I have an application based on Apache Storm 2.3. The application also has Jersey dependencies such as:
<dependency>
    <groupId>org.glassfish.jersey.core</groupId>
    <artifactId>jersey-common</artifactId>
    <version>2.29</version>
</dependency>
There is also one library dependency (let's call it A) which also inherently calls the Jersey client.
Problem Statement: I am able to control the logging done by my application, such as masking the sensitive token. However, the masking settings done in log4j2.xml are not getting applied to the calls made by A and the sensitive info is getting printed in logs.
On debugging, it was getting printed by the LoggingFeature class in jersey-common-2.29.jar. Something like:
- org.glassfish.jersey.logging.LoggingInterceptor log INFO: 1 * Sending client request on thread ...*
How can I mask the token printed by the calls made by this library?
The complete flow is:
I call a utility function of library A (passing the token and other info as parameters) -> Library A makes the HTTP call -> token gets printed.
I tried multiple masking techniques such as described here: https://alesaudate.medium.com/masking-sensitive-data-in-log4j-2-the-simplest-way-possible-2c2e74c17f2d or https://facingissuesonit.com/log4j2-how-to-mask-logs-personal-confidential-spi-information/.
P.S -> I can't change the logging library, as it might affect the current logging.
Log4j Core can mask your messages only if a library actually uses it as logging backend.
Jersey uses java.util.logging as logging API (cf. source code), which is the most difficult to redirect to a non-standard logging backend.

In order to do so, you need to set the java.util.logging.manager Java system property to a different LogManager, before any logging starts, which usually means on the command line.

In order to do it in an Apache Storm distribution you need to:
- add log4j-jul to the application classpath (lib subfolder of the distribution),
- add a storm-env.sh file in the conf directory of the distribution with content: