Spring-boot: Enhance WebRequestTraceFilter to allow excluding capture of certain request headers (e.g. Authorization)

Created on 2 Jul 2016 · 5 Comments · Source: spring-projects/spring-boot

The WebRequestTraceFilter (which captures the data for the Spring boot trace actuator feature) currently captures _all_ request headers. It's currently not possible to configure / provide a list of headers which should not be captured.

The most common example of where it may be required to exclude a header is "Authorization". If this header is captured (and then displayed) then operations personnel will have access to user credentials.

I would propose adding a collection to TraceProperties - something like "excludedHeaders" which is then checked against within WebRequestTraceFilter.getRequestHeaders() and WebRequestTraceFilter.getResponseHeaders().

If you agree with the enhancement I'd be happy to supply a pull request in the coming days. Thanks.

enhancement

All 5 comments

Have you seen the management.trace.include property?

Hi Phil,

From what I can tell, this property allows for including all request (or response) headers, but doesn't provide a means of saying "I want to include all request headers except for XYZ".

Thanks,

Daniel.

Adding support for including/excluding specific headers feels to me like it might be too complex.

Putting @philwebb's question another way: what headers do you need to be able to see that prevents you from just switching off header inclusion entirely?

I take your point around it being a bit complex. In my case our ops team generally find the headers interesting (for example X-Forwarded-For).

Might it be possible to add @ConditionalOnMissingClass to the filter bean definition in TraceWebFilterAutoConfiguration and make the getRequestHeaders() method protected? That way if people want to customise they can define their own versions of the filter.

@imberda Great suggestion but rather than make getRequestHeaders() protected I've added a new postProcessRequestHeaders() method. Let me know if that doesn't do what you need.
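A concrete use of the postProcessRequestHeaders() hook mentioned in the last comment, as an added example that is not code from this issue or from Spring Boot itself. It assumes the Spring Boot 1.4-era actuator API (the hook taking a Map<String, Object>, the TraceRepository/TraceProperties constructor, and the auto-configured filter bean being @ConditionalOnMissingBean so a user-defined bean replaces it); the com.example package is hypothetical.

```java
package com.example.tracing; // hypothetical package

import java.util.Arrays;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

import org.springframework.boot.actuate.trace.TraceProperties;
import org.springframework.boot.actuate.trace.TraceRepository;
import org.springframework.boot.actuate.trace.WebRequestTraceFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Redacts credential-bearing request headers before they reach the trace
// repository, so /trace output never exposes user credentials to ops staff.
public class RedactingWebRequestTraceFilter extends WebRequestTraceFilter {

    // Header names are case-insensitive, so the set compares ignoring case.
    private static final Set<String> REDACTED = new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);
    static {
        REDACTED.addAll(Arrays.asList("Authorization", "Proxy-Authorization", "Cookie"));
    }

    public RedactingWebRequestTraceFilter(TraceRepository repository, TraceProperties properties) {
        super(repository, properties);
    }

    @Override
    protected void postProcessRequestHeaders(Map<String, Object> headers) {
        // Replace the value rather than drop the entry: ops can still see that
        // the header was present (useful when debugging 401s) but never its value.
        for (Map.Entry<String, Object> entry : headers.entrySet()) {
            if (REDACTED.contains(entry.getKey())) {
                entry.setValue("<redacted>");
            }
        }
    }

    @Configuration
    static class TraceFilterConfiguration {
        // Assumed: TraceWebFilterAutoConfiguration marks its filter bean
        // @ConditionalOnMissingBean, so declaring this bean replaces it.
        @Bean
        public WebRequestTraceFilter webRequestLoggingFilter(TraceRepository repository,
                TraceProperties properties) {
            return new RedactingWebRequestTraceFilter(repository, properties);
        }
    }
}
```

Response headers such as Set-Cookie would need the same treatment via the corresponding response-side hook if one is exposed; this example only covers the request side discussed in the thread.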
