Config Filter Chains and Logging


Mark Struberg

Jul 6, 2014, 7:35:53 AM
to java-...@googlegroups.com
Just one more thing...

When you have sensitive information to configure then it's always a good idea to not have it in plain text. And even if you do (maybe on a file which only root can access) then it is an even worse idea to print the configured value into the log files... ;)

In Apache DeltaSpike we came up with a filtering chain [1][2] and special internal methods to resolve a value intended for logging [3].
This could e.g. be used to have the ops team encode a password with their private key and use the filter chain + PKI to decode it on the fly inside the server.

We should btw also define logging categories and the log level at which the info about configured values gets printed out. This is very important from an ops point of view.

LieGrue,
strub

PS: I guess from now it's clear to everyone that the DeltaSpike team did not design this in an ivory tower but we use this stuff in huge projects in governments, banks, insurance companies, stock exchanges, etc.
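
The idea described in the message above, as an added example (not code from the post or from DeltaSpike): a filter chain with one hook for the resolved value and a separate hook for the value that is written to logs. The `ConfigFilter` interface shown here, the `ENC:` prefix, the RSA-OAEP scheme, the demo key pair and the rule that masks keys containing "password" are all assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Cipher;
public class ConfigFilterDemo {
    interface ConfigFilter { // hypothetical two-hook filter, defined only for this example
        String filterValue(String key, String value);        // value handed to the application
        String filterValueForLog(String key, String value);  // value that may appear in logs
    }
    static final String PREFIX = "ENC:"; // assumed marker for encrypted values
    static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final List<ConfigFilter> CHAIN = new ArrayList<>();
    // Decrypts ENC: values with the server's private key and masks secrets for logging.
    static class DecryptingFilter implements ConfigFilter {
        private final PrivateKey key;
        DecryptingFilter(PrivateKey key) { this.key = key; }
        public String filterValue(String k, String v) {
            if (v == null || !v.startsWith(PREFIX)) return v; // plain values pass through
            try {
                Cipher c = Cipher.getInstance(RSA);
                c.init(Cipher.DECRYPT_MODE, key);
                byte[] raw = Base64.getDecoder().decode(v.substring(PREFIX.length()));
                return new String(c.doFinal(raw), StandardCharsets.UTF_8);
            } catch (GeneralSecurityException | IllegalArgumentException e) {
                // Fail closed; the message names the key only, never the value.
                throw new IllegalStateException("cannot decrypt config key " + k, e);
            }
        }
        public String filterValueForLog(String k, String v) {
            boolean secret = (v != null && v.startsWith(PREFIX))
                    || k.toLowerCase(Locale.ROOT).contains("password"); // assumed naming rule
            return secret ? "******" : v;
        }
    }
    // Runs the value through every filter; forLog selects the log-safe hook.
    static String resolve(String k, String v, boolean forLog) {
        for (ConfigFilter f : CHAIN) v = forLog ? f.filterValueForLog(k, v) : f.filterValue(k, v);
        return v;
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();             // constructed demo key pair
        Cipher enc = Cipher.getInstance(RSA);
        enc.init(Cipher.ENCRYPT_MODE, kp.getPublic());  // done offline by ops in practice
        byte[] ct = enc.doFinal("s3cr3t-demo".getBytes(StandardCharsets.UTF_8)); // constructed secret
        String stored = PREFIX + Base64.getEncoder().encodeToString(ct);
        CHAIN.add(new DecryptingFilter(kp.getPrivate()));
        System.out.println("db.password = " + resolve("db.password", stored, true)); // log-safe hook
        System.out.println("decrypted ok: " + "s3cr3t-demo".equals(resolve("db.password", stored, false)));
    }
}
```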

