Thanks for the response Jacob.

I think I should be more clear about my use case.

I am actually not permitted to store any of these confidential information
any where including ( the access logs ). That's why I want to encrypt these
information. I can remove the entire query string from being logged at all
but these data can be very useful to us so we do want to log them ( without
exposing the confidential value in the request ).

Thanks!

John



On 7/20/07, Jacob Rhoden <jacob-lists@(protected):
>
> John Hui wrote:
> > I currently have Tomcat access log enable which will log all the query
> > that
> > hits my web server. Some of the information is "confidential". So is
> > there
> > a mechanism that I can use to add a interceptor or filter to "encrypt"
> > those
> > information before it gets log into the access log?
> >
> > Any suggestion or pointer would be greatly appreciated!
> >
> > John
> >
> It would be better to alter the application (if you can) to not include
> private information inside url's.
>
> But either way, just make the logs read writeable only by tomcat. That
> way the user has to have access to tomcat before they can read the logs.
> And if the user has access to tomcat, then they will be able to read
> your logs no matter wether your logs are encrypted or not. (ie if the
> user has access to tomcat they can simply monitor all incoming traffic
> via other means, and get much more confidential information than just
> urls and ip addresses)
>
> Best Regards,
> Jacob
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@(protected)
> To unsubscribe, e-mail: users-unsubscribe@(protected)
> For additional commands, e-mail: users-help@(protected)
>
>