Sanitizing Tomcat access log entries
In our logs we're seeing credit-card numbers due to people hitting some of the ULRs in our app with CC info (I have no idea why they are doing开发者_StackOverflow中文版 this). We want to sanitize this information (because of PCI considerations) and not even persist it to disk.
Hence, I want to be able to sanitize the log entry before it hits the log file. I've been looking at Tomcat Valves (Access Log Valve). Is this the way to go?
I was able to solve this problem by extending AccessLogValve
and overriding public log(java.lang.String message)
:
public class SanitizedAccessLogValve extends AccessLogValve {
private static Pattern pattern = Pattern.compile("\\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})\\b");
/*
This method will sanitize any cc numbers in the string and replace them with x's
*/
private String sanitize(String string) {
String sanitizedString = string;
if(string != null) {
StringBuffer buffer = new StringBuffer();
Matcher matcher = pattern.matcher(string);
while(matcher.find()) {
MatchResult matchResult = matcher.toMatchResult();
int start = matchResult.start();
int end = matchResult.end();
String matchedText = string.substring(start, end);
matcher.appendReplacement(buffer, "xxxxxxxxxxxxxxxx");
}
matcher.appendTail(buffer);
sanitizedString = buffer.toString();
}
return sanitizedString;
}
@Override
public void log(String message) {
super.log(sanitize(message));
}
}
You need to compile this into a jar, and then put that jar file in $CATALINA_HOME/lib
.
Then in your server.xml
:
<Valve className="my.valves.SanitizedAccessLogValve"
directory="access_logs" prefix="localhost." suffix=".log"
pattern='%v %h %t "%r" %s %B %T "%{User-Agent}i"'/>
精彩评论