You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Many of Log4j components require a password attribute (e.g. SslConfiguration, JdbcAppender, etc.), but only BasicAuthorizationProvider uses a pluggable PasswordDecryptor service to interpret the meaning of the password field.
I would propose to extend the usage of this service to all password fields and provide two implementations of PasswordDecryptor:
one implementation that interprets the "password" as the path to a file that contains the password,
one implementation that interprets the "password" as the name of an environment variable that contains the password.
This would allow us to deprecate configuration properties such as log4j2.keyStorePasswordFile and log4j2.keyStorePasswordEnvironmentVariable.
Disclaimer: I am fully aware that a real password encryption/decryption mechanism doesn't make sense, since configuration sources must be trusted anyway and I totally agree with the remarks about password encryption on Tomcat's Wiki.
However some auditors and analysis tools might have problems with plain text passwords in configuration files and this feature will allow users to provide their own workarounds.
The text was updated successfully, but these errors were encountered:
FYI, in our configurations we use something like this in our Spring application's bootstrap.yml. This allows us to retrieve our logging configuration, with overrides, from our Spring Cloud Config Service. Note that the user name and password specified in bootstrap.yml ONLY work for developer testing on their laptop. When deployed we specify the spring username and password via system property overrides on the command line.Those are stored in a vault and accessed only from the deployment scripts. SCC supports Basic authentication. In other words, in my case I would have no use for the password decryptor as whatever we do has to be supported by Spring.
Many of Log4j components require a password attribute (e.g.
SslConfiguration
,JdbcAppender
, etc.), but onlyBasicAuthorizationProvider
uses a pluggablePasswordDecryptor
service to interpret the meaning of the password field.I would propose to extend the usage of this service to all password fields and provide two implementations of
PasswordDecryptor
:This would allow us to deprecate configuration properties such as
log4j2.keyStorePasswordFile
andlog4j2.keyStorePasswordEnvironmentVariable
.Disclaimer: I am fully aware that a real password encryption/decryption mechanism doesn't make sense, since configuration sources must be trusted anyway and I totally agree with the remarks about password encryption on Tomcat's Wiki.
However some auditors and analysis tools might have problems with plain text passwords in configuration files and this feature will allow users to provide their own workarounds.
The text was updated successfully, but these errors were encountered: