Don't log property values in PropertySourcesPropertyResolver by default [SPR-14709] #19274
Assignees
Labels
in: core
Issues in core modules (aop, beans, core, context, expression)
type: enhancement
A general enhancement
Milestone
Comments
|
Juergen Hoeller commented As of 4.3.3, we defensively log a simpler message, just including the key and the source but not the retrieved value anymore. |
spring-projects-issues
added
type: enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Christoffer Sawicki opened SPR-14709 and commented
PropertySourcesPropertyResolvercurrently logs all values it finds (at level "debug"). This is problematic since some values can be of sensitive nature (e.g. passwords) and some systems have requirements to never log such information.The safest way to fix this is to modify
PropertySourcesPropertyResolverto never log property values at all.Leaving a hook (like the current
logKeyFound) could still be useful for users that would like to — for whatever reason — override this new default behaviour.(Filing this improvement issue was suggested by
@juergen.hoeller in this comment: https://jira.spring.io/browse/SPR-14370?focusedCommentId=132028)Affects: 4.3.2
Issue Links:
Referenced from: commits 782c99d, fbe7ddb
The text was updated successfully, but these errors were encountered: