gpt4 book ai didi

logging - 如何配置 Tomcat AccessLogValve 隐藏密码?

转载 作者:行者123 更新时间:2023-12-02 16:35:55 28 4
gpt4 key购买 nike

是否可以将 AccessLogValve 配置为在将密码写入日志文件之前隐藏/替换密码?我对阀门不熟悉,也许有办法插入自定义过滤器/阀门?

最佳答案

使用自定义 AccessLogValve 类的解决方案

  1. 创建一个单独的 Maven 项目:

    pom.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://maven.apache.org/POM/4.0.0"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>test</groupId>
    <artifactId>filtered-access-log-valve</artifactId>
    <version>1.0-SNAPSHOT</version>

    <dependencies>
    <dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat-catalina</artifactId>
    <version>7.0.70</version>
    </dependency>
    </dependencies>

    </project>

    FilteredAccessLogValve.java

    package test;

    import org.apache.catalina.valves.AccessLogValve;

    public class FilteredAccessLogValve extends AccessLogValve {
    @Override
    public void log(String message) {
    super.log(message.replaceAll("password=[^&]*", "password=***"));
    }
    }
  2. 从项目构建 jar 工件并将其复制到 tomcat/lib/

  3. tomcat/conf/server.xml中更改访问日志阀类

    <Valve className="test.FilteredAccessLogValve" ...>

使用servlet过滤器的另一种解决方案

最后我找到了这个解决方案,因为它需要最少的 tomcat 配置。

  1. tomcat/conf/context.xml 中,通过注释 <Valve> 关闭默认访问日志阀标签。
  2. 创建AdvancedAccessLogFilter类:

    package your.package;

    import javax.servlet.*;
    import javax.servlet.http.HttpServletRequest;
    import java.io.IOException;

    public class AdvancedAccessLogFilter implements Filter {

    private static final String PASSWORD_REGEX = "password=[^&]+";
    private static final String PASSWORD_MASK = "password=***";
    private FilterConfig filterConfig = null;

    public void destroy() {
    this.filterConfig = null;
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws IOException, ServletException {
    if (filterConfig == null) {
    return;
    }

    HttpServletRequest request = (HttpServletRequest) servletRequest;

    String maskedPath = request.getRequestURI()
    + (request.getQueryString() == null ? "" : request.getQueryString().replaceAll(PASSWORD_REGEX, PASSWORD_MASK))
    + " "
    + request.getProtocol();

    request.setAttribute("maskedPath", maskedPath);
    chain.doFilter(request, servletResponse);
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    this.filterConfig = filterConfig;
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    this.filterConfig = filterConfig;
    }
    }
  3. 在项目的 web.xml 中注册 servlet 过滤器:

    <filter>
    <filter-name>AdvancedAccessLogFilter</filter-name>
    <filter-class>your.package.AdvancedAccessLogFilter</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>AdvancedAccessLogFilter</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>
  4. 使用修改后的访问日志阀模式创建src/main/webapp/META-INF/context.xml:

    <?xml version='1.0' encoding='utf-8'?>    
    <Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <Valve
    className='org.apache.catalina.valves.AccessLogValve'
    directory='logs'
    prefix='localhost_access_log.'
    suffix='.txt'
    pattern='%h %t %m "%{maskedPath}r" %s %b %D'
    />
    </Context>

如果您想从 Spring 上下文 Autowiring 一些 bean,请添加 SpringBeanAutowiringSupport.processInjectionBasedOnCurrentContext(this);到过滤器的init()方法。

关于logging - 如何配置 Tomcat AccessLogValve 隐藏密码?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/16699113/

28 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com