
RestTemplate data security issue in DEBUG logging [SPR-9309] #13947

Closed
spring-projects-issues opened this issue Apr 5, 2012 · 3 comments

Labels: in: web, status: declined, type: enhancement

Comments


@spring-projects-issues spring-projects-issues commented Apr 5, 2012

Janet Moyer opened SPR-9309 and commented

I want to use RestTemplate.postForEntity() in an application with high security requirements. When debug logging is enabled, HttpEntityRequestCallback.doWithRequest() logs the content of the request being posted. This violates data security requirements by providing a logging back door to be able to view secure content. A workaround is to use RestTemplate.execute() and supply a custom RequestCallback; this means recoding a lot of useful functionality provided by HttpEntityRequestCallback, and requires strict governance to restrict developers from using all other RestTemplate methods.

The suggested improvement is to either dial back debug logging in HttpEntityRequestCallback.doWithRequest so as not to display the request body at all, or provide a configurable option which would turn off this logging.


Affects: 3.0.7

1 vote, 4 watchers
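The workaround the report describes, RestTemplate.execute() with a custom RequestCallback, written out as an added example; it is not code from the issue or from the Spring project. It assumes a Spring 5.x-era RestTemplate API (RequestCallback and ResponseExtractor usable as lambdas, StreamUtils available), and the endpoint URL and JSON payload are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;

import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.util.StreamUtils;
import org.springframework.web.client.RequestCallback;
import org.springframework.web.client.ResponseExtractor;
import org.springframework.web.client.RestTemplate;

/**
 * Posts a sensitive body through RestTemplate without going through
 * HttpEntityRequestCallback, so the body never reaches the DEBUG log line
 * the issue describes. Added example, not Spring's own code.
 */
public class SensitivePostExample {

    /**
     * Writes an already-serialized body straight onto the request.
     * Nothing here logs the body; only content type and length are set.
     * Trade-off: the message-converter pipeline is bypassed, so the caller
     * serializes the body itself (the "recoding" the report mentions).
     */
    static RequestCallback sensitiveBody(byte[] body, MediaType contentType) {
        return request -> {
            request.getHeaders().setContentType(contentType);
            request.getHeaders().setContentLength(body.length);
            request.getBody().write(body);
        };
    }

    /** Reads the response body as a UTF-8 string; again, nothing is logged. */
    static ResponseExtractor<String> bodyAsString() {
        return response -> StreamUtils.copyToString(response.getBody(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        RestTemplate rest = new RestTemplate();

        // Constructed placeholder payload: a real system would serialize its
        // domain object here. "PLACEHOLDER-PAN" is a dummy marker, not a card number.
        byte[] payload = "{\"pan\":\"PLACEHOLDER-PAN\",\"amount\":\"10.00\"}"
                .getBytes(StandardCharsets.UTF_8);

        // Hypothetical endpoint; ".invalid" is a reserved, unresolvable TLD.
        String url = "https://payments.example.invalid/charge";

        String response = rest.execute(url, HttpMethod.POST,
                sensitiveBody(payload, MediaType.APPLICATION_JSON), bodyAsString());
        System.out.println("Response length: " + response.length());
    }
}
```

This only removes RestTemplate's own "Writing [...]" debug line. The other mitigation raised later in the thread, keeping the RestTemplate logger (assumed here to be the class-name logger, org.springframework.web.client.RestTemplate) at INFO or above in production, is simpler where log levels are under administrative control. In either case the underlying HTTP client library's wire logging is a separate channel and needs its own review.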


@spring-projects-issues spring-projects-issues commented Sep 10, 2012

Rossen Stoyanchev commented

janet.moyer, why do you consider this a security issue? This is debug information for use during development. Hopefully logs and log levels are controlled by administrators only and should not be set to DEBUG. We can possibly change the log level to TRACE, but ultimately this is meant to be useful for debugging purposes.


@spring-projects-issues spring-projects-issues commented Sep 14, 2012

Janet Moyer commented

We're developing credit card software which must be PCI compliant. PCI is a set of standards which govern credit card security and aim to protect credit card numbers. Some of the requirements govern secure handling of logs containing credit card numbers. The simplest, cheapest way to conform is not to log the credit card numbers at all.


@spring-projects-issues spring-projects-issues commented Sep 17, 2012

Rossen Stoyanchev commented

Janet Moyer, is disabling DEBUG logging for the RestTemplate not an option?

@spring-projects-issues spring-projects-issues added status: declined type: enhancement in: web labels Jan 11, 2019