Don't log property values in PropertySourcesPropertyResolver by default [SPR-14709]

[spring-projects-issues]

Christoffer Sawicki opened SPR-14709 and commented

PropertySourcesPropertyResolver currently logs all values it finds (at level "debug"). This is problematic since some values can be of sensitive nature (e.g. passwords) and some systems have requirements to never log such information.

The safest way to fix this is to modify PropertySourcesPropertyResolver to never log property values at all.

Leaving a hook (like the current logKeyFound) could still be useful for users that would like to — for whatever reason — override this new default behaviour.

(Filing this improvement issue was suggested by @juergen.hoeller in this comment: https://jira.spring.io/browse/SPR-14370?focusedCommentId=132028)

---

Affects: 4.3.2

Issue Links:

• Revise PropertySourcesPropertyResolver's default logging and customizability [SPR-14370] #18943 Revise PropertySourcesPropertyResolver's default logging and customizability

Referenced from: commits 782c99d, fbe7ddb

[spring-projects-issues]

Juergen Hoeller commented

As of 4.3.3, we defensively log a simpler message, just including the key and the source but not the retrieved value anymore. logKeyFound can be overridden to change that format back to a message which includes the value.