Search code examples
securitysap-commerce-cloudaudit-logging

How to see the obscured audit blacklisted "encodedpassword" in SAP Commerce 2011?


The code below shows that I am trying to get the "encodedpassword" attribute value from the User type's JsonAuditRecord using the ReadAuditGateway.

JsonAuditRecord userJsonRecord = getUserJsonAuditRecords_withReadAuditGateway(query);
String encodedPassword = userJsonRecord.getAttributeAfterOperation("encodedpassword");

System.out.println(encodedPassword); //Hybris1808 would print the actual encoded password
System.out.println(encodedPassword); //CX2011 prints **** instead

After upgrading to CX2011, I found out that the User type's encodedPassword is audit blacklisted. Also, any blacklisted attributes would have their value obscured e.g. ****. I understand the rational behind that (possibly a security enhancement). However, to allow our custom code (that requires the un-obscured value of the encodedPassword) to continue working, I have tried to remove it from the audit blacklist by making sure that the two properties below are not set with any value in my local.properties

audit.user.blacklistedProperties=
audit.userpasswordchangeaudit.blacklistedProperties=

However, after performing "ant all" and restarted my local Hybris server, the encodedPassword is still obscured..

May I ask other than changing those properties above, are there other steps that need to be done? e.g. overriding some OOTB methods.

Also, I have tried to read the Audit Report section in the SAP Commerce Documentation, I do not see the audit blacklisting part is being documented. I would appreciate if someone could also provide any links that relates to this topic.


Solution

  • audit.user.blacklistedProperties=encodedpassword
    audit.userpasswordchangeaudit.blacklistedProperties=encodedpassword
    

    Those two properties above are already defined in one of the project.properties files as shown above (where 'encodedpassword' is blacklisted). Thus, if we were to leave those 2 blank in the local.properties file, Hybris will treat it as NULL and it will ignore/skip it. In other words, it won't do anything by declaring empty properties.

    To rectify that, the easiest way is to assign some other fields as the blacklisted properties in the local.properties file.

    e.g.

    audit.user.blacklistedProperties=fooAttribute
    audit.userpasswordchangeaudit.blacklistedProperties=fooAttribute