jsonObject as string - searching for regular expression to remove password field

Question

I have a json String which will have somewhere in its content a string like this:

 "password": "password2"

This can be anywhere in the json string, so don't assume it's on the first level. it can even be in a jsonArray. So I need to search the entire string and remove this field, or put its value as null.

So I need to be able to search the entire string and replace the password. For example the string could look like this:

I just want it for logging. My issue is, I want to remove the password value as I am sharing it with a 3rd party.

I need in java to use a regular expression that will search this string and replace the password value with an empty string, or I can do md5 of password even. It must not fail if there is no password string existing. How can I do this? So to be clear, given any input as a string I want the result after filter to be:

 "password": ""

Or it can be a md5 of password value instead of null if its easier. Can you help?

So the function I want to create will look like this:

public String removePasswordFromJsonString(String jsonString){


  //.. do the regualar expression work here....

  return jsonString;

}

Answer 1

Try this ,

String response="{ \"password\": \"password2\", \"otherValue\": \"c18bd5a4-f734-44bf-be77-56b1267dcb9e\" }";
try {
    JSONObject jsonObject=new JSONObject(response);
    jsonObject.put("password", "");
    System.out.println(jsonObject.toString());
} catch (JSONException e) {
    // TODO Auto-generated catch block
    e.printStackTrace();
}

Output :

{"password":"","otherValue":"c18bd5a4-f734-44bf-be77-56b1267dcb9e"}

Note : the above code will set your password field empty , no matter where is it , sequence doesn't matter , it will just overwrite that field with empty string

---

If you still like to use regex then apply this

Regex Demo

    String response="{\n \"email_address\": \"[email protected]\",\n \"password\": \"password1\",\n \"device_id\": \"wtnmrrwyhjeatdcnt\",\n \"device_name\": \"xshjavwuqmtnkhuuxkjfgsnfnd\",\n \"device_token\": \"03118557-2755-495b-f97e\"\n}";
    try {
        
        String newstr= response.replaceAll("(?:\\bpassword)\\W+\\w+", "password\":\"");
        JSONObject jsonObject=new JSONObject(newstr);
        if (jsonObject.getString("password").isEmpty()) {
            System.out.println("empty password" + jsonObject.getString("password"));
        }           
    } catch (JSONException e) {     }

Output:

empty password

(?:\\bpassword)\\W+\\w+

(?:\\bpassword) match password string

• ?: to match the token
• \\b boundary mean don't match something like another_password

\\W+ match any non-word character mean special characters like ,\n

\w+ capture one or more words , to capture string after \":" etc

Answer 2

Temporarily remove the password from the object while you convert it to a JSON string.

I don't know the exact Java code, but here is pseudo-code:

tempPass = jsonObject.password;
jsonObject.password = "";
jsonString = jsonObject.toString();
jsonObject.password = tempPass;

If you know that the password will never contain a double quote (a dangerous assumption in general), you could use the regular expression "password":\s*".*?" and replace it with "password": "".

String regex = "\"password\":\\s*\".*?\"";