Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Don't log property values in PropertySourcesPropertyResolver by default [SPR-14709] #19274

spring-projects-issues opened this issue Sep 13, 2016 · 1 comment
in: core type: enhancement


Copy link

@spring-projects-issues spring-projects-issues commented Sep 13, 2016

Christoffer Sawicki opened SPR-14709 and commented

PropertySourcesPropertyResolver currently logs all values it finds (at level "debug"). This is problematic since some values can be of sensitive nature (e.g. passwords) and some systems have requirements to never log such information.

The safest way to fix this is to modify PropertySourcesPropertyResolver to never log property values at all.

Leaving a hook (like the current logKeyFound) could still be useful for users that would like to — for whatever reason — override this new default behaviour.

(Filing this improvement issue was suggested by @juergen.hoeller in this comment:

Affects: 4.3.2

Issue Links:

  • #18943 Revise PropertySourcesPropertyResolver's default logging and customizability

Referenced from: commits 782c99d, fbe7ddb

Copy link
Collaborator Author

@spring-projects-issues spring-projects-issues commented Sep 13, 2016

Juergen Hoeller commented

As of 4.3.3, we defensively log a simpler message, just including the key and the source but not the retrieved value anymore. logKeyFound can be overridden to change that format back to a message which includes the value.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
in: core type: enhancement
None yet

No branches or pull requests

2 participants