Prevent Logging of authorization header with HTTPCaller

Hmmmm You could disable logging entirely, but then you’ll have no logs…

Could you transition to using a webconnection to authenticate against your service? If its using Oauth you can setup your own webconnection for it: https://support.safe.com/hc/en-us/articles/25407422190861-Creating-an-OAuth-2-0-Web-Service-and-Connection-in-FME

Thanks for your answer.

How could I disable logging entirely for my .fmw only?

I’m not an administrator on the FME server machine nor have I access to the web service using bearer token authorization.

Under FME Options > Translation > Log Message Filter you have the option to specify what level of logging you want for Form (Desktop).

In your instance, you should be fine un-ticking Information and leave Errors, Warnings and Statistics enabled

Once you’ve updated that, you can then publish to Flow (Server) and the workspace will maintain those log levels.

The setting you changed is a Form (Desktop) level setting, so it will apply to the application, and any subsequent workspaces you open will adopt that level of logging. Therefore, it is a good idea to go in and revert back to previous settings once you’ve published the workspace.

To help make sure that subsequent Republishes for that one workspace are updated with the correct logging, it is a good idea to have an annotation in the workspace specifying that Information logging needs to be disabled before publishing to Flow (Server)

Thanks for your answer hkingsbury,

This approach doesn’t change the fmw file. Is it supposed to work with FME 2021 desktop and server versions ?

I’m curious where you see it being logged.

I would also second the suggestion of the web connection if that’s at all an option.

If the token is used as a Published Parameter you could make the token be of type “Password”. FME will then treat it as ‘*’ in the log

 

Hi,

hkingsbury : I think that this is the only option but unfortunately I don’t have the necessary permissions in production environment. I’ll try in staging (if possible since our deployment is done via teamcity) and if it works, I’ll ask for it to be published from FME Desktop.

virtualcitymatt: The token is obtained at runtime with a first call to another HttpCaller (which displays the basic authentication encoded in base64 which is also annoying cause it’s easily decryptable and there’s no ways of hiding it with all the constraints I’m facing). I then call another HttpCaller with the token which appears in the log:
 

…

User-Agent: FME/2021.7.42.21821 libcurl/7.79.1 (OpenSSL/1.1.1n) Schannel zlib/1.2.11 WinIDN ibssh2/1.9.0 nghttp2/1.44.0

Accept: */*

Accept-Encoding: deflate, gzip

Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjA4…

Look further down in the log when the http call is actually happening. If it doesn’t appear, I guess another solution would be to create a custom transformer and passing the token as a parameter of type password. I’m gonna try and let you know.

Thanks to both of you for your answers/inquiries. The solution is always to never give up !

This honestly looks like a debug log - this isn’t usually logged unless debug logging is on. Check the settings to make sure that FME Debug logging is not checked

virtualcitymatt : The goal is to avoid the token to be displayed in FME server log which is the case now. As stated I don’t have to necessary persmissions on our fme server 2021 to modify this setting. If I did, would it be possible to change it only for this specific fmw ?

Version 2022 is using LOG_FILTER_MASK but I don’t know when our server will be updated.