This article covers how to deal with request parameters being recorded in the access log when using the embedded Jetty server of a Spring Boot application.

Problem description

I have an issue with my application: it logs the request along with its query parameters, which may contain sensitive data, in the access log. The application is configured with logback.xml and embedded Jetty.

The Jetty server is customized with the accessLogCustomizer below:

public JettyServerCustomizer accessLogCustomizer() {
  return server -> {
    Slf4jRequestLog requestLog = new Slf4jRequestLog();
    requestLog.setExtended(true);
    requestLog.setLogLatency(true);
    requestLog.setPreferProxiedForAddress(true);
    requestLog.setLogTimeZone(userTimezone == null ? ZoneId.systemDefault().getId() : userTimezone);
    requestLog.setLogDateFormat("Y-MM-dd HH:mm:ss, SSS Z");

    RequestLogHandler requestLogHandler = new RequestLogHandler();
    requestLogHandler.setRequestLog(requestLog);
    requestLogHandler.setHandler(server.getHandler());
    server.setHandler(requestLogHandler);
  };
}

logback.xml

    <appender name="access" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <File>${logs.dir}/abc-access.log</File>
        <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
            <layout class="ch.qos.logback.classic.PatternLayout">
                <Pattern>%m %n</Pattern>
            </layout>
            <charset>UTF-8</charset>
        </encoder>
        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
            <FileNamePattern>${logs.dir}/abc-access.%d.log.gz</FileNamePattern>
        </rollingPolicy>
    </appender>
    <logger name="org.eclipse.jetty.server.RequestLog" additivity="false">
        <appender-ref ref="access"/>
    </logger>

Request as logged in the access log:

192.168.0.100 - - [2021-05-20 15:48:15,093 +0530] "POST /myAPI/v2/customer/message?myID=123&messageText=hello HTTP/1.0" 200 0 "-" "PostmanRuntime/7.26.8" 475

I am trying to avoid messageText in the access log, but I am not getting any solution.

Recommended answer

Use CustomRequestLog and Slf4jRequestLogWriter instead.

You'll want the special format option %U, which emits the URL path without the query string (which is available as %q, btw).

Your resulting configuration would look like this ...

Slf4jRequestLogWriter slfjRequestLogWriter = new Slf4jRequestLogWriter();
String format = "%{client}a - %u %t %m \"%U\" %s %O \"%{Referer}i\" \"%{User-Agent}i\"";
CustomRequestLog customRequestLog = new CustomRequestLog(slfjRequestLogWriter, format);
server.setRequestLog(customRequestLog);

Play with the format line, and read the Javadoc on CustomRequestLog to know what you can do.

Some notes:

  • The example format is not strictly following the Extended NCSA format (as it's missing the HTTP version portion, and the HTTP method is outside of the quoted section, but that is usually not a problem for many users).
  • Slf4jRequestLogWriter is only concerned with taking the formatted log line and sending it to the slf4j-api; it does nothing else.
  • RequestLogHandler is deprecated and not a recommended usage anymore (as it does not log bad requests and context-less requests); use Server.setRequestLog(RequestLog) instead.
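An added example, not part of the original question or answer, that goes one step beyond %U: it keeps the full request line (%r) so that non-sensitive parameters such as myID stay in the access log, and masks every other query parameter value in a custom RequestLog.Writer before the line reaches slf4j. The class name, the allow-list contents and the [REDACTED] marker are assumptions, and Java 9+ is assumed for Set.of and Matcher.replaceAll(Function).

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.eclipse.jetty.server.CustomRequestLog;
import org.eclipse.jetty.server.RequestLog;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.web.embedded.jetty.JettyServerCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class RedactedAccessLogConfig { // hypothetical class name

    // Assumption: only these (lower-cased) parameter names are safe to log.
    // Anything else, including percent-encoded spellings of a name, is masked (fail closed).
    private static final Set<String> ALLOWED = Set.of("myid");

    // name=value pairs introduced by '?' or '&'; a value ends at '&', whitespace or a quote.
    // Applied to the whole line, so query strings inside the Referer field are masked too.
    private static final Pattern PARAM = Pattern.compile("([?&])([^=&\\s\"]+)=([^&\\s\"]*)");

    // Same logger name as the <logger> element in the logback.xml from the question.
    private static final Logger ACCESS = LoggerFactory.getLogger("org.eclipse.jetty.server.RequestLog");

    /** Masks the value of every query parameter whose name is not allow-listed. */
    static String redact(String entry) {
        return PARAM.matcher(entry).replaceAll(m -> {
            boolean keep = ALLOWED.contains(m.group(2).toLowerCase(Locale.ROOT));
            String value = keep ? m.group(3) : "[REDACTED]";
            // quoteReplacement stops '$' or '\' in logged data being read as group references.
            return Matcher.quoteReplacement(m.group(1) + m.group(2) + "=" + value);
        });
    }

    @Bean
    public JettyServerCustomizer accessLogCustomizer() {
        // RequestLog.Writer has a single write(String) method, so a lambda is enough.
        RequestLog.Writer writer = entry -> ACCESS.info(redact(entry));
        // EXTENDED_NCSA_FORMAT contains "%r", the request line including the query string.
        return server -> server.setRequestLog(
                new CustomRequestLog(writer, CustomRequestLog.EXTENDED_NCSA_FORMAT));
    }
}
```

For the request in the question, the logged request line becomes "POST /myAPI/v2/customer/message?myID=123&messageText=[REDACTED] HTTP/1.0". Access log files written before the change still contain the original values.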


07-25 00:48