Hiding sensitive data

Using the debugger might expose sensitive data within the application such as e-mail addresses, account numbers, and so-on. You can configure blocklists and blocklist exceptions to block the debugger agent from accessing this sensitive data.

Hidden data is reported by the debugger as "blocked by admin", as shown in the following screenshot:

Debugger reports hidden text as "blocked by admin"

Recommendations

As you configure or update your blocklist files, note the following recommendations:

  • Use the Java agent version 2.27 or newer. For installation information, see Setting up Cloud Debugger for Java.

  • Note that the configuration file naming and keywords have been updated to blocklist. Update your files accordingly.

Configure your file

The following configuration can be used as a starting point and provides inline documentation:

# Cloud Debugger Blocklist Configuration File
#
# == Format ==
#
#   This configuration file accepts the following keywords:
#
#    - blocklist
#    - blocklist_exception
#
#   The debugger uses the following rules to determine if a variable's data
#   should be hidden, using the variable's type as the match criteria.
#
#   | Matches `blocklist` | Matches `blocklist_exception` | Data is |
#   |---------------------|-------------------------------|---------|
#   | no                  | no                            | shown   |
#   | no                  | yes                           | shown   |
#   | yes                 | no                            | hidden  |
#   | yes                 | yes                           | shown   |
#
#   Patterns listed under "blocklist" and "blocklist_exception" have the
#   following format:
#
#   [!]<type>
#
#   - `type` is a type prefix (such as a class or package name). Any
#      nested types will also match the pattern. For example, if you
#      specify a package name, the package and all of it's subtypes will
#      match. Note that glob patterns such as `*` can be used anywhere in
#      the type name.
#   -  By prefixing a pattern with an exclamation point, `!`, the pattern
#      is considered an "inverse match" which evaluates to true for any
#      type that does not match the provided pattern.
#   -  The debugger makes no attempt to verify that specified patterns
#      will actually match anything. If you have a misspelling in your
#      pattern, then there will be no reported errors but the pattern will
#      not work as intended.
#
# == Verification ==
#
#   A verification tool is available and can be downloaded with the
#   following command:
#
#   wget https://storage.googleapis.com/cloud-debugger/compute-java/debian-wheezy/debugger_blocklist_checker.py
#
#   This tool can be used to check the configuration file for syntax errors.
#   It can also be used to experiment with configuration files locally
#   without having to deploy a real application.
#
#   A basic usage example:
#
#       debugger_blocklist_checker.py debugger-blocklist.yaml
#
#   You can also use the tool to check if symbols will be blocklisted
#
#     echo com.java.Integer | \
#       debugger_blocklist_checker.py debugger-blocklist.yaml --check

# Uncomment The line below to add blocklists
#blocklist:
#  - "java.security"  # Example package

# Uncomment The line below to add blocklist exceptions
#blocklist_exception:
#  - "java.security.Timestamp"  # Example class

Examples

The following example configuration hides data within a single class from the debugger:

blocklist:
- "com.sales.Ticket"

It is also possible to hide packages by specifying the package name:

blocklist:
- "com.sales"

In some cases, it can be useful create exceptions to blocklist rules. This can be done with a blocklist_exception:

blocklist:
- "com.sales"
blocklist_exception:
- "com.sales.testing"

Finally, it's possible to specify an inverse pattern, where classes that do not match a pattern are blocklisted.

blocklist:
- "!com.sales"

Configuration file location

The configuration file must be named debugger-blocklist.yaml and can be placed anywhere in the class path. A reasonable place is at the root of the .jar file. The following sections discuss how to accomplish this.

Use the jar command

To insert or update a configuration file in a .jar file, the jar command can be used. To add the configuration file debugger-blocklist.yaml to the archive TicketTracker.jar, use the following command:

jar uvf TicketTracker.jar debugger-blocklist.yaml

Use Ant

To insert the configuration file into a JAR using the Ant build system, use Ant's built-in jar task. For example, the following distribute target uses the jar task to add the configuration file debugger-blocklist.yaml to the archive TicketTracker.jar.

<target name="distribute" depends="compile">
  <jar destfile="${distributionDir}/TicketTracker.jar" >
    <fileset dir="${outputDir}"/>
    <fileset dir="${sourceDir}"/>
    <fileset file="debugger-blocklist.yaml" />
  </jar>
</target>

Use Maven

To insert the configuration file into a package managed by the Maven build system, place the debugger-blocklist.yaml file inside the src/main/resources directory, which you may need to create. Build the project and confirm that debugger-blocklist.yaml was copied to target/classes.