proposed implementation for security logging, needs review.

[preichel-cg]

569

• new class SecureLogging which provides Markers for case-specific logging.
• new optional dependency org.owasp which extends functionality of Markers.
• corresponding appenders for console and file with example filter implementations.
• MaskingConverter for confidential information, until OWASP issue is fixed.

[oasp-ci]

Can one of the admins verify this patch?

[preichel-cg]

@hohwille Hi Jörg, I have addressed all of your mentioned points and made 2 commits, which now show up in this PR.

• I added a test class for SecureLogging, which checks logging, filtering and masking when using logback.
• Unfortunately I did not yet succeed to create one when using log4j instead...

[preichel-cg]

Hi Jörg, the new main changes are:

• SecureLoggingLogbackTest extends ModuleTest
• use AssertJ
• use //given - //when - //then
• rename static variables
• change logger class and add casts to logback logger in doSetUp/doTearDown.

open points:

• your remark that local Marker variables are contradictory: for me personally they improve readability (e.g. assertThat statements are much shorter) and reduce the chance of making inconsistent changes. And especially with the //given - //when - //then logic they make clearer, that their correct initialization is a particular feature which shall be tested. But I will change it if you insist ;-).

Cheers, Patrick

[hohwille]

@preichel-cg 👍 thanks for your changes. Now everything looks great. I do not have any further concerns except maybe:

// Check the filter chain decision for this event
// (does not work) assertThat(this.mockAppender.getFilterChainDecision(loggingEvent)).isEqualTo(FilterReply.DENY);

However, I am fine with merging this and we can still address such fine details separately. I will wait for the next architects meeting to announce the merge and will then hopyfully merge.

[hohwille]

Still no concerns. Merging now.