loggers here
       <AsyncRoot level="INFO">
            <AppenderRef ref="rewrite" ></AppenderRef>
       </AsyncRoot>
    </Loggers>
</Configuration>

Data (computing)

Published at DZone with permission of Julie Russell. See the original article here.

Opinions expressed by DZone contributors are their own.

Related

Trending

How To Mask Sensitive Data

In this quick tutorial, we'll show you how to intercept data before libraries log it into a file by creating a Rewrite Policy for your sensitive data.

Rewrite Policy

Log4j XML

Related

Partner Resources