csrf - 更改 OWasp CSRFGuard 的日志记录级别
问题描述
我已经在我的 Java 应用程序中成功安装了OWasp CSRFGuard 。
我的CSRFGuard.Properties文件包含以下内容:
# Logger
#
# The logger property (org.owasp.csrfguard.Logger) defines the qualified class name of
# the object responsible for processing all log messages produced by CSRFGuard. The default
# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class logs all messages
# to System.out which JavaEE application servers redirect to a vendor specific log file.
# Developers can customize the logging behavior of CSRFGuard by implementing the
# org.owasp.csrfguard.log.ILogger interface and setting the logger property to the new
# logger's qualified class name. The following configuration snippet instructs OWASP CSRFGuard
# to capture all log messages to the console:
#
# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
我可以从https://www.javatips.net/api/OWASP-CSRFGuard-master/csrfguard/src/main/java/org/owasp/csrfguard/log/JavaLogger.java看到不同的日志记录级别
LOGGER.log(Level.FINEST, exception.getLocalizedMessage(), exception);
break;
case Debug:
LOGGER.log(Level.FINE, exception.getLocalizedMessage(), exception);
break;
case Info:
LOGGER.log(Level.INFO, exception.getLocalizedMessage(), exception);
break;
case Warning:
LOGGER.log(Level.WARNING, exception.getLocalizedMessage(), exception);
break;
case Error:
LOGGER.log(Level.WARNING, exception.getLocalizedMessage(), exception);
break;
case Fatal:
LOGGER.log(Level.SEVERE
如何将日志记录级别更改为CSRFGuard.Properties仅显示Level.WARNING
目前,每个请求都被分析和记录。
INFO: CsrfGuard analyzing request example.com/examplepage.jsp
解决方案
替换以下行CSRFGuard.Properties
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
和
org.owasp.csrfguard.Logger=com.myPackage.MyLogger
并添加一个新类如下(基于此代码),在构造函数中设置所需的日志级别MyLogger()(在下面的示例中,我将最小日志级别设置为Level.WARNING)
package com.myPackage
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.csrfguard.log.LogLevel;
public class MyLogger implements org.owasp.csrfguard.log.ILogger {
private static final long serialVersionUID = 1L;
private final static Logger LOGGER = Logger.getLogger("Owasp.CsrfGuard");
public MyLogger() {
LOGGER.setLevel(Level.WARNING);
}
@Override
public void log(String msg) {
LOGGER.info(msg.replaceAll("(\\r|\\n)", ""));
}
@Override
public void log(LogLevel level, String msg) {
// Remove CR and LF characters to prevent CRLF injection
String sanitizedMsg = msg.replaceAll("(\\r|\\n)", "");
switch(level) {
case Trace:
LOGGER.finest(sanitizedMsg);
break;
case Debug:
LOGGER.fine(sanitizedMsg);
break;
case Info:
LOGGER.info(sanitizedMsg);
break;
case Warning:
LOGGER.warning(sanitizedMsg);
break;
case Error:
LOGGER.warning(sanitizedMsg);
break;
case Fatal:
LOGGER.severe(sanitizedMsg);
break;
default:
throw new RuntimeException("unsupported log level " + level);
}
}
@Override
public void log(Exception exception) {
LOGGER.log(Level.WARNING, exception.getLocalizedMessage(), exception);
}
@Override
public void log(LogLevel level, Exception exception) {
switch(level) {
case Trace:
LOGGER.log(Level.FINEST, exception.getLocalizedMessage(), exception);
break;
case Debug:
LOGGER.log(Level.FINE, exception.getLocalizedMessage(), exception);
break;
case Info:
LOGGER.log(Level.INFO, exception.getLocalizedMessage(), exception);
break;
case Warning:
LOGGER.log(Level.WARNING, exception.getLocalizedMessage(), exception);
break;
case Error:
LOGGER.log(Level.WARNING, exception.getLocalizedMessage(), exception);
break;
case Fatal:
LOGGER.log(Level.SEVERE, exception.getLocalizedMessage(), exception);
break;
default:
throw new RuntimeException("unsupported log level " + level);
}
}
}
推荐阅读
- reactjs - 为什么 React.StrictMode 会改变组件的行为?
- nmcli - 设备的 MAC 和连接不匹配
- java - 多行泛型声明的约定
- sharepoint - 如果 SPFX PNP ListView 被隐藏并在 Modern 页面上再次显示,则无法在页面上加载
- sql - 如何解决此错误 - ORA-02291: 违反完整性约束 (YXK.SYS_C0010166) - 未找到父密钥
- python - 如何在一排 pandas 数据框中找到多种数据?
- javascript - 如何在 JS 中对 3 个部分的对象数组进行排序?
- haskell - cabal 3.2 版:无法识别的命令:沙箱(尝试 --help)
- javascript - 使用 FileReader 将输入文件数组转换为 base64
- c++ - gdb 中没有加载符号?