0

我已经为 struts2 启用了日志记录。使用基本的 log4j 配置,我看到当我提交登录表单时,用户名/密码被打印在参数拦截器的日志中。无论如何要禁用/加密它,以便用户名/密码不会显式打印在日志中?如果还需要什么请告诉我??

我的 Log4j 配置:

# Direct log messages to a log file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=C:\\logfile.log
log4j.appender.file.MaxFileSize=10MB
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.file.layout.ConversionPattern=%d{ABSOLUTE} %5p %c{1}:%L - %m%n

# Direct log messages to stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.Target=System.out
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p %c{1}:%L - %m%n

# Root logger option
log4j.rootLogger=debug, file, stdout
4

1 回答 1

0

Find the source of your version of the ParameterInterceptor on Jarvana or similar sites, then recompile it:

  • with an encrypted logging functionality

or

  • without the logging functionality (and hope you'll never need to see that logs again :)

then substitute it to the real ParameterInterceptor.

But seriously... who cares ?

As said in comments, if they're inside the system, this is your last problem.

Edit: as suggested by AleksandrM, for Struts you can find the source directly from the official site: http://struts.apache.org/development/2.x/

于 2013-03-29T23:56:21.740 回答