
Masking Security-Sensitive Data in the HTTP Access Log

The HTTP Provider Service masks the values of security-sensitive URL parameters, cookies, or headers that might be sent with the request. Those values appear as five dots in the relevant log file. The masking can be applied in both the Common Log File format and the SAP log format, whichever you are using. For more information about log formats, see Logging in Common Log File Format.

Note

HTTP header values are not logged by default. The masking can be applied only if you have configured the LogHeaderValue property of the HTTP Provider Service. For more information, see Logging Additional Information.

When using HTTP communication logging, you should consider your security policy, user access rights to log files, and the mechanisms that deployed Java EE applications use to exchange security-sensitive information over HTTP.

Note

The AS Java masks security-sensitive information in the HTTP communication logs as an additional step, based only on the parameter definitions and HTTP headers listed below. If you transmit security-sensitive information using custom parameters or custom-defined headers, masking is not applied.

The following is a list of all elements masking applies to:

Path Parameters

·        jsessionid

Request Parameters

·        j_password

·        j_username

·        j_sap_password

·        j_sap_again

·        oldPassword

·        confirmNewPassword

·        ticket

HTTP Headers

·        Authorization

·        Cookie

               ·        JSESSIONID

               ·        MYSAPSSO2

The same masking also applies to the above elements when the communication is performed over HTTPS.
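Because custom parameters are not masked, you may want to audit existing access logs for them. The following is an added example, not SAP code: it checks the request URL of each log line for listed parameters whose value is not five dots, and for custom parameters logged in clear text. The CUSTOM_PARAMS names, the request-line layout, and the sample lines are assumptions constructed for illustration; header values are not covered.

```python
import re
from urllib.parse import urlsplit, parse_qsl

MASK = "....."  # per the page: masked values appear as five dots
PATH_PARAMS = {"jsessionid"}  # path parameters from the page's list
REQUEST_PARAMS = {"j_password", "j_username", "j_sap_password", "j_sap_again",
                  "oldPassword", "confirmNewPassword", "ticket"}
# Assumption: custom sensitive parameter names used by your own applications.
CUSTOM_PARAMS = {"api_key", "reset_token"}

# Assumption: the request is logged as "METHOD URL HTTP/x.y" (Common Log File style).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
PATH_PARAM_RE = re.compile(r";([^=;/]+)=([^;/]*)")

def audit_line(line):
    """Return (finding, parameter_name) tuples for one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    pairs = [(n, v, PATH_PARAMS) for n, v in PATH_PARAM_RE.findall(url.path)]
    pairs += [(n, v, REQUEST_PARAMS)
              for n, v in parse_qsl(url.query, keep_blank_values=True)]
    findings = []
    for name, value, listed in pairs:
        if value in ("", MASK):
            continue  # nothing sensitive was written to the log
        if name in listed:
            findings.append(("listed-unmasked", name))   # masking not in effect
        elif name in CUSTOM_PARAMS:
            findings.append(("custom-cleartext", name))  # never masked by the server
    return findings

def audit(lines):
    """Audit many lines; returns (line_number, finding, parameter_name) tuples."""
    return [(no, kind, name)
            for no, line in enumerate(lines, 1)
            for kind, name in audit_line(line)]

# Constructed sample lines, not taken from a real system.
SAMPLE = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0100] "GET /app/start;jsessionid=.....?j_username=.....&j_password=..... HTTP/1.1" 200 512',
    '10.0.0.6 - - [12/Mar/2024:10:01:07 +0100] "GET /app/reset?reset_token=CONSTRUCTED-VALUE&lang=en HTTP/1.1" 200 128',
    '10.0.0.7 - - [12/Mar/2024:10:01:09 +0100] "GET /app/sso?ticket=CONSTRUCTED-VALUE HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print(hit)
```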
