Prevent printing passwords in SOAP services log files
```java
public boolean handleMessage(SOAPMessageContext context) {
    SOAPMessage message = context.getMessage();
    boolean isOutboundMessage = (Boolean) context.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
    if (!isOutboundMessage) {
        try {
            Document document = message.getSOAPBody().extractContentAsDocument();
            if (document != null && document.getElementsByTagName("password") != null) {
                Node node = document.getElementsByTagName("password").item(0);
                if (node != null) {
                    node.setTextContent("*****");
                }
                String xmlDoc = getStringFromDocument(document);
                logger.info("Received payload: " + xmlDoc);
            }
            Map<String, List<String>> headers = (Map<String, List<String>>) context.get(MessageContext.HTTP_REQUEST_HEADERS);
            headers.forEach((key, value) -> logger.info(key + ":" + value));
        } catch (SOAPException e) {
            logger.error("Exception while parsing payload as document", e);
        }
    }
    return true;
}
```
I want to avoid printing passwords to the logs, so I created my own custom handler. My question is: does it update the actual soapMessage with the dummy password if I follow the above approach? I don't want it to update the soapMessage with the dummy password, because I am not sure if the handler will be executed before or after authentication.
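One way to log a masked payload without changing what the endpoint later reads, as an added example that is not part of the original question: `SOAPBody.extractContentAsDocument()` detaches the body content from the message, so this sketch serializes the message with `SOAPMessage.writeTo` instead and masks a separately parsed copy. The class name `MaskedSoapLog` and method `maskedCopy` are hypothetical; it assumes the `javax.xml.soap` API used in the question, a message without attachments, and credentials carried in elements whose local name is `password`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.soap.SOAPMessage;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Hypothetical helper: name and structure are assumptions, not from the question.
public final class MaskedSoapLog {

    private MaskedSoapLog() {}

    /** Returns the message as XML text with every password element masked. */
    public static String maskedCopy(SOAPMessage message) throws Exception {
        // writeTo() serializes the message; the Document parsed below is a
        // separate copy, so edits to it never reach the live SOAPMessage.
        ByteArrayOutputStream raw = new ByteArrayOutputStream();
        message.writeTo(raw);

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Incoming payloads are untrusted: refuse DOCTYPE declarations (XXE).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document copy = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(raw.toByteArray()));

        // Mask every occurrence, in any namespace, not only item(0).
        NodeList secrets = copy.getElementsByTagNameNS("*", "password");
        for (int i = 0; i < secrets.getLength(); i++) {
            secrets.item(i).setTextContent("*****");
        }

        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(copy), new StreamResult(out));
        return out.toString();
    }
}
```

In the handler, the `extractContentAsDocument()` branch would become a single `logger.info("Received payload: " + MaskedSoapLog.maskedCopy(message))` call. The header loop in the question logs every HTTP request header, so an `Authorization` header would need the same masking before it is written.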
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
