It’s pretty common to log incoming requests or message bodies via the Log component. Usually, logging incoming data is harmless. However, sometimes you may accidentally include secure/sensitive information. What to do in this case?

Masking sensitive information in Apache Camel

Apache Camel supports security masking for logging when you set the logMask flag to true. This feature is available starting from Camel 2.19.

You can enable masking at CamelContext level and, also, at route level:

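    // enable at CamelContext level
    camelContext.setLogMask(true);

    // enable at route level ("direct:start" is a placeholder endpoint)
    from("direct:start").logMask()
        .log("Processing ${id}");
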
By default, DefaultMaskingFormatter is used: this formatter searches for the specified keywords in the source and replaces their values with a mask string (xxxxx). It’s important to note that DefaultMaskingFormatter masks only the "passphrase", "password" and "secretKey" keywords. So, if you need to mask other keywords, you’ll have to provide a custom configuration.

Configuring custom masking formatter

If you want to use a custom masking formatter, you should put it into Camel service registry with the name CamelCustomLogMask. Note that your formatter must implement MaskingFormatter.
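
A formatter that masks by pattern instead of by keyword, as an added example that is not from the original post. It implements the MaskingFormatter interface mentioned above; the class name and both regular expressions are assumptions chosen for illustration.

```java
import java.util.regex.Pattern;

import org.apache.camel.spi.MaskingFormatter;

/**
 * Added example: masks values by pattern rather than by keyword.
 * Both patterns below are illustrative assumptions, not Camel defaults.
 */
public class PatternMaskingFormatter implements MaskingFormatter {

    // Same mask string the default formatter uses.
    private static final String MASK = "xxxxx";

    // Assumed pattern: "Bearer <token>" as it appears in a logged Authorization header.
    private static final Pattern BEARER =
            Pattern.compile("(?i)(bearer\\s+)[A-Za-z0-9._~+/=-]+");

    // Assumed pattern: runs of 13 to 19 digits, optionally separated by a space or dash.
    private static final Pattern LONG_NUMBER =
            Pattern.compile("\\b\\d(?:[ -]?\\d){12,18}\\b");

    @Override
    public String format(String source) {
        if (source == null || source.isEmpty()) {
            return source;
        }
        // Keep the "Bearer " prefix so the log line stays readable, drop the token.
        String masked = BEARER.matcher(source).replaceAll("$1" + MASK);
        // Replace the whole digit run; the surrounding quotes or tags are untouched.
        return LONG_NUMBER.matcher(masked).replaceAll(MASK);
    }

    public static void main(String[] args) {
        MaskingFormatter formatter = new PatternMaskingFormatter();
        // Constructed sample log lines.
        System.out.println(formatter.format("Authorization: Bearer abc.def.ghi"));
        System.out.println(formatter.format("{\"card\":\"4111 1111 1111 1111\",\"id\":42}"));
    }
}
```

Register an instance under the name CamelCustomLogMask as described above. The digit pattern also masks unrelated long numbers such as epoch-millisecond timestamps, so tune it to your payloads.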

However, if you’re using Spring Boot auto-configuration for Apache Camel, it’s actually pretty easy to just configure DefaultMaskingFormatter with your custom masking keywords.

For example, let’s enable masking of the value keyword:

    public Registry maskingRegistry() {
        MaskingFormatter valueMaskingFormatter =
            new DefaultMaskingFormatter(
                    Collections.singleton("value"), // (1)
                    true,                           // (2)
                    true,                           // (3)
                    true                            // (4)
            );
        // register the formatter under the custom log mask name
        SimpleRegistry simpleRegistry = new SimpleRegistry();
        simpleRegistry.put(Constants.CUSTOM_LOG_MASK_REF, valueMaskingFormatter);
        return simpleRegistry;
    }

(1) set of keywords that should be masked
(2) flag to turn on/off masking of key-value pairs (e.g. in the properties component)
(3) flag to turn on/off masking of XML elements
(4) flag to turn on/off masking of JSON fields

Also, to turn on logMask globally, you need to add the following config to your application.yml:

    camel:
      springboot:
        logMask: true

Talk is cheap. Show me the code.

You can find a fully functioning example by following the link.

Oleksii Zghurskyi