Apache httpclient seems to log passwords in cleartext when debug logging is turned on.
Is there a way to disable this? So that I can see the rest of the debug logging but not the credentials?
Create a SHA1 hash of the password in memory before you send it on the network.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

MessageDigest md = MessageDigest.getInstance("SHA-1");
md.update(text.getBytes(StandardCharsets.UTF_8)); // hash every byte of the UTF-8 encoding; its length can differ from text.length()
byte[] sha1hash = md.digest(); // 20-byte SHA-1 digest
http://www.mkyong.com/java/java-sha-hashing-example/
If you absolutely need cleartext passwords, you have several choices:
You can disable logging for the headers or set it to a level higher than debug: Disable HttpClient logging
You can dynamically disable the logging right before you send the password and then turn it back on again: Dynamically configuring Apache Http client
You can implement your own Logger handler/formatter or subclass one of the basic ones and search the output for your password and replace it with XXXXXXXXX. Then set the handler to your class: https://hc.apache.org/httpcomponents-client-ga/logging.html
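As an added illustration of the third option (this is example code, not from the answer above or from HttpClient itself), a java.util.logging Formatter that masks the value of Authorization / Proxy-Authorization headers before they are written. It assumes HttpClient's logging is routed to java.util.logging as the linked page describes, that the header logger is named org.apache.http.headers, and the sample log lines in main are constructed in the style of that logger's output.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical formatter for this answer: redacts credential-bearing header values.
// The pattern assumes lines of the form ">> Authorization: Basic <token>" as emitted
// by HttpClient's header and wire logging (the trailing [\r][\n]" of wire output is kept).
public class RedactingFormatter extends SimpleFormatter {
    private static final Pattern CREDENTIAL_HEADER = Pattern.compile(
        "(?i)((?:Proxy-)?Authorization:\\s*)(\\S+\\s+)?[^\\s\\[\"]+");

    // Replaces the credential token with XXXXXXXXX, keeping the scheme (Basic, Bearer, ...).
    static String redact(String line) {
        if (line == null) return null;
        Matcher m = CREDENTIAL_HEADER.matcher(line);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String scheme = m.group(2) == null ? "" : m.group(2);
            m.appendReplacement(sb, Matcher.quoteReplacement(m.group(1) + scheme + "XXXXXXXXX"));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    @Override
    public String format(LogRecord record) {
        // Redact the fully formatted message so parameterised messages are covered too.
        String msg = redact(formatMessage(record));
        return record.getLevel() + " " + record.getLoggerName() + ": " + msg + System.lineSeparator();
    }

    public static void main(String[] args) {
        Logger log = Logger.getLogger("org.apache.http.headers");
        log.setUseParentHandlers(false);
        log.setLevel(Level.FINEST);
        ConsoleHandler handler = new ConsoleHandler();
        handler.setLevel(Level.FINEST);
        handler.setFormatter(new RedactingFormatter());
        log.addHandler(handler);
        // Constructed sample lines in the style of HttpClient header debug output.
        log.finest(">> Authorization: Basic dXNlcjpzZWNyZXQ=");
        log.finest(">> Host: example.com");
    }
}
```

This only covers credentials carried in request headers; a password sent form-encoded in the request body would need its own pattern on the wire logger's output.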