Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hashing remote user #347

Open
hsellik opened this issue Jun 16, 2023 · 1 comment
Open

Hashing remote user #347

hsellik opened this issue Jun 16, 2023 · 1 comment
Labels
type:question A question about usage, support, internal behavior, etc.

Comments

@hsellik
Copy link

hsellik commented Jun 16, 2023

Question

Is there a way to hash the remote user that gets logged?

There used to be LogbackAccessSecurityAttributesSaveFilter which enabled to override the doFilter() function, but it has been removed in the newer version of this starter.
@hsellik hsellik added the type:question A question about usage, support, internal behavior, etc. label Jun 16, 2023
@hsellik
Copy link
Author

hsellik commented Jun 20, 2023

Went for a hack like this:

@Component
public class FilterConfiguration {

  @Bean
  @NotNull
  public FilterRegistrationBean<LogbackAccessSecurityServletFilter> logbackAccessSecurityServletFilter() {
    return new FilterRegistrationBean(new CustomSecurityAttributesSaveFilter());
  }

}

public class CustomSecurityAttributesSaveFilter implements Filter {

  @NotNull
  public static final String REMOTE_USER_ATTRIBUTE = Reflection.getOrCreateKotlinClass(LogbackAccessSecurityServletFilter.class).getQualifiedName() + ".remoteUser";

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException {
    saveSecurityAttributes((HttpServletRequest) request);
    chain.doFilter(request, response);
  }

  private void saveSecurityAttributes(HttpServletRequest request) {
    request.setAttribute(REMOTE_USER_ATTRIBUTE, hash(request.getRemoteUser()));
  }

}

Is there a reason that LogbackAccessSecurityServletFilter is final? Otherwise I could override the doFilter there and create my own FilterRegistrationBean without any warnings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type:question A question about usage, support, internal behavior, etc.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@hsellik